CVE-2019-19521

libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c).

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Potential Mitigations

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/114.html
• https://cwe.mitre.org/data/definitions/115.html
• https://cwe.mitre.org/data/definitions/151.html
• https://cwe.mitre.org/data/definitions/194.html
• https://cwe.mitre.org/data/definitions/22.html
• https://cwe.mitre.org/data/definitions/57.html
• https://cwe.mitre.org/data/definitions/593.html
• https://cwe.mitre.org/data/definitions/633.html
• https://cwe.mitre.org/data/definitions/650.html
• https://cwe.mitre.org/data/definitions/94.html

References

• http://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-Authentication-Bypass-Privilege-Escalation.html
• http://seclists.org/fulldisclosure/2019/Dec/14
• http://www.openwall.com/lists/oss-security/2019/12/04/5
• http://www.openwall.com/lists/oss-security/2019/12/04/6
• https://seclists.org/bugtraq/2019/Dec/8
• https://www.openbsd.org/errata66.html
• https://www.openwall.com/lists/oss-security/2019/12/04/5
• http://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-Authentication-Bypass-Privilege-Escalation.html
• http://seclists.org/fulldisclosure/2019/Dec/14
• http://www.openwall.com/lists/oss-security/2019/12/04/5
• http://www.openwall.com/lists/oss-security/2019/12/04/6
• https://seclists.org/bugtraq/2019/Dec/8
• https://www.openbsd.org/errata66.html
• https://www.openwall.com/lists/oss-security/2019/12/04/5