OpenBSD has patched critical vulnerabilities which include privilege escalation flaw and remotely exploitable authentication bypass.
Unix operating system based on Berkeley Software Distribution (BSD) OpenBSD patched four vulnerabilities reported privately by the Qualys Research Labs. It took less than 40 hours to patch the vulnerabilities named as, CVE-2019-19522, CVE-2019-19521, CVE-2019-19520, and CVE-2019-19519.
Privilege escalation flaws and a remotely exploitable authentication bypass
CVE-2019-19521 was found in OpenBSD’s authentication protocol and it is an authentication bypass issue. It is possible to force the authentication system in the BSD authentication without a challenge if the attacker specifies a particular username. This flaw can be exploited remotely through smtpd, ldapd, and radiusd.
CVE-2019-19520 is a privilege escalation issue caused by a failed check in xlock. The attackers who have the local access to OpenBSD can obtain privileges of set-group-ID “auth” through xlock, which is installed by default.
CVE-2019-19522 is also a local privilege escalation problem discovered in S/key and YubiKey. The last vulnerability is named CVE-2019-19519 vulnerability was found in the Su function. With Su’s “-L” option, an attacker can try usernames and passwords until the login with a different login class.
Source: 1