CVE-2019-19522 - OpenCVE

OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:L/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Openbsd	Openbsd

Configuration 1 [-]

cpe:2.3:o:openbsd:openbsd:6.6:*:*:*:*:*:*:*

References

Link	Resource
http://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-Authentication-Bypass-Privilege-Escalation.html	Third Party Advisory
http://seclists.org/fulldisclosure/2019/Dec/14	Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/12/04/5	Exploit Mailing List Third Party Advisory
https://seclists.org/bugtraq/2019/Dec/8	Exploit Mailing List Third Party Advisory
https://www.openbsd.org/errata66.html	Vendor Advisory
https://www.openwall.com/lists/oss-security/2019/12/04/5	Exploit Mailing List Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-12-04T23:33:05

Updated: 2019-12-06T21:06:08

Reserved: 2019-12-03T00:00:00

Link: CVE-2019-19522

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-12-05T00:15:11.497

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-19522

JSON object: View

Redhat Information

No data.

CWE

CWE-732

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-06T21:06:08", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.openwall.com/lists/oss-security/2019/12/04/5"}, {"tags": ["x_refsource_MISC"], "url": "https://www.openbsd.org/errata66.html"}, {"name": "[oss-security] 20191204 Authentication vulnerabilities in OpenBSD", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2019/12/04/5"}, {"name": "20191205 Authentication vulnerabilities in OpenBSD", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Dec/8"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-Authentication-Bypass-Privilege-Escalation.html"}, {"name": "20191206 Authentication vulnerabilities in OpenBSD", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Dec/14"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19522", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.openwall.com/lists/oss-security/2019/12/04/5", "refsource": "MISC", "url": "https://www.openwall.com/lists/oss-security/2019/12/04/5"}, {"name": "https://www.openbsd.org/errata66.html", "refsource": "MISC", "url": "https://www.openbsd.org/errata66.html"}, {"name": "[oss-security] 20191204 Authentication vulnerabilities in OpenBSD", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2019/12/04/5"}, {"name": "20191205 Authentication vulnerabilities in OpenBSD", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Dec/8"}, {"name": "http://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-Authentication-Bypass-Privilege-Escalation.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-Authentication-Bypass-Privilege-Escalation.html"}, {"name": "20191206 Authentication vulnerabilities in OpenBSD", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Dec/14"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19522", "datePublished": "2019-12-04T23:33:05", "dateReserved": "2019-12-03T00:00:00", "dateUpdated": "2019-12-06T21:06:08", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:openbsd:openbsd:6.6:*:*:*:*:*:*:*", "matchCriteriaId": "0E0CC007-1428-4683-A196-3544F1C9CC92", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "OpenBSD 6.6, in a non-default configuration where S/Key or YubiKey authentication is enabled, allows local users to become root by leveraging membership in the auth group. This occurs because root's file can be written to /etc/skey or /var/db/yubikey, and need not be owned by root."}, {"lang": "es", "value": "OpenBSD versi\u00f3n 6.6, en una configuraci\u00f3n no predeterminada donde la autenticaci\u00f3n S/Key o YubiKey est\u00e1 habilitada, permite a usuarios locales convertirse a root mediante el aprovechamiento de la membres\u00eda en el grupo de autenticaci\u00f3n. Esto ocurre porque el archivo root puede ser escrito en /etc/skey o /var/db/yubikey, y no es necesario que sea propiedad de root."}], "id": "CVE-2019-19522", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-05T00:15:11.497", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-Authentication-Bypass-Privilege-Escalation.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Dec/14"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2019/12/04/5"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Dec/8"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.openbsd.org/errata66.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2019/12/04/5"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}