Authentication Vulnerabilities in OpenBSD, NetBSD 9.0 RC1 is available, Running FreeNAS on a DigitalOcean droplet, NomadBSD 1.3 is here, at e2k19 nobody can hear you scream, and more.
Headlines

Authentication vulnerabilities in OpenBSD

From the manual page of login.conf:

> OpenBSD uses BSD Authentication, which is made up of a variety of authentication styles. The authentication styles currently provided are:
> passwd Request a password and check it against the password in the master.passwd file. See login_passwd(8).
> skey Send a challenge and request a response, checking it with S/Key (tm) authentication. See login_skey(8).
> yubikey Authenticate using a Yubico YubiKey token. See login_yubikey(8).
> For any given style, the program /usr/libexec/auth/login_style is used to
> perform the authentication. The synopsis of this program is:
This is the first piece of the puzzle: if an attacker specifies a username of the form "-option", they can influence the behavior of the authentication program in unexpected ways.
> login_passwd [-s service] [-v wheel=yes|no] [-v lastchance=yes|no] user [class]
> The service argument specifies which protocol to use with the invoking program. The allowed protocols are login, challenge, and response. (The challenge protocol is silently ignored but will report success as passwd-style authentication is not challenge-response based.)

This is the second piece of the puzzle: if an attacker specifies the username "-schallenge" (or "-schallenge:passwd" to force a passwd-style authentication), then the authentication is automatically successful and therefore bypassed.
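The two pieces above combine because the user name is passed to the login_style helper as a command-line argument, where a leading "-" is read as an option. The defensive counterpart is to validate the name in the invoking program before it ever reaches the helper. The following is an added example, not OpenBSD's code or its actual patch: the function names are hypothetical, and the "--" end-of-options marker in the argv builder assumes the helper parses its arguments with getopt(3), which stops option processing at "--".

```c
/* Added example (not OpenBSD code): reject user names that a BSD Auth
 * login_<style> helper would otherwise parse as command-line options.
 * Assumption: the caller builds argv for /usr/libexec/auth/login_<style>
 * itself; the helper function names below are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if `user` is safe to hand to a login_style program, 0 otherwise.
 * A name that is NULL, empty, begins with '-', or contains characters
 * outside [A-Za-z0-9._-] is rejected before it can reach the helper. */
int bsdauth_username_ok(const char *user)
{
    size_t i, n;

    if (user == NULL || (n = strlen(user)) == 0)
        return 0;
    if (user[0] == '-')        /* would be parsed as an option such as -s */
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Build the argument vector for login_passwd with an explicit "--"
 * end-of-options marker, so that a name the validator did not catch
 * still cannot be read as an option (assumption: getopt(3) semantics).
 * Returns the number of entries written, or -1 if the name is rejected
 * or the array is too small. The caller owns the strings. */
int build_login_argv(const char *service, const char *user, const char *class,
                     const char *av[], int max)
{
    int n = 0;

    if (!bsdauth_username_ok(user) || max < 7)
        return -1;
    av[n++] = "/usr/libexec/auth/login_passwd";
    av[n++] = "-s";
    av[n++] = service;
    av[n++] = "--";              /* everything after this is positional */
    av[n++] = user;
    if (class != NULL)
        av[n++] = class;
    av[n] = NULL;
    return n;
}

int main(void)
{
    /* Constructed sample inputs: an ordinary user and the option-shaped
     * names described in the advisory text above. */
    const char *names[] = { "alice", "-schallenge", "-schallenge:passwd", "", "a b" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-20s %s\n", names[i],
               bsdauth_username_ok(names[i]) ? "accepted" : "rejected");
    return 0;
}
```

The validator is the primary control; the "--" marker is a second layer that costs nothing and protects against any option-shaped value the allow-list might later be relaxed to admit.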
Case study: smtpd
Case study: ldapd
Case study: radiusd
Case study: sshd
Acknowledgments: We thank Theo de Raadt and the OpenBSD developers for their incredibly quick response: they published patches for these vulnerabilities less than 40 hours after our initial contact. We also thank MITRE's CVE Assignment Team.
NomadBSD 1.3 is here

Support for multiple keyboard layouts has been added.
www/palemoon has been removed.
mail/thunderbird has been removed.
audio/audacity has been added.
deskutils/orage has been added.
The password manager fpm2 has been replaced by KeePassXC.
mail/sylpheed has been replaced by mail/claws-mail.
multimedia/simplescreenrecorder has been added.
DSBMC has been changed to DSBMC-Qt.
Many small improvements and bug fixes.
Special Guest: Mariusz Zaborski.