Vulnerability Description
libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login/login.c and xenocara/app/xenodm/greeter/verify.c).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Openbsd | Openbsd | 6.6 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-AutThird Party Advisory
- http://seclists.org/fulldisclosure/2019/Dec/14Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/12/04/5ExploitMailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2019/12/04/6Mailing List
- https://seclists.org/bugtraq/2019/Dec/8ExploitMailing ListThird Party Advisory
- https://www.openbsd.org/errata66.htmlVendor Advisory
- https://www.openwall.com/lists/oss-security/2019/12/04/5ExploitMailing ListThird Party Advisory
- http://packetstormsecurity.com/files/155572/Qualys-Security-Advisory-OpenBSD-AutThird Party Advisory
- http://seclists.org/fulldisclosure/2019/Dec/14Third Party Advisory
- http://www.openwall.com/lists/oss-security/2019/12/04/5ExploitMailing ListThird Party Advisory
- http://www.openwall.com/lists/oss-security/2019/12/04/6Mailing List
- https://seclists.org/bugtraq/2019/Dec/8ExploitMailing ListThird Party Advisory
- https://www.openbsd.org/errata66.htmlVendor Advisory
- https://www.openwall.com/lists/oss-security/2019/12/04/5ExploitMailing ListThird Party Advisory
FAQ
What is CVE-2019-19521?
CVE-2019-19521 is a vulnerability with a CVSS score of 9.8 (CRITICAL). libc in OpenBSD 6.6 allows authentication bypass via the -schallenge username, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth_subr.c and gen/authenticate.c in libc (and login...
How severe is CVE-2019-19521?
CVE-2019-19521 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-19521?
Check the references section above for vendor advisories and patch information. Affected products include: Openbsd Openbsd.