OpenBSD Multiple Authentication Vulnerabilities

Animesh Jain

Last updated on: September 6, 2020

Qualys Research Labs has disclosed multiple authentication vulnerabilities in OpenBSD. The vulnerabilities have been assigned the following CVEs: CVE-2019-19522, CVE-2019-19521, CVE-2019-19520, CVE-2019-19519. OpenBSD developers confirmed the vulnerabilities and responded quickly, publishing patches in less than 40 hours.

Vulnerability Details

  • CVE-2019-19521 – An authentication-bypass vulnerability in OpenBSD’s authentication system: this vulnerability is remotely exploitable in smtpd, ldapd, and radiusd, but its real-world impact should be studied on a case-by-case basis. For example, sshd is not exploitable thanks to its defense-in-depth mechanisms.
  • CVE-2019-19520 – Local privilege escalation via “xlock” – On OpenBSD, /usr/X11R6/bin/xlock is installed by default and is set-group-ID “auth”, not set-user-ID; the following check is therefore incomplete and should use issetugid() instead.
  • CVE-2019-19522 – Local privilege escalation via “S/Key” and “YubiKey” – If the S/Key or YubiKey authentication type is enabled (they are both installed by default but disabled), then a local attacker can exploit the privileges of the group “auth” to obtain the full privileges of the user “root”.
  • CVE-2019-19519 – Local privilege escalation via “su” – A local attacker can exploit su’s -L option to log in as themselves but with another user’s login class.
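
The CVE-2019-19520 item above describes a privilege check that misses set-group-ID programs. The following C code is an added example, not code from the advisory or from OpenBSD: it models that gap with constructed IDs and a hypothetical `env_if_unprivileged` helper, and shows the `issetugid()` form the text recommends (with an ID comparison as an assumed fallback on systems that lack it).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Real and effective IDs, passed in so both checks can be compared
 * without installing a set-group-ID binary. */
struct proc_ids { uid_t ruid, euid; gid_t rgid, egid; };

/* Incomplete: notices only set-user-ID execution. */
bool elevated_uid_only(const struct proc_ids *p)
{
    return p->ruid != p->euid;
}

/* Notices set-user-ID and set-group-ID execution. */
bool elevated_uid_or_gid(const struct proc_ids *p)
{
    return p->ruid != p->euid || p->rgid != p->egid;
}

/* What a program should ask about itself. issetugid() reports whether the
 * process became set-user-ID or set-group-ID at exec time; elsewhere the
 * ID comparison is used as a portable approximation. */
bool current_process_elevated(void)
{
#if defined(__OpenBSD__) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__APPLE__)
    return issetugid() != 0;
#else
    struct proc_ids me = { getuid(), geteuid(), getgid(), getegid() };
    return elevated_uid_or_gid(&me);
#endif
}

/* Hypothetical helper: honour an environment setting only when the
 * caller is not running with elevated IDs. */
const char *env_if_unprivileged(const char *name, bool elevated)
{
    return elevated ? NULL : getenv(name);
}

int main(void)
{
    /* Constructed IDs: user 1000 running a binary set-group-ID to gid 11. */
    struct proc_ids sgid = { 1000, 1000, 1000, 11 };
    printf("uid-only: %d  uid+gid: %d  this process: %d\n", elevated_uid_only(&sgid),
           elevated_uid_or_gid(&sgid), current_process_elevated());
    return 0;
}
```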

For technical details on these vulnerabilities, please see our security advisory.

Detecting the Vulnerability

Qualys has issued QID 38774 for Qualys Vulnerability Management that covers authentication vulnerabilities in OpenBSD. This QID is included in signature version VULNSIGS-2.4.762-6.

QID 38774 – This detection includes both remote and authenticated checks:

  • Remote – This detection sends a specially crafted payload over the LDAP and SMTP services to authenticate remotely using “-schallenge”.
  • Authenticated (OpenBSD) – This detection executes the “syspatch -l” command to check whether the patch has been applied on the system.

You can search for this new QID in AssetView or within the VM Dashboard by using the following QQL query:

vulnerabilities.vulnerability.(cveId:`CVE-2019-19519` OR cveId:`CVE-2019-19520` OR cveId:`CVE-2019-19521` OR cveId:`CVE-2019-19522`)

You can also create a Dashboard to track all OpenBSD vulnerabilities, as shown in the template below:

OpenBSD Dashboard


Qualys has also provided template information to create an OpenBSD Vulnerabilities Dashboard leveraging data in the Qualys Vulnerability Management subscription.

Finding Vulnerable Hosts

The fastest way to locate vulnerable hosts is through the Qualys Threat Protection Live Feed as seen here:


To remediate this vulnerability, apply the latest patches for OpenBSD 6.5 and OpenBSD 6.6.
Qualys customers can scan their network with QID 38774 to detect vulnerable assets.

Comments (2)



  1. Hi Animesh, it’s strange. When I look in Threat Protect I see a number of assets linked to this, yet when I drill into those assets and click vulnerabilities, I don’t see the QID. Also, when performing an asset search, I get zero results too. Why might this be please? Thanks, Tony

    1. Hi Tony,
      Thanks for reaching out. When I performed the same query in Threat Protect, I was able to see vulnerability details on the asset. Please let us know, if this issue still persists. I can also share our lab results and screenshots for reference.