CVE-2019-19521

Name of the Vulnerable Software and Affected Versions OpenBSD version 6.6

Description The issue allows authentication bypass via the username variable, as demonstrated by smtpd, ldapd, or radiusd. This is related to gen/auth subr.c and gen/authenticate.c in libc, as well as login/login.c and xenocara/app/xenodm/greeter/verify.c. The authentication bypass is remotely exploitable.

Recommendations For OpenBSD version 6.6, consider temporarily disabling the authentication mechanism that uses the username variable until a patch is available. Restrict access to the affected services, such as smtpd, ldapd, or radiusd, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.