CVE-2020-26142
https://notcve.org/view.php?id=CVE-2020-26142
An issue was discovered in the kernel in OpenBSD 6.6. The WEP, WPA, WPA2, and WPA3 implementations treat fragmented frames as full frames. An adversary can abuse this to inject arbitrary network packets, independent of the network configuration. Se detectó un problema en el kernel en OpenBSD versión 6.6. Las implementaciones WEP, WPA, WPA2 y WPA3 tratan las tramas fragmentadas como tramas completas. • http://www.openwall.com/lists/oss-security/2021/05/11/12 https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63 https://www.fragattacks.com • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2020-16088
https://notcve.org/view.php?id=CVE-2020-16088
iked in OpenIKED, as used in OpenBSD through 6.7, allows authentication bypass because ca.c has the wrong logic for checking whether a public key matches. iked en OpenIKED, como es usado en OpenBSD versiones hasta 6.7, permite omitir una autenticación porque el archivo ca.c presenta una lógica equivocada para comprobar si una clave pública coincide • https://ftp.openbsd.org/pub/OpenBSD/patches/6.7/common/014_iked.patch.sig https://github.com/openbsd/src/commit/7afb2d41c6d373cf965285840b85c45011357115 https://github.com/xcllnt/openiked/commits/master https://www.openiked.org/security.html • CWE-287: Improper Authentication •
CVE-2019-19726 – OpenBSD 6.x - Dynamic Loader Privilege Escalation
https://notcve.org/view.php?id=CVE-2019-19726
OpenBSD through 6.6 allows local users to escalate to root because a check for LD_LIBRARY_PATH in setuid programs can be defeated by setting a very small RLIMIT_DATA resource limit. When executing chpass or passwd (which are setuid root), _dl_setup_env in ld.so tries to strip LD_LIBRARY_PATH from the environment, but fails when it cannot allocate memory. Thus, the attacker is able to execute their own library code as root. OpenBSD versiones hasta 6.6, permite a usuarios locales escalar a root porque una comprobación de LD_LIBRARY_PATH en los programas setuid puede ser vencida estableciendo un límite de recursos de RLIMIT_DATA muy pequeño. Al ejecutar chpass o passwd (que son root de setuid), en la función _dl_setup_env en el archivo ld.so intenta eliminar LD_LIBRARY_PATH del entorno, pero presenta un fallo cuando no puede asignar memoria. • https://www.exploit-db.com/exploits/47780 https://www.exploit-db.com/exploits/47803 http://packetstormsecurity.com/files/155658/Qualys-Security-Advisory-OpenBSD-Dynamic-Loader-Privilege-Escalation.html http://packetstormsecurity.com/files/155764/OpenBSD-Dynamic-Loader-chpass-Privilege-Escalation.html http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html http://seclists.org/fulldisclosure/2019/Dec/31 http://seclists.org/fulldisclosure/2023/Oct/11 http://www.openwall.com/lists/ • CWE-269: Improper Privilege Management •
CVE-2019-14899
https://notcve.org/view.php?id=CVE-2019-14899
A vulnerability was discovered in Linux, FreeBSD, OpenBSD, MacOS, iOS, and Android that allows a malicious access point, or an adjacent user, to determine if a connected user is using a VPN, make positive inferences about the websites they are visiting, and determine the correct sequence and acknowledgement numbers in use, allowing the bad actor to inject data into the TCP stream. This provides everything that is needed for an attacker to hijack active connections inside the VPN tunnel. Se detectó una vulnerabilidad en Linux, FreeBSD, OpenBSD, MacOS, iOS y Android, que permite a un punto de acceso malicioso, o un usuario adyacente, determinar si un usuario conectado está utilizando una VPN, hacer inferencias positivas sobre los sitios web que está visitando, y determinar la secuencia correcta y los números de reconocimiento en uso, permitiendo al actor malo inyectar datos en la secuencia TCP. Esto proporciona todo lo necesario para que un atacante secuestre conexiones activas dentro del túnel VPN. • http://seclists.org/fulldisclosure/2020/Dec/32 http://seclists.org/fulldisclosure/2020/Jul/23 http://seclists.org/fulldisclosure/2020/Jul/24 http://seclists.org/fulldisclosure/2020/Jul/25 http://seclists.org/fulldisclosure/2020/Nov/20 http://www.openwall.com/lists/oss-security/2020/08/13/2 http://www.openwall.com/lists/oss-security/2020/10/07/3 http://www.openwall.com/lists/oss-security/2021/07/05/1 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-148 • CWE-300: Channel Accessible by Non-Endpoint •
CVE-2012-1577
https://notcve.org/view.php?id=CVE-2012-1577
lib/libc/stdlib/random.c in OpenBSD returns 0 when seeded with 0. El archivo lib/libc/stdlib/random.c en OpenBSD devuelve 0 cuando es sembrado con 0. • http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/random.c#rev1.16 http://www.openwall.com/lists/oss-security/2012/03/23/14 https://github.com/ensc/dietlibc/blob/master/CHANGES https://security-tracker.debian.org/tracker/CVE-2012-1577 • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) •