Privilege Escalation Vulnerability in OpenBSD xlock Component
CVE-2019-19520

7.8HIGH

Key Information:

Vendor

OpenBSD
Status
OpenBSD
Vendor
CVE Published:
5 December 2019

Badges

👾 Exploit Exists

What is CVE-2019-19520?

The xlock utility in OpenBSD 6.6 contains a vulnerability that allows local users to escalate their privileges. This flaw arises from improper handling of the LIBGL_DRIVERS_PATH environment variable within the xenocara/lib/mesa/src/loader/loader.c file, specifically during the dynamic loading process using dlopen. By manipulating this environment variable, a local user can gain unauthorized access to functions or permissions restricted to the auth group, posing a significant security risk to affected systems.

References

https://www.openwall.com/lists/oss-security/2019/12/04/5
x_refsource_MISC
https://www.openbsd.org/errata66.html
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2019/12/04/6
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.