CVE-2019-15900

9.8 CRITICAL

📋 TL;DR

CVE-2019-15900 is a privilege escalation vulnerability in slicer69 doas (a sudo alternative) on non-OpenBSD platforms. When a username or group name cannot be resolved, a check that relies on an uninitialized variable fails to catch the lookup error, so doas may execute the command as root instead of failing. This affects doas versions before 6.2 on Linux and other platforms lacking strtonum(3).

💻 Affected Systems

Products:
  • slicer69 doas
Versions: All versions before 6.2
Operating Systems: Linux and other non-OpenBSD platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Only platforms without the strtonum(3) function are affected. OpenBSD systems are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A local attacker bypasses doas authentication and gains full root privileges on an affected system, enabling complete system compromise.

🟠 Likely Case

Local users with doas access escalate to root by triggering the username/group parsing failure.

🟢 If Mitigated

With the patch applied, name-lookup failures are handled correctly and the privilege escalation is prevented.

🌐 Internet-Facing: LOW - This is primarily a local privilege escalation vulnerability requiring local access.
🏢 Internal Only: HIGH - Any system running a vulnerable doas version presents a significant internal risk of privilege escalation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and knowledge of non-existent usernames/groups to trigger the parsing failure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.2

Vendor Advisory: https://github.com/slicer69/doas/commit/2f83222829448e5bc4c9391d607ec265a1e06531

Restart Required: No

Instructions:

1. Update doas to version 6.2 or later.
2. For source installations: clone the repository, check out a 6.2 or later release, then compile and install.
3. For package-manager installations: use the distribution's update commands.

🔧 Temporary Workarounds

Remove doas (platform: linux)

Uninstall doas if it is not required, and use sudo or another alternative instead:

apt remove doas
yum remove doas
pacman -R doas

Restrict doas usage (platform: all)

Limit the doas configuration to specific trusted users only by editing /etc/doas.conf to restrict permissions.

🧯 If You Can't Patch

  • Remove doas binary or restrict execute permissions to root only
  • Implement strict monitoring of doas usage and authentication failures

🔍 How to Verify

Check if Vulnerable:

Run doas -v | grep 'doas version' and compare the reported version with 6.2 (anything lower is vulnerable). Run uname -a to confirm the platform: only non-OpenBSD systems are affected.

Check Version:

doas -v

Verify Fix Applied:

doas -v should report version 6.2 or higher.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts with non-existent usernames/groups followed by successful root command execution
  • Unexpected root privilege usage via doas

Network Indicators:

  • N/A - local privilege escalation

SIEM Query:

Search for: (process.name="doas" AND event.outcome="success" AND user.name!="root") OR (process.name="doas" AND user.name="root" AND parent.user.name!="root")
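As an added illustration of the log indicators and SIEM logic above (not part of this advisory or of doas itself), the following Python correlates a doas failure with a subsequent root-level success by the same user inside a short window. The sample lines are constructed, and the doas message formats they imitate are an assumption about the local syslog format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in syslog style. The doas message shapes used here
# ("failed auth for <user>", "failed command for <user>: <cmd>", "command not
# permitted for <user>: <cmd>", "<user> ran command <cmd> as <target> from
# <cwd>") are an assumption about the local log format, not from the advisory.
SAMPLE_LOG = """\
Mar 10 10:00:01 host1 doas: failed command for alice: /bin/sh
Mar 10 10:00:03 host1 doas: alice ran command /bin/sh as root from /home/alice
Mar 10 10:05:00 host1 doas: bob ran command /usr/bin/id as root from /home/bob
Mar 10 10:07:00 host1 doas: failed auth for carol
Mar 10 10:20:00 host1 doas: carol ran command /bin/ls as root from /home/carol
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ doas: (?P<msg>.*)$")
FAIL_RE = re.compile(r"^(?:failed auth for|failed command for|"
                     r"command not permitted for) (?P<user>[^:\s]+)")
RAN_RE = re.compile(r"^(?P<user>\S+) ran command (?P<cmd>.*) as (?P<target>\S+) from ")

def parse_ts(ts: str, year: int = 2019) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_suspicious(log: str, window_seconds: int = 300) -> list:
    """Return (user, cmd, timestamp) for each 'ran command ... as root' entry
    that follows a doas failure by the same user within window_seconds: a
    rejected name followed by a root execution is the pattern to look for."""
    last_fail = {}   # user -> timestamp of that user's most recent failure
    hits = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        fail = FAIL_RE.match(msg)
        if fail:
            last_fail[fail["user"]] = ts
            continue
        ran = RAN_RE.match(msg)
        if ran and ran["target"] == "root":
            prev = last_fail.get(ran["user"])
            if prev is not None and ts - prev <= timedelta(seconds=window_seconds):
                hits.append((ran["user"], ran["cmd"], ts))
    return hits
```

On the constructed sample only alice's root execution is flagged at the default 300-second window; carol's is 13 minutes after her failure and is only reported with a wider window.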
