
Authentication bypass in director when allowing client and director initiated connections

Moderate
arogge published GHSA-vqpj-2vhj-h752 Jul 9, 2020

Package

bareos-common

Affected versions

<= 19.2.7

Patched versions

19.2.8

Description

Impact

Bareos before 19.2.8 allows a malicious client to communicate with the director without knowledge of the shared secret if the director both allows client-initiated connections and itself connects to the client.

The malicious client can replay the Bareos director's CRAM-MD5 challenge to the director itself, so that the director answers its own challenge. The response obtained is then a valid reply to the director's original challenge.
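The exchange described above, and the replay check that 19.2.8 introduces, as an added model written for this advisory (it is not Bareos code; the real daemons use their own wire format and encoding, and here both connections are plain function calls, the response is a hex HMAC-MD5, and the replay check is modelled as refusing to answer a challenge identical to one the director itself issued and has not yet resolved):

```python
"""Model of the CRAM-MD5 reflection from the advisory and of a replay check.
Simplified model, not Bareos code (see lead-in for the assumptions)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os


def cram_md5_response(secret: bytes, challenge: str) -> str:
    """Standard CRAM-MD5 answer: HMAC-MD5 of the challenge keyed with the shared secret."""
    return hmac.new(secret, challenge.encode(), hashlib.md5).hexdigest()


class Director:
    """In mutual authentication the director both challenges the peer and
    answers the peer's challenge; it is the second role that gets abused."""

    def __init__(self, secret: bytes, replay_check: bool):
        self.secret = secret
        self.replay_check = replay_check      # False models <= 19.2.7, True models 19.2.8
        self.outstanding: set[str] = set()    # challenges we issued and have not resolved yet

    def issue_challenge(self) -> str:
        challenge = base64.b64encode(os.urandom(16)).decode()
        self.outstanding.add(challenge)
        return challenge

    def answer_challenge(self, challenge: str) -> str | None:
        """Answer a peer's challenge. With the replay check enabled, refuse a
        challenge that equals one of our own still-open challenges."""
        if self.replay_check and challenge in self.outstanding:
            return None
        return cram_md5_response(self.secret, challenge)

    def verify_response(self, challenge: str, response: str) -> bool:
        self.outstanding.discard(challenge)
        expected = cram_md5_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)


def reflection_succeeds(replay_check: bool) -> bool:
    """Simulate a client that has no secret but can both accept a
    director-initiated connection and open a client-initiated one.
    Returns True if the director ends up accepting its own answer."""
    director = Director(secret=os.urandom(32), replay_check=replay_check)
    # Connection 1 (director -> client): the director challenges the client.
    challenge = director.issue_challenge()
    # Connection 2 (client -> director): the client presents the very same
    # challenge to the director and asks it to answer.
    reflected = director.answer_challenge(challenge)
    if reflected is None:
        return False  # replay detected; connection 2 is refused
    # Back on connection 1: the client hands the director its own answer.
    return director.verify_response(challenge, reflected)


def honest_client_succeeds(replay_check: bool) -> bool:
    """A client that knows the secret still authenticates with the check enabled."""
    secret = os.urandom(32)
    director = Director(secret, replay_check)
    challenge = director.issue_challenge()
    return director.verify_response(challenge, cram_md5_response(secret, challenge))


if __name__ == "__main__":
    print("without replay check, reflection accepted:", reflection_succeeds(False))
    print("with replay check, reflection accepted:   ", reflection_succeeds(True))
    print("with replay check, honest client accepted:", honest_client_succeeds(True))
```

The check only needs the director to remember the challenges it has issued and still has open; a challenge that comes back as a question rather than an answer is the signature of the reflection.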

Patches

Bareos 19.2.8 fixes the issue by checking for a replay. All users that cannot implement the workaround should immediately upgrade to Bareos 19.2.8.

Workaround

To mitigate the problem, make sure that the director will not connect to a client that can initiate connections. In practice, when you enable client-initiated connections you must disable Connection From Director To Client (which defaults to "yes").

As a simple rule, every client with Connection From Client To Director = yes must also set Connection From Director To Client = no.
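A small audit for that rule, added here as an example and not a Bareos tool: it parses the Client resources of a director configuration and reports every client that may initiate connections while the director may still connect to it. The parser only handles the plain "Name = value" resource layout, the sample configuration is constructed, the "yes" default for Connection From Director To Client comes from the advisory, and the "no" default assumed for Connection From Client To Director is an assumption.

```python
"""Report Client resources exposed to the reflection described in the advisory.
Added example; the Bareos config parser here is deliberately minimal."""
import re

DIR_TO_CLIENT = "connection from director to client"
CLIENT_TO_DIR = "connection from client to director"
# Default for DIR_TO_CLIENT is stated in the advisory; the CLIENT_TO_DIR
# default is an assumption of this example.
DEFAULTS = {DIR_TO_CLIENT: "yes", CLIENT_TO_DIR: "no"}

# Constructed sample director configuration (not from the advisory).
SAMPLE_CONFIG = """
Client {
  Name = laptop-fd
  Address = laptop.example.internal
  Password = "constructed-placeholder"
  Connection From Client To Director = yes
  Connection From Director To Client = no      # follows the workaround
}

Client {
  Name = roaming-fd
  Address = roaming.example.internal
  Password = "constructed-placeholder"
  Connection From Client To Director = yes     # director side left at default yes
}

Client {
  Name = server-fd
  Address = server.example.internal
  Password = "constructed-placeholder"
}
"""


def _is_yes(value: str) -> bool:
    return value.strip().strip('"').lower() in ("yes", "true", "on", "1")


def parse_client_resources(text: str) -> dict[str, dict[str, str]]:
    """Map each Client { ... } block to {directive (lowercased): value}."""
    clients: dict[str, dict[str, str]] = {}
    for block in re.finditer(r"\bClient\s*\{(.*?)\}", text, re.S | re.I):
        directives: dict[str, str] = {}
        for raw in block.group(1).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            # Drop a trailing comment; a '#' inside a value is kept only when
            # it is not preceded by whitespace (good enough for this sample).
            line = re.split(r"\s+#", line, maxsplit=1)[0].strip()
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            directives[" ".join(key.lower().split())] = value.strip().strip('"')
        name = directives.get("name")
        if name:
            clients[name] = directives
    return clients


def exposed_clients(text: str) -> list[str]:
    """Clients with Connection From Client To Director = yes that do not
    also set Connection From Director To Client = no (defaults applied)."""
    exposed = []
    for name, d in parse_client_resources(text).items():
        client_to_dir = d.get(CLIENT_TO_DIR, DEFAULTS[CLIENT_TO_DIR])
        dir_to_client = d.get(DIR_TO_CLIENT, DEFAULTS[DIR_TO_CLIENT])
        if _is_yes(client_to_dir) and _is_yes(dir_to_client):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    for client in exposed_clients(SAMPLE_CONFIG):
        print(f"{client}: set 'Connection From Director To Client = no' or upgrade to 19.2.8")
```

Run it against the director's own Client resources; any name it prints is a client for which the workaround has not been applied and which therefore still needs either the directive change or the upgrade.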

References

https://bugs.bareos.org/view.php?id=1250


Severity

Moderate

CVE ID

CVE-2020-4042

Weaknesses

No CWEs

Credits