Impact
Bareos before 19.2.8 allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client-initiated connections and also connects to the client itself.
The malicious client can replay the Bareos director's CRAM-MD5 challenge back to the director, leading the director to respond to its own replayed challenge. The response obtained is then a valid reply to the director's original challenge.
Patches
Bareos 19.2.8 fixes the issue by checking for a replay. All users that cannot implement the workaround should immediately upgrade to Bareos 19.2.8.
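A simplified model of the director side of the mutual CRAM-MD5 handshake, added here to show why reflecting the director's own challenge works without the secret and how the replay check described above closes it (constructed example, not Bareos code; class and function names are assumed):

```python
import hashlib
import hmac
import secrets


def cram_md5_response(challenge: bytes, secret: bytes) -> str:
    """CRAM-MD5 style response: HMAC-MD5 of the challenge keyed with the shared secret."""
    return hmac.new(secret, challenge, hashlib.md5).hexdigest()


class Director:
    """Simplified director: issues a challenge, verifies responses, answers peer challenges."""

    def __init__(self, secret: bytes, check_replay: bool):
        self.secret = secret
        self.check_replay = check_replay   # True models the 19.2.8 behaviour
        self.outstanding = None            # challenge we sent and still await a reply to

    def issue_challenge(self) -> bytes:
        self.outstanding = secrets.token_bytes(16)
        return self.outstanding

    def verify_response(self, response: str) -> bool:
        expected = cram_md5_response(self.outstanding, self.secret)
        return hmac.compare_digest(expected, response)

    def answer_peer_challenge(self, peer_challenge: bytes):
        # Replay check: never answer a challenge identical to the one we are awaiting
        # a response to, because that answer would be exactly what the peer must produce.
        if self.check_replay and peer_challenge == self.outstanding:
            return None
        return cram_md5_response(peer_challenge, self.secret)


def reflected_handshake(director: Director) -> bool:
    """Peer that does not know the secret and simply sends the director's challenge back."""
    challenge = director.issue_challenge()
    reflected = director.answer_peer_challenge(challenge)
    if reflected is None:
        return False                       # director refused the replayed challenge
    return director.verify_response(reflected)


def honest_handshake(director: Director, client_secret: bytes) -> bool:
    """Peer that knows the shared secret and computes the response itself."""
    challenge = director.issue_challenge()
    return director.verify_response(cram_md5_response(challenge, client_secret))
```

With `check_replay=False` the reflected handshake succeeds without the secret; with `check_replay=True` it is rejected while a client holding the correct secret still authenticates.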
Workaround
To mitigate the problem, you must make sure that the director will not connect to a client that can initiate connections. In practice, when you enable client-initiated connections you have to disable Connection From Director To Client (which defaults to "yes").
As a simple rule, every client with Connection From Client To Director = yes must also set Connection From Director To Client = no.
References
https://bugs.bareos.org/view.php?id=1250
If you have any questions or comments about this advisory: