CVE-2020-4042

Name: CVE-2020-4042
Description: Bareos versions before 19.2.8 allow a malicious client to communicate with the director without knowledge of the shared secret if the director allows client-initiated connections and also connects to the client itself. The malicious client can replay the Bareos director's CRAM-MD5 challenge back to the director, which then answers the replayed challenge; the response obtained is a valid reply to the director's original challenge. This is fixed in version 19.2.8.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 965985

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release   Version                              Status
bareos (PTS)     jessie    14.2.1+20141017gitc6c5b56-3+deb8u3   vulnerable
                 stretch   16.2.4-3+deb9u2                      vulnerable
                 buster    16.2.6-5                             vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency       Origin   Debian Bugs
bareos    source   jessie       (unfixed)       end-of-life
bareos    source   (unstable)   (unfixed)                              965985

Notes

[buster] - bareos <ignored> (Minor issue; workaround exists; intrusive to backport to older versions)
[stretch] - bareos <no-dsa> (minor issue, low priority)
https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752
https://bugs.bareos.org/view.php?id=1250
https://github.com/bareos/bareos/commit/93f2db6451a684fbb224a7d24cdd85e77b2b51fc (master)
Workaround: Make sure the director will not connect to a client that can initiate connections. As a rule: every client with "Connection From Client To Director = yes" must also set "Connection From Director To Client = no".
