| Name | CVE-2020-4042 |
|---|---|
| Description | Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client-initiated connections and also connects to the client itself. The malicious client can replay the Bareos director's CRAM-MD5 challenge to the director itself, leading the director to respond to the replayed challenge. The response obtained is then a valid reply to the director's original challenge. This is fixed in version 19.2.8. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 965985 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| bareos (PTS) | jessie | 14.2.1+20141017gitc6c5b56-3+deb8u3 | vulnerable |
| | stretch | 16.2.4-3+deb9u2 | vulnerable |
| | buster | 16.2.6-5 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| bareos | source | jessie | (unfixed) | end-of-life | | |
| bareos | source | (unstable) | (unfixed) | | | 965985 |
Notes
[buster] - bareos <ignored> (Minor issue; workaround exists; intrusive to backport to older versions)
[stretch] - bareos <no-dsa> (minor issue, low priority)
https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752
https://bugs.bareos.org/view.php?id=1250
https://github.com/bareos/bareos/commit/93f2db6451a684fbb224a7d24cdd85e77b2b51fc (master)
Workaround: Make sure the director will not connect to a client that can initiate connections. As a rule: every client with "Connection From Client To Director = yes" must also set "Connection From Director To Client = no".