0001210: Security vulnerability results in heap overflow in director when doing a Verify job against a file daemon.

ID	Project	Category	View Status	Date Submitted	Last Update

0001210	bareos-core	director	public	2020-03-13 07:58	2020-11-30 15:47

Reporter	phasip	Assigned To	arogge
Priority	immediate	Severity	block	Reproducibility	always
Status	closed	Resolution	fixed
Platform	Linux	OS	CentOS	OS Version	7
Product Version	18.2.7

Summary	0001210: Security vulnerability results in heap overflow in director when doing a Verify job against a file daemon.
Description	Line 1119 in https://github.com/bareos/bareos/blob/master/core/src/dird/fd_cmds.cc allows a malicious file daemon to overflow the directors heap by sending a Digest longer than 512 bytes. This is likely usable to gain remote control over the director from a client. In other places such issues have been avoided by resizing buffers to be at least fd->message_length long.
Steps To Reproduce	Run a Verify job with level InitCatalog against a malicious file daemon that sends arbitrary length Digests. Crash will ocurr in deamon when the connection is closed.
Additional Information	This issue likely affects Bacula too so be sure to coordinate disclosure. Will update this issue with information about the Bacula report.
Tags	No tags attached.

arogge 2020-03-20 11:32 manager ~0003897	You're right. This is an obvious heap-overflow.

arogge 2020-04-29 12:30 manager ~0003973	do you have any news on the Bacula bug report? I have a fix prepared, so we could release and then disclose the issue. Right now everything is on hold as I'm awaiting a date for coordinated disclosure. We're also happy to give credits, so please tell me what name (and maybe contact information) we should use.

phasip 2020-04-29 12:46 reporter ~0003974 Last edited: 2020-04-29 12:48	Unfortunately I have not been able to reach the Bacula team at all. I am not sure if the project is completely dead. Maybe you guys have some contact with them? Please use my name: Pasi Saarinen & my company email: pasi.saarinen@f-secure.com, please make sure to get a CVE number for this.

arogge 2020-04-29 13:59 manager ~0003975	There were major disagreements in the past, so we don't have any contact to the Bacula team anymore. What methods of contacting did you already try? If I can think of any other way, I would give it a short.

phasip 2020-04-29 15:19 reporter ~0003976	The relation between bacula.org and baculasystems.com seems unclear to me, however I have now managed to report this to baculasystems.com through their accounting department.

phasip 2020-04-29 15:47 reporter ~0003977	Update: Response from Eric Bollengier Hello Pasi, Thanks for your notice, we will publish a patch in the git repository for this issue and send a notice to Kern. Best Regards, Eric

arogge 2020-05-05 14:32 manager ~0003982	I've seen the fixes in the bacula git, so I guess we're good to go then...

arogge 2020-06-09 16:00 manager ~0004004	We have a CVE-Number assigned now: CVE-2020-11061

arogge 2020-06-09 16:01 manager ~0004005	Is https://github.com/Phasip your github and are you OK if I credit you in the CVE?

phasip 2020-06-10 11:53 reporter ~0004006	Great! Yes I am OK with getting credit and that is my github!

arogge 2020-07-09 10:22 manager ~0004025	Fix committed to bareos bareos-19.2 branch with changesetid 13530.

arogge 2020-07-09 13:22 manager ~0004026	Fix committed to bareos bareos-17.2 branch with changesetid 13531.

bareos: master 86c6fa47 2020-04-29 14:20 arogge Ported: N/A Details Diff	dir: avoid heap-overflow during verify job Fixes 0001210: Security vulnerability results in heap overflow in director when doing a Verify job against a file daemon. Previously the code did not check that the target buffer that scanf() wrote into was big enough to fit the data. This patch now resizes the buffer to the size of the message buffer that is being parsed ensuring that there is no heap overflow anymore.	Affected Issues 0001210
	mod - core/src/dird/fd_cmds.cc	Diff File
bareos: bareos-17.2 d41779a0 2020-04-29 14:20 arogge Ported: N/A Details Diff	dir: avoid heap-overflow during verify job Fixes 0001210: Security vulnerability results in heap overflow in director when doing a Verify job against a file daemon. Previously the code did not check that the target buffer that scanf() wrote into was big enough to fit the data. This patch now resizes the buffer to the size of the message buffer that is being parsed ensuring that there is no heap overflow anymore. (backport of 86c6fa479a21a1464366babb74e6cf33770ed7ae)	Affected Issues 0001210
	mod - src/dird/fd_cmds.c	Diff File
bareos: bareos-18.2 66c3f31f 2020-04-29 14:20 arogge Ported: N/A Details Diff	dir: avoid heap-overflow during verify job Fixes 0001210: Security vulnerability results in heap overflow in director when doing a Verify job against a file daemon. Previously the code did not check that the target buffer that scanf() wrote into was big enough to fit the data. This patch now resizes the buffer to the size of the message buffer that is being parsed ensuring that there is no heap overflow anymore. (backport of 86c6fa479a21a1464366babb74e6cf33770ed7ae)	Affected Issues 0001210
	mod - core/src/dird/fd_cmds.cc	Diff File
bareos: bareos-19.2 1faaffa4 2020-04-29 14:20 arogge Ported: N/A Details Diff	dir: avoid heap-overflow during verify job Fixes 0001210: Security vulnerability results in heap overflow in director when doing a Verify job against a file daemon. Previously the code did not check that the target buffer that scanf() wrote into was big enough to fit the data. This patch now resizes the buffer to the size of the message buffer that is being parsed ensuring that there is no heap overflow anymore. (cherry picked from commit 86c6fa479a21a1464366babb74e6cf33770ed7ae)	Affected Issues 0001210
	mod - core/src/dird/fd_cmds.cc	Diff File
bareos: bareos-17.2 916b63c7 2020-04-29 14:20 arogge Ported: N/A Details Diff	dir: avoid heap-overflow during verify job Fixes 0001210: Security vulnerability results in heap overflow in director when doing a Verify job against a file daemon. Previously the code did not check that the target buffer that scanf() wrote into was big enough to fit the data. This patch now resizes the buffer to the size of the message buffer that is being parsed ensuring that there is no heap overflow anymore. (backport of 86c6fa479a21a1464366babb74e6cf33770ed7ae)	Affected Issues 0001210
	mod - src/dird/fd_cmds.c	Diff File

Date Modified	Username	Field	Change
2020-03-13 07:58	phasip	New Issue
2020-03-20 11:32	arogge	Status	new => confirmed
2020-03-20 11:32	arogge	Note Added: 0003897
2020-04-28 11:36	arogge	Assigned To	=> arogge
2020-04-28 11:36	arogge	Status	confirmed => assigned
2020-04-29 12:30	arogge	Status	assigned => feedback
2020-04-29 12:30	arogge	Note Added: 0003973
2020-04-29 12:46	phasip	Note Added: 0003974
2020-04-29 12:46	phasip	Status	feedback => assigned
2020-04-29 12:48	phasip	Note Edited: 0003974
2020-04-29 13:59	arogge	Note Added: 0003975
2020-04-29 15:19	phasip	Note Added: 0003976
2020-04-29 15:47	phasip	Note Added: 0003977
2020-05-05 14:32	arogge	Note Added: 0003982
2020-06-09 16:00	arogge	Note Added: 0004004
2020-06-09 16:01	arogge	Note Added: 0004005
2020-06-10 11:53	phasip	Note Added: 0004006
2020-07-08 11:21	arogge	Relationship added	related to 0001230
2020-07-08 11:22	arogge	Relationship added	related to 0001225
2020-07-08 11:22	arogge	Relationship added	related to 0001226
2020-07-09 10:22	arogge	Changeset attached	=> bareos master 86c6fa47
2020-07-09 10:22	arogge	Changeset attached	=> bareos bareos-17.2 d41779a0
2020-07-09 10:22	arogge	Changeset attached	=> bareos bareos-18.2 66c3f31f
2020-07-09 10:22	arogge	Changeset attached	=> bareos bareos-19.2 1faaffa4
2020-07-09 10:22	arogge	Note Added: 0004025
2020-07-09 10:22	arogge	Status	assigned => resolved
2020-07-09 10:22	arogge	Resolution	open => fixed
2020-07-09 13:22	arogge	Changeset attached	=> bareos bareos-17.2 916b63c7
2020-07-09 13:22	arogge	Note Added: 0004026
2020-07-09 22:44	arogge	Status	resolved => new
2020-07-09 22:44	arogge	Resolution	fixed => reopened
2020-07-09 22:45	arogge	Status	new => closed
2020-07-09 22:45	arogge	Resolution	reopened => fixed
2020-07-09 22:45	arogge	View Status	private => public
2020-11-30 15:47	arogge	Relationship added	related to 0001282

Reporting new Issues is disabled, please Report new Issues at https://github.com/bareos/bareos/issues

View Issue Details

Relationships

Activities

Related Changesets

Issue History

related to	0001230	closed	arogge	Release Bareos 19.2.8
related to	0001225	closed	arogge	Release Bareos 17.2.10
related to	0001226	closed	arogge	Release Bareos 18.2.9
related to	0001282	closed	arogge	Release Bareos 20.0.0