View Issue Details

IDProjectCategoryView StatusLast Update
0001250bareos-core[All Projects] Generalpublic2020-07-09 22:46
ReporteraroggeAssigned Tofranku 
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionfixed 
Product Version 
Fixed in Version19.2.9 
Summary0001250: Authentication bypass in Director when allowing client and director initiated connections
DescriptionBareos allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself.
The malicious client can replay the Bareos director's cram-md5 challenge to the director itself leading to the director responding to the replayed challenge. The response obtained is then a valid reply to the directors original challenge.
Additional InformationSee also: https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752
TagsNo tags attached.
bareos-master: impactyes
bareos-master: actionfixed
bareos-19.2: impactyes
bareos-19.2: actionfixed
bareos-18.2: impactyes
bareos-18.2: actionnone
bareos-17.2: impactyes
bareos-17.2: actionnone
bareos-16.2: impactyes
bareos-16.2: actionnone
bareos-15.2: impact
bareos-15.2: action
bareos-14.2: impact
bareos-14.2: action
bareos-13.2: impact
bareos-13.2: action
bareos-12.4: impact
bareos-12.4: action

Relationships

related to 0001230 closedarogge Release Bareos 19.2.8 

Activities

franku

franku

2020-07-01 14:22

administrator   ~0004017

Fix committed to bareos master branch with changesetid 13503.
franku

franku

2020-07-01 15:22

administrator   ~0004018

Fix committed to bareos bareos-19.2 branch with changesetid 13522.

Related Changesets

bareos: master 93f2db64

2020-06-07 17:32:37

franku

Ported: N/A

Details Diff
cram-md5: do not accept challenge if own resource name is used

Fixes 0001250: Authentication bypass in Director

use the unified-resource-name for the cram challenge
i.e. auth cram-md5 <1001326377.1591525437@R_CLIENT::backup-bareos-test-fd>
Affected Issues
0001250
mod - core/src/lib/cram_md5.cc Diff File
mod - core/src/lib/cram_md5.h Diff File
mod - core/src/lib/util.cc Diff File
mod - core/src/lib/util.h Diff File
mod - core/src/tests/bsock_test_connection_setup.cc Diff File

bareos: bareos-19.2 27ed33ed

2020-06-07 17:32:37

franku

Ported: N/A

Details Diff
cram-md5: do not accept challenge if own resource name is used

Fixes 0001250: Authentication bypass in Director

use the unified-resource-name for the cram challenge
i.e. auth cram-md5 <1001326377.1591525437@R_CLIENT::backup-bareos-test-fd>
Affected Issues
0001250
mod - core/src/lib/cram_md5.cc Diff File
mod - core/src/lib/cram_md5.h Diff File
mod - core/src/lib/util.cc Diff File
mod - core/src/lib/util.h Diff File
mod - core/src/tests/bsock_test_connection_setup.cc Diff File

Issue History

Date Modified Username Field Change
2020-06-09 15:47 arogge New Issue
2020-06-09 17:33 arogge Assigned To => franku
2020-06-09 17:33 arogge Status new => assigned
2020-06-09 17:33 arogge Status assigned => confirmed
2020-07-01 14:22 franku Changeset attached => bareos master 93f2db64
2020-07-01 14:22 franku Note Added: 0004017
2020-07-01 14:22 franku Status confirmed => resolved
2020-07-01 14:22 franku Resolution open => fixed
2020-07-01 15:22 franku Changeset attached => bareos bareos-19.2 27ed33ed
2020-07-01 15:22 franku Note Added: 0004018
2020-07-08 11:21 arogge Relationship added related to 0001230
2020-07-09 22:45 arogge Status resolved => new
2020-07-09 22:45 arogge Resolution fixed => reopened
2020-07-09 22:46 arogge Status new => closed
2020-07-09 22:46 arogge Resolution reopened => fixed
2020-07-09 22:46 arogge Fixed in Version => 19.2.9
2020-07-09 22:46 arogge View Status private => public
2020-07-09 22:46 arogge bareos-master: impact => yes
2020-07-09 22:46 arogge bareos-master: action => fixed
2020-07-09 22:46 arogge bareos-19.2: impact => yes
2020-07-09 22:46 arogge bareos-19.2: action => fixed
2020-07-09 22:46 arogge bareos-18.2: impact => yes
2020-07-09 22:46 arogge bareos-18.2: action => none
2020-07-09 22:46 arogge bareos-17.2: impact => yes
2020-07-09 22:46 arogge bareos-17.2: action => none
2020-07-09 22:46 arogge bareos-16.2: impact => yes
2020-07-09 22:46 arogge bareos-16.2: action => none