CVE-2020-4042

Name: CVE-2020-4042
Description: Bareos versions before 19.2.8 allow a malicious client to communicate with the director without knowledge of the shared secret if the director allows client-initiated connections and itself connects to the client. The malicious client can replay the Bareos director's CRAM-MD5 challenge back to the director, leading the director to respond to its own replayed challenge. The response obtained is then a valid reply to the director's original challenge. This is fixed in version 19.2.8.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 965985

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release    Version            Status
bareos (PTS)      stretch    16.2.4-3+deb9u2    vulnerable
                  buster     16.2.6-5           vulnerable
                  sid        17.2.7-2.1         vulnerable

The information below is based on the following data on fixed versions.

Package    Type      Release     Fixed Version    Urgency    Origin    Debian Bugs
bareos     source    (unstable)  (unfixed)                             965985

Notes

[stretch] - bareos <no-dsa> (minor issue, low priority)
https://github.com/bareos/bareos/security/advisories/GHSA-vqpj-2vhj-h752