Description: Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to the director itself leading to the director responding to the replayed challenge. The response obtained is then a valid reply to the director's original challenge. This is fixed in version 19.2.8.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: medium
Debian Bugs: 965985

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release   Version           Status
bareos (PTS)     stretch   16.2.4-3+deb9u2   vulnerable

The information below is based on the following data on fixed versions.

Package   Type   Release   Fixed Version   Urgency   Origin   Debian Bugs

[buster] - bareos <ignored> (Minor issue; workaround exists; intrusive to backport to older versions)
[stretch] - bareos <no-dsa> (minor issue, low priority) (master)
Workaround: Make sure the director will not connect to a client that can initiate connections. As a rule: every client with "Connection From Client To Director = yes" must also set "Connection From Director To Client = no".
