CVE-2017-14610

Name of the Vulnerable Software and Affected Versions Bareos versions prior to 16.2.7

Description The issue allows local users to potentially kill arbitrary processes by modifying the PID file, which is created after dropping privileges to a non-root account. This can be exploited when a root script executes a command like "kill cat /pathname", where /pathname is the path to the PID file.

Recommendations For versions prior to 16.2.7, consider restricting access to the PID file to prevent modification by non-root accounts until a fix is applied. As a temporary workaround, avoid using commands that execute a "kill cat /pathname" command on the PID file created by bareos-dir, bareos-fd, and bareos-sd in bareos-core.