Arogge

**Name of the Vulnerable Software and Affected Versions** Bareos Director versions 18.2 through 21.1.0, excluding versions 21.1.0, 20.0.6, and 19.2.12 Bareos Director versions prior to 19.2.12, excluding version 19.2.12 Bareos Director versions prior to 20.0.6, excluding version 20.0.6 Bareos Director versions prior to 21.1.0, excluding version 21.1.0 However, the above can be simplified to: Bareos Director versions 18.2 through 20.0.5 Bareos Director versions 18.2 through 19.2.11 **Description** The issue affects Bareos Director when built and configured for PAM authentication, allowing expired accounts and accounts with expired passwords to login due to skipped authorization checks. This problem affects users with PAM enabled, as only plain authentication is performed, checking if the `username` and `password` match, without verifying if the account is expired or disabled. **Recommendations** For Bareos Director versions 18.2 through 20.0.5, update to version 20.0.6 or later. For Bareos Director versions 18.2 through 19.2.11, update to version 19.2.12 or later. For Bareos Director versions prior to 21.1.0, update to version 21.1.0 or later. As a temporary workaround, ensure that authentication fails if the user is not authorized.

**Name of the Vulnerable Software and Affected Versions** Bareos Director versions 18.2 through 21.1.0 (excluding 21.1.0), 20.0.6 (excluding 20.0.6), and 19.2.12 (excluding 19.2.12) Bareos Director versions prior to 19.2.12 Bareos Director versions prior to 20.0.6 Bareos Director versions prior to 21.1.0 **Description** Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director is built and configured for PAM authentication, a failed PAM authentication will leak a small amount of memory. An attacker that is able to use the PAM Console can flood the Director with failing login attempts which will eventually lead to an out-of-memory condition in which the Director will not work anymore. **Recommendations** For Bareos Director versions prior to 19.2.12, upgrade to version 19.2.12 or later. For Bareos Director versions prior to 20.0.6, upgrade to version 20.0.6 or later. For Bareos Director versions prior to 21.1.0, upgrade to version 21.1.0 or later. As a temporary workaround, consider disabling PAM authentication until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Bareos Director versions prior to 16.2.11 Bareos Director versions prior to 17.2.10 Bareos Director versions prior to 18.2.9 Bareos Director versions prior to 19.2.8 **Description** A heap overflow in the Bareos Director allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. **Recommendations** For Bareos Director version 16.2.10 and earlier, update to version 16.2.11 or later. For Bareos Director version 17.2.9, update to version 17.2.10 or later. For Bareos Director version 18.2.8, update to version 18.2.9 or later. For Bareos Director version 19.2.7, update to version 19.2.8 or later. As a temporary workaround, consider disabling verify jobs until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Bareos versions prior to 19.2.8 **Description** The issue allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client-initiated connection and connects to the client itself. A malicious client can replay the Bareos director's cram-md5 challenge to the director itself, leading to the director responding to the replayed challenge. The response obtained is then a valid reply to the director's original challenge. **Recommendations** For versions prior to 19.2.8, update to version 19.2.8 to resolve the issue. As a temporary workaround, consider restricting client-initiated connections to trusted clients or disabling the feature that allows the director to connect to clients itself until the update is applied.