CVE-2020-4042

Name of the Vulnerable Software and Affected Versions Bareos versions prior to 19.2.8

Description The issue allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client-initiated connection and connects to the client itself. A malicious client can replay the Bareos director's cram-md5 challenge to the director itself, leading to the director responding to the replayed challenge. The response obtained is then a valid reply to the director's original challenge.

Recommendations For versions prior to 19.2.8, update to version 19.2.8 to resolve the issue. As a temporary workaround, consider restricting client-initiated connections to trusted clients or disabling the feature that allows the director to connect to clients itself until the update is applied.