CVE-2022-24755 in Bareosinfo

Summary

by MITRE • 03/15/2022

Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, it will skip authorization checks completely. Expired accounts and accounts with expired passwords can still login. This problem will affect users that have PAM enabled. Currently there is no authorization (e.g. check for expired or disabled accounts), but only plain authentication (i.e. check if username and password match). Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 implement the authorization check that was previously missing. The only workaround is to make sure that authentication fails if the user is not authorized.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 03/18/2022

The vulnerability identified as CVE-2022-24755 affects Bareos Director versions 18.2 and later up to but not including 21.1.0, 20.0.6, and 19.2.12 when configured with PAM authentication. This represents a critical authorization flaw that fundamentally undermines the security posture of backup systems relying on Bareos for data protection. The issue stems from a design flaw where the system performs only authentication checks without implementing proper authorization validation, creating a scenario where users can bypass account status verification mechanisms. Organizations using PAM-enabled Bareos Director installations face significant risks as this vulnerability allows unauthorized access through accounts that should be disabled or expired, effectively rendering account management controls useless.

The technical implementation of this vulnerability manifests as a failure in the authorization pipeline within the Bareos Director component. When PAM authentication is enabled, the system correctly validates username and password combinations but completely omits verification of account status including expiration dates, account disablement, or other access control policies. This creates a scenario where malicious actors or compromised legitimate accounts can maintain access even after their credentials should have been revoked or expired. The flaw essentially creates a bypass mechanism that allows authentication without proper authorization, which is a fundamental security principle violation. According to CWE-613, this vulnerability maps to insufficient session expiration or authorization checks, while from an ATT&CK perspective it aligns with T1566 (Phishing) and T1078 (Valid Accounts) where attackers exploit weak account validation mechanisms to maintain persistent access.

The operational impact of CVE-2022-24755 extends beyond simple unauthorized access to encompass potential data compromise and system integrity violations. Backup systems are often considered critical infrastructure components containing sensitive organizational data, and this vulnerability could enable attackers to access backup repositories, potentially leading to data exfiltration or manipulation. The lack of authorization checks means that even accounts with expired passwords or disabled access can continue to authenticate successfully, creating a persistent security risk. Organizations may experience unauthorized data recovery operations, modification of backup schedules, or complete access to backup archives that should be restricted. The vulnerability affects systems where PAM integration is configured, making it particularly concerning for enterprises that rely on centralized authentication mechanisms and account lifecycle management policies.

The remediation for CVE-2022-24755 requires updating Bareos Director installations to versions 21.1.0, 20.0.6, or 19.2.12, which include the proper authorization checks that were previously missing. Organizations should immediately assess their current Bareos Director deployments to identify affected versions and implement the necessary upgrades. The workaround mentioned in the vulnerability description, which involves ensuring authentication fails for unauthorized users, is not a practical long-term solution as it requires complex configuration changes and may not be feasible in all deployment scenarios. Security teams should also review existing access controls and account management policies to identify any accounts that may have exploited this vulnerability during the affected time period. The fix addresses the root cause by implementing proper authorization validation that checks account status during the authentication process, ensuring that expired or disabled accounts cannot authenticate successfully. This remediation aligns with security best practices for access control and follows the principle of least privilege by ensuring that authentication is tied to proper authorization validation. Organizations should also consider implementing additional monitoring and alerting mechanisms to detect unauthorized access attempts that might have occurred while this vulnerability was present.

Responsible

GitHub, Inc.

Reservation

02/10/2022

Disclosure

03/15/2022

Moderation

accepted

CPE

ready

EPSS

0.01996

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!