CVE-2022-24756
📋 TL;DR
CVE-2022-24756 is a memory leak vulnerability in Bareos Director when PAM authentication is in use. An attacker with access to the PAM Console (via the shared secret or the WebUI) can trigger the leak with repeated failed login attempts, eventually exhausting memory and causing a denial of service. It affects Bareos Director from version 18.2 up to the fixed releases 21.1.0, 20.0.6 and 19.2.12, and only when PAM authentication is enabled. Deployments with PAM configured are at risk of having backup operations disrupted.
💻 Affected Systems
- Bareos Director
📦 What is this software?
Bareos by Bareos
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service where the Bareos Director becomes unresponsive due to memory exhaustion, halting all backup, archiving, and recovery operations until the service is restarted or memory is freed.
Likely Case
Degraded performance or temporary service disruption from memory leaks under attack, potentially causing backup failures or delays in data recovery processes.
If Mitigated
Minimal impact if PAM authentication is disabled or systems are patched, with no memory leaks and normal operation maintained.
🎯 Exploit Status
Exploitation requires authentication via shared secret or WebUI access; once authenticated, attackers can easily flood login attempts to trigger the memory leak.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 21.1.0, 20.0.6, 19.2.12
Vendor Advisory: https://github.com/bareos/bareos/security/advisories/GHSA-jh55-4wgw-xc9j
Restart Required: Yes
Instructions:
1. Identify your Bareos Director version with `bareos-dir --version`.
2. Upgrade to a fixed version: for 21.x, upgrade to 21.1.0; for 20.x, upgrade to 20.0.6; for 19.x, upgrade to 19.2.12.
3. Restart the Bareos Director service after the upgrade to apply the patch.
🔧 Temporary Workarounds
Disable PAM Authentication
Linux: Disable PAM authentication in the Bareos Director configuration to prevent exploitation of the memory leak.
Edit the Bareos Director configuration file (e.g., /etc/bareos/bareos-dir.conf) and remove or comment out PAM authentication settings, then restart the service.
🧯 If You Can't Patch
- Disable PAM authentication as a temporary measure to eliminate the vulnerability until patching is possible.
- Implement network access controls to restrict access to the Bareos Director and PAM Console, reducing exposure to potential attackers.
🔍 How to Verify
Check if Vulnerable:
Check whether the Bareos Director version is 18.2 or later but below the fixed release for its branch (21.1.0, 20.0.6 or 19.2.12), and verify that PAM authentication is enabled in the configuration.
Check Version:
bareos-dir --version
Verify Fix Applied:
After patching, confirm the version is 21.1.0, 20.0.6, or 19.2.12 (or later), then exercise PAM authentication with a series of deliberately failed logins and confirm the Director's memory usage stays flat.
📡 Detection & Monitoring
Log Indicators:
- Repeated failed PAM authentication attempts in Bareos Director logs, unusual memory usage spikes, or out-of-memory errors in system logs.
Network Indicators:
- Increased network traffic to Bareos Director on authentication ports, especially from suspicious IPs attempting multiple login failures.
SIEM Query:
Example: `source="bareos-dir.log" AND "authentication failed" AND "PAM"` to detect exploitation attempts.
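The version check from "How to Verify" and the repeated-failure detection from "Detection & Monitoring", as an added Python example that is not part of this advisory or of the Bareos project. It assumes `bareos-dir --version` prints a dotted version string, and the log line shape is constructed for the example rather than taken from real Bareos output; adjust `LOG_RE` to your Director's actual format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fixed releases from the vendor advisory; every release from 18.2 up to each
# branch's fix is affected when PAM authentication is enabled.
FIXED = {21: (21, 1, 0), 20: (20, 0, 6), 19: (19, 2, 12)}
FIRST_AFFECTED = (18, 2, 0)

def parse_version(text):
    """Pull (major, minor, patch) out of 'bareos-dir --version' output."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def is_vulnerable(version, pam_enabled):
    """True when the Director is in the affected range and PAM auth is on."""
    if not pam_enabled or version < FIRST_AFFECTED or version[0] > 21:
        return False
    fixed = FIXED.get(version[0])
    return True if fixed is None else version < fixed  # 18.x has no fixed release

# Assumed line shape (constructed, not Bareos' real format):
# '<date> <time> bareos-dir: PAM authentication failed for user <u> from <src>'
LOG_RE = re.compile(r"^(\S+ \S+) .*PAM authentication failed .* from (\S+)$")

def burst_sources(lines, threshold=5, window_s=60):
    """Sources with >= threshold PAM failures inside any window_s seconds."""
    events = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events[m.group(2)].append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for src, times in events.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1  # slide the window forward past stale events
            if end - start + 1 >= threshold:
                flagged[src] = end - start + 1
                break
    return flagged

SAMPLE_LOG = [  # constructed sample lines: one noisy source, one benign one
    f"2022-03-01 10:00:{s:02d} bareos-dir: PAM authentication failed for user admin from 10.0.0.5"
    for s in (1, 4, 9, 15, 22, 30)
] + ["2022-03-01 10:05:00 bareos-dir: PAM authentication failed for user bob from 10.0.0.9",
     "2022-03-01 10:06:00 bareos-dir: Job started"]
```

`burst_sources(SAMPLE_LOG)` flags only 10.0.0.5, which is the pattern the SIEM query above is meant to surface; a single failed login from 10.0.0.9 stays below the threshold.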
🔗 References
- https://github.com/bareos/bareos/pull/1115
- https://github.com/bareos/bareos/pull/1119
- https://github.com/bareos/bareos/pull/1121
- https://github.com/bareos/bareos/security/advisories/GHSA-jh55-4wgw-xc9j
- https://huntr.dev/bounties/480121f2-bc3c-427e-986e-5acffb1606c5/