CVE-2024-45044
📋 TL;DR
This vulnerability in Bareos allows users to bypass command access controls by using command abbreviations. When negative ACLs are configured to forbid specific commands, users can still execute those commands by using their abbreviated forms. This affects Bareos installations using command ACLs with negative permissions.
💻 Affected Systems
- Bareos
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users could execute restricted administrative commands, potentially compromising backup integrity, accessing sensitive data, or disrupting backup operations.
Likely Case
Users with limited privileges could execute commands they're explicitly forbidden from using, violating the principle of least privilege and potentially accessing backup metadata or configuration information.
If Mitigated
If only positive ACLs are used (allow lists) without any negative permissions, the vulnerability does not apply and there is no impact.
🎯 Exploit Status
Exploitation requires authenticated access to bconsole and knowledge of command abbreviations. The vulnerability is straightforward to exploit once discovered.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 23.0.4, 22.1.6, or 21.1.11
Vendor Advisory: https://github.com/bareos/bareos/security/advisories/GHSA-jfww-q346-r2r8
Restart Required: Yes
Instructions:
1. Identify your Bareos version.
2. Upgrade to the appropriate patched version (23.0.4 for 23.x, 22.1.6 for 22.x, 21.1.11 for 21.x).
3. Restart Bareos services.
4. Verify that ACL enforcement works correctly with command abbreviations.
🔧 Temporary Workarounds
Convert to positive-only ACLs
Replace negative ACLs (deny rules) with positive-only ACLs (allow lists) to eliminate the vulnerability.
# Edit the Bareos Director configuration (Console or Profile resources) to remove negative ACL entries
# Replace an entry such as 'Command ACL = !whoami, *all*' with an explicit allow list of permitted commands
Disable command abbreviations
Configure bconsole to require full command names instead of accepting abbreviations.
# Add 'AutoComplete = no' to the bconsole configuration
# Or configure specific command completion restrictions
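The following is an added example, not Bareos code: a simplified model of console Command ACL evaluation that reproduces the behaviour described in the TL;DR (an ACL string in Bareos style such as `!whoami, *all*` is checked against the token the user typed before the abbreviation is expanded, so `w` or `who` falls through to `*all*`) and shows why the positive-only allow list from the workaround above is unaffected. The command table, the unique-prefix abbreviation rule and the first-match ACL semantics are assumptions of the model.

```python
from typing import List, Optional, Tuple

# Constructed subset of bconsole commands (assumption: the real table is much
# larger; here an abbreviation resolves if it is a unique prefix).
COMMANDS = ["help", "list", "messages", "quit", "status", "whoami"]


def expand(token: str) -> Optional[str]:
    """Resolve an abbreviation to its full command name; None if unknown/ambiguous."""
    matches = [c for c in COMMANDS if c.startswith(token.lower())]
    return matches[0] if len(matches) == 1 else None


def parse_acl(acl: str) -> List[Tuple[bool, str]]:
    """Parse 'status, !whoami, *all*' into ordered (allow, pattern) entries."""
    entries = []
    for item in acl.split(","):
        item = item.strip().lower()
        if item.startswith("!"):
            entries.append((False, item[1:]))
        elif item:
            entries.append((True, item))
    return entries


def acl_permits(acl: str, name: str) -> bool:
    """First matching entry wins; '*all*' matches everything; no match denies."""
    for allow, pattern in parse_acl(acl):
        if pattern == "*all*" or pattern == name:
            return allow
    return False


def vulnerable_check(acl: str, typed: str) -> bool:
    """Flawed order: ACL is evaluated on the typed token, not the expanded name.
    With '!whoami, *all*' the token 'w' matches no deny entry and hits '*all*'."""
    return expand(typed) is not None and acl_permits(acl, typed)


def fixed_check(acl: str, typed: str) -> bool:
    """Corrected order: expand the abbreviation first, then evaluate the ACL."""
    full = expand(typed)
    return full is not None and acl_permits(acl, full)


if __name__ == "__main__":
    negative_acl = "!whoami, *all*"          # deny rule plus wildcard (affected)
    positive_acl = "status, list, messages"  # explicit allow list (workaround)
    for typed in ("whoami", "w", "who", "status"):
        print(typed, vulnerable_check(negative_acl, typed), fixed_check(negative_acl, typed),
              vulnerable_check(positive_acl, typed))
```

Under the flawed ordering only the full name `whoami` is denied, while under the corrected ordering and under the positive-only list every abbreviation of it is denied.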
🧯 If You Can't Patch
- Audit all command ACL configurations and convert negative ACLs to positive-only allow lists
- Implement additional monitoring for command execution patterns and alert on use of restricted command abbreviations
🔍 How to Verify
Check if Vulnerable:
Test whether command abbreviations bypass ACL restrictions:
1. Configure a negative ACL for a command such as 'whoami'.
2. Attempt to execute 'w' or 'who' in bconsole.
3. If the command executes despite the ACL, the system is vulnerable.
Check Version:
bareos-fd -v 2>&1 | grep Version # For Bareos File Daemon
bareos-sd -v 2>&1 | grep Version # For Bareos Storage Daemon
bareos-dir -v 2>&1 | grep Version # For Bareos Director
Verify Fix Applied:
After patching, repeat the test above:
1. Configure a negative ACL for a command.
2. Attempt to use its abbreviations.
3. Verify that the abbreviations are now blocked by the ACL checks.
📡 Detection & Monitoring
Log Indicators:
- Failed ACL checks for abbreviated commands
- Successful execution of commands that should be blocked by ACLs
- Unusual command abbreviation patterns in bconsole logs
Network Indicators:
- bconsole connections followed by unexpected command execution patterns
SIEM Query:
source="bareos*" AND ("ACL denied" OR "command not permitted") AND ("w" OR "who" OR other_abbreviations)