Critical memory leak and authorization vulnerability in Bareos, a backup and archiving solution

Information security specialists report the detection of two vulnerabilities in Bareos open-source software to back up, archive and restore files on the main operating systems. According to the report, the successful exploitation of these flaws would allow the deployment of dangerous hacking tasks.

Below are brief descriptions of the reported flaws, as well as their respective tracking keys and scores according to the Common Vulnerability Scoring System (CVSS).

CVE-2022-24756: A memory leak during PAM authentication in the Bareos Director component would allow remote threat actors to force a denial of service (DoS) attack on the affected system.  

The vulnerability received a CVSS score of 6.5/10 and is considered a medium severity flaw, as mentioned by information security specialists.

CVE-2022-24755: On the other hand, this flaw exists due to improper authorization during PAM authentication in the Bareos Director component, which would allow remote malicious hackers to evade authentication and gain administrative access to the affected system.

Because this flaw would allow privilege escalation attacks to be performed, it is considered a severe error and was assigned a CVSS score of 7.1/10.

According to the report, the vulnerabilities reside in all versions of Bareos between v19.2.4 and v21.0.1.

While these vulnerabilities can be exploited by remote threat actors not authenticated over the Internet, no malicious exploitation attempts associated with these reports have been detected so far. Still, the developers of Bareos recommend users of affected deployments to apply the available patches as soon as possible.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.