CVE-2022-24755 is a vulnerability in the Bareos open-source backup, archiving, and recovery software affecting the Bareos Director component versions >= 18.2 but prior to 19.2.12, >= 20.0.0 but prior to 20.0.6, and >= 21.0.0 but prior to 21.1.0 when configured to use PAM (Pluggable Authentication Modules) for authentication. The vulnerability arises from an incorrect authorization implementation (CWE-863) where the Bareos Director skips authorization checks entirely after successful authentication. Specifically, the system only verifies that the username and password match (authentication) but does not verify whether the account is authorized to log in, such as checking for expired or disabled accounts. Consequently, accounts with expired passwords or expired/disabled status can still successfully log in and access the system. This flaw effectively bypasses critical authorization controls, potentially allowing unauthorized access to backup management functions. The vulnerability does not require user interaction beyond authentication and affects all users with PAM enabled. The issue was resolved in Bareos Director versions 21.1.0, 20.0.6, and 19.2.12, which implemented proper authorization checks. No known exploits are currently reported in the wild, and no official patches or workarounds beyond upgrading to fixed versions or ensuring authentication fails for unauthorized users are documented. This vulnerability impacts the confidentiality and integrity of backup data by potentially allowing unauthorized users to access or manipulate backup operations due to missing authorization enforcement.

For European organizations, this vulnerability poses a significant risk to the security of backup and recovery infrastructure. Bareos is widely used in enterprise and public sector environments for critical data protection. Unauthorized access to the Bareos Director could allow attackers or unauthorized insiders to view, modify, or delete backup configurations and data, potentially leading to data loss, data corruption, or exposure of sensitive information. This risk is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized access to personal data backups could result in compliance violations and substantial fines. Additionally, compromised backup systems could be leveraged to disrupt business continuity or facilitate ransomware attacks by tampering with backup availability or integrity. The lack of authorization checks means that even accounts that should be disabled or expired remain active, increasing the attack surface and risk of insider threats or credential misuse. Organizations relying on PAM authentication for Bareos Director are particularly vulnerable until they upgrade to patched versions or implement strict authentication failure policies. The impact extends to the availability of backup services if unauthorized users disrupt backup schedules or recovery processes.

1. Immediate upgrade of Bareos Director to versions 21.1.0, 20.0.6, or 19.2.12 or later, which include proper authorization checks. 2. If upgrading is not immediately possible, enforce strict PAM policies to ensure that authentication fails for expired, disabled, or unauthorized accounts, effectively preventing login despite the Bareos authorization flaw. 3. Audit all Bareos Director user accounts to identify and disable any expired or inactive accounts manually. 4. Implement network segmentation and access controls to restrict Bareos Director access only to trusted administrative hosts and users. 5. Monitor Bareos Director logs for unusual login activity, especially from accounts that should be expired or disabled. 6. Employ multi-factor authentication (MFA) at the PAM level to reduce the risk of credential misuse. 7. Regularly review and update PAM configuration to ensure it enforces authorization policies correctly. 8. Conduct security awareness training for administrators managing Bareos to recognize and respond to suspicious activity related to backup systems. 9. Consider deploying intrusion detection systems (IDS) to detect anomalous access patterns to backup infrastructure.