CVE-2022-24755: CWE-863: Incorrect Authorization in bareos bareos
Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, it will skip authorization checks completely. Expired accounts and accounts with expired passwords can still login. This problem will affect users that have PAM enabled. Currently there is no authorization (e.g. check for expired or disabled accounts), but only plain authentication (i.e. check if username and password match). Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 implement the authorization check that was previously missing. The only workaround is to make sure that authentication fails if the user is not authorized.
AI Analysis
Technical Summary
CVE-2022-24755 is a vulnerability in the Bareos open-source backup, archiving, and recovery software affecting the Bareos Director component versions >= 18.2 but prior to 19.2.12, >= 20.0.0 but prior to 20.0.6, and >= 21.0.0 but prior to 21.1.0 when configured to use PAM (Pluggable Authentication Modules) for authentication. The vulnerability arises from an incorrect authorization implementation (CWE-863) where the Bareos Director skips authorization checks entirely after successful authentication. Specifically, the system only verifies that the username and password match (authentication) but does not verify whether the account is authorized to log in, such as checking for expired or disabled accounts. Consequently, accounts with expired passwords or expired/disabled status can still successfully log in and access the system. This flaw effectively bypasses critical authorization controls, potentially allowing unauthorized access to backup management functions. The vulnerability does not require user interaction beyond authentication and affects all users with PAM enabled. The issue was resolved in Bareos Director versions 21.1.0, 20.0.6, and 19.2.12, which implemented proper authorization checks. No known exploits are currently reported in the wild, and no official patches or workarounds beyond upgrading to fixed versions or ensuring authentication fails for unauthorized users are documented. This vulnerability impacts the confidentiality and integrity of backup data by potentially allowing unauthorized users to access or manipulate backup operations due to missing authorization enforcement.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the security of backup and recovery infrastructure. Bareos is widely used in enterprise and public sector environments for critical data protection. Unauthorized access to the Bareos Director could allow attackers or unauthorized insiders to view, modify, or delete backup configurations and data, potentially leading to data loss, data corruption, or exposure of sensitive information. This risk is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized access to personal data backups could result in compliance violations and substantial fines. Additionally, compromised backup systems could be leveraged to disrupt business continuity or facilitate ransomware attacks by tampering with backup availability or integrity. The lack of authorization checks means that even accounts that should be disabled or expired remain active, increasing the attack surface and risk of insider threats or credential misuse. Organizations relying on PAM authentication for Bareos Director are particularly vulnerable until they upgrade to patched versions or implement strict authentication failure policies. The impact extends to the availability of backup services if unauthorized users disrupt backup schedules or recovery processes.
Mitigation Recommendations
1. Immediate upgrade of Bareos Director to versions 21.1.0, 20.0.6, or 19.2.12 or later, which include proper authorization checks. 2. If upgrading is not immediately possible, enforce strict PAM policies to ensure that authentication fails for expired, disabled, or unauthorized accounts, effectively preventing login despite the Bareos authorization flaw. 3. Audit all Bareos Director user accounts to identify and disable any expired or inactive accounts manually. 4. Implement network segmentation and access controls to restrict Bareos Director access only to trusted administrative hosts and users. 5. Monitor Bareos Director logs for unusual login activity, especially from accounts that should be expired or disabled. 6. Employ multi-factor authentication (MFA) at the PAM level to reduce the risk of credential misuse. 7. Regularly review and update PAM configuration to ensure it enforces authorization policies correctly. 8. Conduct security awareness training for administrators managing Bareos to recognize and respond to suspicious activity related to backup systems. 9. Consider deploying intrusion detection systems (IDS) to detect anomalous access patterns to backup infrastructure.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Austria
CVE-2022-24755: CWE-863: Incorrect Authorization in bareos bareos
Description
Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, it will skip authorization checks completely. Expired accounts and accounts with expired passwords can still login. This problem will affect users that have PAM enabled. Currently there is no authorization (e.g. check for expired or disabled accounts), but only plain authentication (i.e. check if username and password match). Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 implement the authorization check that was previously missing. The only workaround is to make sure that authentication fails if the user is not authorized.
AI-Powered Analysis
Technical Analysis
CVE-2022-24755 is a vulnerability in the Bareos open-source backup, archiving, and recovery software affecting the Bareos Director component versions >= 18.2 but prior to 19.2.12, >= 20.0.0 but prior to 20.0.6, and >= 21.0.0 but prior to 21.1.0 when configured to use PAM (Pluggable Authentication Modules) for authentication. The vulnerability arises from an incorrect authorization implementation (CWE-863) where the Bareos Director skips authorization checks entirely after successful authentication. Specifically, the system only verifies that the username and password match (authentication) but does not verify whether the account is authorized to log in, such as checking for expired or disabled accounts. Consequently, accounts with expired passwords or expired/disabled status can still successfully log in and access the system. This flaw effectively bypasses critical authorization controls, potentially allowing unauthorized access to backup management functions. The vulnerability does not require user interaction beyond authentication and affects all users with PAM enabled. The issue was resolved in Bareos Director versions 21.1.0, 20.0.6, and 19.2.12, which implemented proper authorization checks. No known exploits are currently reported in the wild, and no official patches or workarounds beyond upgrading to fixed versions or ensuring authentication fails for unauthorized users are documented. This vulnerability impacts the confidentiality and integrity of backup data by potentially allowing unauthorized users to access or manipulate backup operations due to missing authorization enforcement.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the security of backup and recovery infrastructure. Bareos is widely used in enterprise and public sector environments for critical data protection. Unauthorized access to the Bareos Director could allow attackers or unauthorized insiders to view, modify, or delete backup configurations and data, potentially leading to data loss, data corruption, or exposure of sensitive information. This risk is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized access to personal data backups could result in compliance violations and substantial fines. Additionally, compromised backup systems could be leveraged to disrupt business continuity or facilitate ransomware attacks by tampering with backup availability or integrity. The lack of authorization checks means that even accounts that should be disabled or expired remain active, increasing the attack surface and risk of insider threats or credential misuse. Organizations relying on PAM authentication for Bareos Director are particularly vulnerable until they upgrade to patched versions or implement strict authentication failure policies. The impact extends to the availability of backup services if unauthorized users disrupt backup schedules or recovery processes.
Mitigation Recommendations
1. Immediate upgrade of Bareos Director to versions 21.1.0, 20.0.6, or 19.2.12 or later, which include proper authorization checks. 2. If upgrading is not immediately possible, enforce strict PAM policies to ensure that authentication fails for expired, disabled, or unauthorized accounts, effectively preventing login despite the Bareos authorization flaw. 3. Audit all Bareos Director user accounts to identify and disable any expired or inactive accounts manually. 4. Implement network segmentation and access controls to restrict Bareos Director access only to trusted administrative hosts and users. 5. Monitor Bareos Director logs for unusual login activity, especially from accounts that should be expired or disabled. 6. Employ multi-factor authentication (MFA) at the PAM level to reduce the risk of credential misuse. 7. Regularly review and update PAM configuration to ensure it enforces authorization policies correctly. 8. Conduct security awareness training for administrators managing Bareos to recognize and respond to suspicious activity related to backup systems. 9. Consider deploying intrusion detection systems (IDS) to detect anomalous access patterns to backup infrastructure.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2022-02-10T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d9848c4522896dcbf632b
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 2:49:36 AM
Last updated: 8/17/2025, 2:39:31 PM
Views: 15
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.