CVE-2022-24756: CWE-401: Missing Release of Memory after Effective Lifetime in bareos bareos

Medium
Published: Tue Mar 15 2022 (03/15/2022, 14:40:21 UTC)
Source: CVE
Vendor/Project: bareos
Product: bareos

Description

Bareos is open source software for backup, archiving, and recovery of data for operating systems. When Bareos Director >= 18.2 but prior to 21.1.0, 20.0.6, and 19.2.12 is built and configured for PAM authentication, a failed PAM authentication will leak a small amount of memory. An attacker that is able to use the PAM Console (i.e. by knowing the shared secret or via the WebUI) can flood the Director with failing login attempts, which will eventually lead to an out-of-memory condition in which the Director will not work anymore. Bareos Director versions 21.1.0, 20.0.6 and 19.2.12 contain a bug fix for this problem. Users who are unable to upgrade may disable PAM authentication as a workaround.

AI-Powered Analysis

Last updated: 06/22/2025, 02:37:43 UTC

Technical Analysis

CVE-2022-24756 is a medium-severity vulnerability affecting the Bareos Director component of the Bareos open-source backup, archiving, and recovery software. The vulnerability is a missing release of memory after its effective lifetime (CWE-401). It is present when Bareos Director versions from 18.2 up to but not including 19.2.12, from 20.0.0 up to but not including 20.0.6, and from 21.0.0 up to but not including 21.1.0 are built and configured to use PAM (Pluggable Authentication Modules) for authentication. In this configuration, every failed PAM authentication attempt leaks a small amount of memory. An attacker who has access to the PAM Console, either by knowing the shared secret or via the WebUI, can exploit this by flooding the Director with repeated failed login attempts. Over time, the accumulated leaks lead to an out-of-memory condition that causes the Bareos Director to stop functioning, effectively a denial-of-service (DoS) condition. The vulnerability requires no user interaction beyond the ability to send authentication requests, but it does require knowledge of the shared secret or access to the WebUI, which implies some level of prior access or credential compromise. The issue has been fixed in Bareos Director versions 21.1.0, 20.0.6, and 19.2.12. For users unable to upgrade, disabling PAM authentication is recommended as a temporary workaround. There are no known exploits in the wild at this time, and no CVSS score has been assigned to this vulnerability.

Potential Impact

For European organizations relying on Bareos for backup and recovery, this vulnerability poses a risk primarily in the form of denial-of-service attacks against their backup infrastructure. Successful exploitation can cause the Bareos Director to exhaust its memory resources and become unresponsive, potentially interrupting backup and recovery operations. This disruption could lead to data protection gaps, delayed recovery from incidents, and increased operational risk. Organizations in sectors with stringent data retention and recovery requirements—such as finance, healthcare, and critical infrastructure—may face compliance and operational challenges if backup services are disrupted. Additionally, if an attacker can repeatedly trigger this condition, it may serve as a diversion or precursor to more sophisticated attacks. The requirement for access to the PAM Console or knowledge of the shared secret limits the attack surface, but insider threats or compromised credentials could facilitate exploitation. Given the widespread use of Bareos in European enterprises and public sector organizations, the impact could be significant if not mitigated.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading Bareos Director to versions 21.1.0, 20.0.6, or 19.2.12, which contain the official fix. If immediate upgrading is not feasible, disabling PAM authentication on the Bareos Director is a recommended workaround to prevent memory leaks from failed PAM authentication attempts. Organizations should also audit and restrict access to the PAM Console and WebUI interfaces, ensuring that shared secrets and credentials are securely managed and rotated regularly. Implementing network-level controls such as IP whitelisting or VPN access for management interfaces can reduce exposure. Monitoring authentication logs for unusual patterns of failed login attempts can help detect potential exploitation attempts early. Additionally, organizations should consider deploying resource limits or memory usage monitoring on the Bareos Director host to detect and respond to abnormal memory consumption promptly. Regular backups of configuration and system state should be maintained to facilitate recovery in case of service disruption.
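As an added example that is not part of the advisory or of the Bareos project's code, the following Python detector implements the log-monitoring recommendation above: it counts failed PAM logins per source inside a sliding window and raises one alert per source that reaches a threshold, separating a handful of mistyped passwords from the sustained flood this vulnerability needs. The log-line format, host name, user names and addresses are constructed for illustration; the regex must be adapted to the real Director log wording.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for the CONSTRUCTED line format used in SAMPLE_LOG below. Real
# Bareos Director output differs; adjust this before running on live logs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+: "
    r"PAM authentication failed for user (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_failures(lines):
    """Yield (timestamp, user, source) for each failed-PAM-login line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]

def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return one alert per source whose failures inside `window` reach
    `threshold`, as (source, failures_in_window, time_of_alert).
    Scattered typos stay below the threshold; a flood aimed at exhausting
    the Director's memory crosses it within seconds."""
    recent = defaultdict(deque)   # source -> failure timestamps in window
    alerted = set()
    alerts = []
    for ts, _user, src in parse_failures(lines):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # expire events outside the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, len(q), ts))
    return alerts

# Constructed sample: two typos from 10.0.0.5, then a flood from 10.0.0.99.
SAMPLE_LOG = [
    "2022-03-15 14:40:01 bareos-dir: PAM authentication failed for user alice from 10.0.0.5",
    "2022-03-15 14:42:30 bareos-dir: PAM authentication failed for user alice from 10.0.0.5",
] + [
    f"2022-03-15 14:45:{i:02d} bareos-dir: PAM authentication failed for user admin from 10.0.0.99"
    for i in range(12)
]

if __name__ == "__main__":
    for src, n, when in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {when:%H:%M:%S} {src}: {n} failed PAM logins within 60s")
```

Pair the alert with memory-usage monitoring of the Director process: a burst of failures followed by steadily rising resident memory is the signature of this leak being exercised.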

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-02-10T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9848c4522896dcbf6331

Added to database: 5/21/2025, 9:09:28 AM

Last enriched: 6/22/2025, 2:37:43 AM

Last updated: 8/12/2025, 2:45:06 PM

Views: 16
