CVE-2020-11061 Explained : Impact and Mitigation

Learn about CVE-2020-11061, a heap overflow vulnerability in Bareos Director versions <= 16.2.10, <= 17.2.9, <= 18.2.8, and <= 19.2.7. Find out the impact, affected systems, exploitation mechanism, and mitigation steps.

In Bareos Director versions 16.2.10, 17.2.9, 18.2.8 and 19.2.7 and earlier, a heap overflow vulnerability allows a malicious client to corrupt the director's memory. Disabling verify jobs mitigates the issue; the fix is included in Bareos versions 19.2.8, 18.2.9 and 17.2.10.

Understanding CVE-2020-11061

This CVE involves a heap-based buffer overflow vulnerability in Bareos Director.

What is CVE-2020-11061?

A heap overflow in Bareos Director versions <= 16.2.10, <= 17.2.9, <= 18.2.8, and <= 19.2.7 allows a malicious client to corrupt the director's memory by sending oversized digest strings during the initialization of a verify job.

The Impact of CVE-2020-11061

        CVSS Base Score: 6 (Medium)
        Attack Vector: Network
        Attack Complexity: High
        Privileges Required: Low
        User Interaction: None
        Scope: Changed
        Confidentiality, Integrity, Availability Impact: Low

Technical Details of CVE-2020-11061

This section provides detailed technical information about the vulnerability.

Vulnerability Description

The vulnerability is a heap-based buffer overflow (CWE-122) in Bareos Director.

Affected Systems and Versions

        Affected Product: Bareos Director
        Vendor: Bareos GmbH & Co. KG
        Vulnerable Versions: <= 16.2.10, <= 17.2.9, <= 18.2.8, <= 19.2.7

Exploitation Mechanism

The vulnerability can be exploited by a malicious client sending oversized digest strings during the initialization of a verify job.

Mitigation and Prevention

Protect your systems from CVE-2020-11061 with the following steps:

Immediate Steps to Take

        Disable verify jobs in affected versions.

Long-Term Security Practices

        Regularly update Bareos to patched versions.
        Monitor security advisories for any new vulnerabilities.

Patching and Updates

        Ensure all systems running Bareos Director are updated to versions 19.2.8, 18.2.9, or 17.2.10 to address this vulnerability.
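As an added check that is not part of this advisory or of Bareos's own tooling, the helper below classifies a Bareos Director version string against the affected and fixed versions listed above. It assumes the "<=" bounds are meant per release branch (16.x, 17.x, 18.x, 19.x); the version strings it is fed in the test are constructed.

```python
"""Classify a Bareos Director version string against the CVE-2020-11061 ranges.

Only the version boundaries given in the advisory are used; the per-branch
reading of the "<=" bounds is an assumption of this helper, not the advisory's.
"""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Highest affected release per major version, as listed in the advisory.
AFFECTED_MAX = {16: (16, 2, 10), 17: (17, 2, 9), 18: (18, 2, 8), 19: (19, 2, 7)}
# Fixed release per major version; the advisory lists none for 16.x.
FIXED_IN = {17: (17, 2, 10), 18: (18, 2, 9), 19: (19, 2, 8)}


def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple from text such as 'bareos-dir 18.2.8-2'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> dict:
    """Return affected status (True/False/None) and upgrade advice for a version."""
    v = parse_version(version_text)
    major = v[0]
    if major not in AFFECTED_MAX:
        # Branch not named in the advisory: neither affected nor fixed is asserted.
        return {"version": v, "affected": None, "fixed_in": None,
                "advice": "branch not covered by the advisory"}
    affected = v <= AFFECTED_MAX[major]
    fix: Optional[Version] = FIXED_IN.get(major)
    if not affected:
        advice = "not in the affected range"
    elif fix is not None:
        advice = (f"upgrade to {'.'.join(map(str, fix))} or later; "
                  "disable verify jobs until then")
    else:
        advice = ("no fixed release listed for this branch; disable verify "
                  "jobs and move to a branch with a fix")
    return {"version": v, "affected": affected, "fixed_in": fix, "advice": advice}
```

Feed it the version reported by each Director in an inventory to get a per-host upgrade decision.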
