Local Privilege Escalation in Bareos by PID File Manipulation
CVE-2017-14610
7.8 HIGH
What is CVE-2017-14610?
In Bareos, the bareos-dir, bareos-fd, and bareos-sd components create their PID file after dropping privileges to a non-root account, so the file belongs to that account rather than to root. This flaw may permit local users to alter the PID file, which could lead to arbitrary process termination. By leveraging access to the non-root account, an attacker could modify the PID file before a subsequent root script executes a command that terminates processes based on the PID. This presents a significant security risk, allowing the malicious user to disrupt services or compromise system integrity.
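The check a root stop script can make before trusting a PID file, shown as an added example that is not Bareos code. The function name `safe_pid_from_file` and its three parameters are hypothetical, and the sketch assumes Linux with GNU `stat` and `/proc`.

```shell
# Added example, not from Bareos. Assumes Linux, GNU coreutils stat and /proc.
# safe_pid_from_file FILE TRUSTED_UID EXPECTED_EXE
# Prints the PID and returns 0 only when the PID file can be trusted;
# a root script should signal the process only in that case.
safe_pid_from_file() {
    pidfile=$1; trusted_uid=$2; expected_exe=$3

    # Reject symlinks and anything that is not a regular file.
    if [ -L "$pidfile" ] || [ ! -f "$pidfile" ]; then return 1; fi

    # The file must belong to the trusted UID (0 in production). A PID file
    # written after the privilege drop belongs to the service account and
    # fails this check.
    owner=$(stat -c '%u' "$pidfile") || return 1
    [ "$owner" = "$trusted_uid" ] || return 1

    # Octal mode: refuse if the group or other digit has the write bit set.
    mode=$(stat -c '%a' "$pidfile") || return 1
    case $mode in
        *[2367]?|*[2367]) return 1 ;;
    esac

    # The first line must be nothing but decimal digits.
    pid=$(head -n 1 "$pidfile") || return 1
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac

    # The PID must currently belong to the daemon binary we mean to stop.
    exe=$(readlink "/proc/$pid/exe") || return 1
    [ "$exe" = "$expected_exe" ] || return 1

    # A short race remains between this check and the signal being sent;
    # the check narrows the window, it does not close it.
    printf '%s\n' "$pid"
}
```

The directory that holds the PID file needs the same ownership and mode scrutiny, since an account that can write to the directory can replace the file.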