Netatalk Security Advisory
| Subject | Arbitrary code execution in dsi_stream_receive |
|---|---|
| CVE ID# | CVE-2021-31439 |
| Date | 2022/03/21 advisory published retroactively; date is approximate |
| Versions | 3.0.0 - 3.1.12 |
| Summary | Lack of limit checking in dsi_stream_receive leads to remote code execution |
Description
This vulnerability allows network-adjacent attackers to execute arbitrary code in Netatalk. Authentication is not required to exploit this vulnerablity. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process.
Patch Availability
Apply the patch with git hash 779717d to hotfix your local Netatalk deployment.
Additionally, Netatalk 3.1.13 has been released which contains the security patch. Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (8.8)
Workaround
None.
Credits
Vulnerability found and reported by:
Angelboy(@scwuaptx) from DEVCORE Security Team
Patch developed by:
Ralph Boehme of the Netatalk and Samba teams
Go back to the Security Policy.
