Netatalk Security Advisory
Subject | Arbitrary code execution in dsi_stream_receive |
---|---|
CVE ID# | CVE-2021-31439 |
Date | 2022/03/21 (advisory published retroactively; date is approximate) |
Versions | 3.0.0 - 3.1.12 |
Summary | Lack of limit checking in dsi_stream_receive leads to remote code execution |
Description
This vulnerability enables network-adjacent attackers to execute arbitrary code in Netatalk without requiring authentication.
The root cause lies in how Netatalk processes DSI structures: the length of user-supplied data is not properly validated before the data is copied into a heap-based buffer.
By exploiting this flaw, an attacker can execute code within the context of the affected process.
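The kind of limit check described above, as an added example that is not Netatalk's code and not the patch itself. It assumes the standard 16-byte DSI header with the total data length in bytes 8 to 11 (network byte order) and a whole message already held in one buffer; the function name `dsi_copy_payload` is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DSI_HDR_LEN 16 /* fixed DSI header size */

/* Read a big-endian (network order) 32-bit value. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical helper, not a Netatalk function: copy the payload of one
 * DSI message held in pkt[0..pkt_len) into out[0..out_cap).
 * Returns the payload bytes copied, or -1 if the message is rejected. */
long dsi_copy_payload(const uint8_t *pkt, size_t pkt_len,
                      uint8_t *out, size_t out_cap) {
    if (pkt_len < DSI_HDR_LEN)
        return -1; /* truncated header */

    /* Header bytes 8..11: total data length, chosen by the sender. */
    uint32_t claimed = be32(pkt + 8);

    /* Limit checks before the copy: the claimed length must fit the
     * destination buffer and must not exceed what was actually received. */
    if (claimed > out_cap || claimed > pkt_len - DSI_HDR_LEN)
        return -1;

    memcpy(out, pkt + DSI_HDR_LEN, claimed);
    return (long)claimed;
}

int main(void) {
    /* Constructed sample: 4 payload bytes sent, header claims 0x1000. */
    uint8_t pkt[DSI_HDR_LEN + 4] = {0};
    uint8_t out[64];
    pkt[10] = 0x10;
    printf("oversized claim: %ld\n",
           dsi_copy_payload(pkt, sizeof pkt, out, sizeof out));
    pkt[10] = 0;
    pkt[11] = 4; /* honest length */
    printf("valid message:   %ld\n",
           dsi_copy_payload(pkt, sizeof pkt, out, sizeof out));
    return 0;
}
```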
Patch Availability
Apply the patch with git hash 779717d to hotfix your local Netatalk deployment.
Additionally, Netatalk 3.1.13 has been released, which contains the security patch. Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (8.8)
Workaround
None.
Credits
Vulnerability found and reported by:
Angelboy (@scwuaptx) from DEVCORE Security Team
Patch developed by:
Ralph Boehme of the Netatalk and Samba teams