Netatalk Security Advisory
Subject | Heap out-of-bounds write in uams_pam.c |
---|---|
CVE ID# | CVE-2024-38439 |
Date | 2024/06/28 |
Versions | 3.2.0, 3.0.0 - 3.1.18, 1.5.0 - 2.4.0 |
Summary | Lack of user input validation can lead to an out-of-bounds heap write |
Description
The vulnerability is found in uams_dhx_pam.c and is caused by a lack of validation for the length field after parsing user data. This leads to an out-of-bounds heap write of one byte (\0), which can overwrite metadata in the next heap block, potentially allowing code execution in the root context.
The vulnerability is located in the FPLoginExt operation of Netatalk’s afpd daemon, in the afp_mapname function.
It may be triggered when logging in with the PAM-enabled ClearTxt user authentication module.
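A generic illustration of the bug class described above, added here as an example; it is not Netatalk's code or the 77b5d99 patch. The function name, the one-byte length prefix and the buffer sizes are assumptions chosen for the demonstration, and the sample requests are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not Netatalk code: copy a length-prefixed field
 * (one length byte, then that many data bytes) out of a request buffer into
 * a NUL-terminated destination. Returns bytes consumed, or -1 on rejection. */
int read_counted_field(const uint8_t *req, size_t req_len,
                       char *dst, size_t dst_size)
{
    if (req == NULL || dst == NULL || dst_size == 0 || req_len < 1)
        return -1;

    size_t len = req[0];              /* length field comes from the client */

    /* The field must lie entirely inside the bytes actually received. */
    if (len > req_len - 1)
        return -1;

    /* dst needs len bytes plus the terminator. A "len > dst_size" test would
     * let len == dst_size through, and dst[len] = '\0' would then be written
     * one byte past the end of dst: the one-byte heap overwrite class. */
    if (len >= dst_size)
        return -1;

    memcpy(dst, req + 1, len);
    dst[len] = '\0';
    return (int)(len + 1);
}

int main(void)
{
    /* Constructed sample requests: length byte followed by data. */
    const uint8_t fits[]     = { 5, 'a', 'l', 'i', 'c', 'e' };
    const uint8_t boundary[] = { 8, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };
    const uint8_t lying[]    = { 200, 'x', 'y' };   /* claims more than sent */
    char name[8];

    printf("fits:     %d\n", read_counted_field(fits, sizeof fits, name, sizeof name));
    printf("boundary: %d\n", read_counted_field(boundary, sizeof boundary, name, sizeof name));
    printf("lying:    %d\n", read_counted_field(lying, sizeof lying, name, sizeof name));
    return 0;
}
```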
Patch Availability
Apply the patch with git hash 77b5d99 to hotfix your local Netatalk deployment.
Additionally, Netatalk 2.4.1, 3.1.19, and 3.2.1 have been released, each of which includes the security patch. Netatalk administrators are advised to upgrade to one of these versions or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (7.3)
Workaround
Build Netatalk without PAM support, or disable the uams_clrtxt.so authentication module in your afp.conf file.
Credits
Vulnerability found and reported by:
flysoar
Patch developed by:
Daniel Markstedt of the Netatalk team