Netatalk Security Advisory
- Subject
- Heap out-of-bounds write in uams_pam.c
- CVE ID
- CVE-2024-38439
- Date of Publishing
- 2024/06/28
- Affected Netatalk Versions
- 2.0.0 - 2.4.0
3.0.0 - 3.1.18
3.2.0 - Summary
- Lack of user input validation can lead to an out-of-bounds heap write
Description
This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in an out-of-bounds write to the metadata of the next heap block, potentially allowing an attacker to execute code in the root context.
The vulnerability is located in the FPLoginExt operation of Netatalk's afpd daemon, in the afp_mapname function found in /etc/uams/uams_pam.c. It may be triggered when logging in with the Clear Text user authentication module.
Patch Availability
Apply the patch with git hash 77b5d99007cfef4d73d76fd6f0c26584891608e5 to hotfix your local Netatalk deployment.
Additionally, Netatalk 2.4.1, 3.1.19, and 3.2.1 have been released which include the security patch. Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSSv3 Calculation
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (7.3)
Workaround
Disable the uams_clrtxt.so authentication module in your afp.conf file.
Credits
- Exploit found and reported by:
- flysoar
- Patch developed by:
- Daniel Markstedt of the Netatalk Team
