Netatalk Security Advisory
| Subject | Heap out-of-bounds write in directory.c |
|---|---|
| CVE ID# | CVE-2024-38441 |
| Date | 2024/06/28 |
| Versions | 3.2.0, 3.0.0 - 3.1.18, 2.0.0 - 2.4.0 |
| Summary | Lack of user input validation can lead to an out-of-bounds heap write |
Description
This vulnerability originates in /etc/afp/directory.c and stems from inadequate validation of the length field after parsing user data, leading to an out-of-bounds heap write of one byte (\0). In specific configurations, this results in writing to the metadata of the next heap block, which could allow an attacker to execute code with root privileges.
The vulnerability is located in the FPMapName operation of Netatalk's afpd daemon, in the afp_mapname function. It may be triggered when logging in with the Guest user authentication module.
The vulnerable code paths were added in the 2.0.0 release of Netatalk, when the user login flow was rewritten to accommodate the AFP v3 protocol specification.
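As an added illustration of the defect class this advisory describes (an unchecked length field followed by a NUL terminator written past a heap buffer), the following is a hypothetical parser written for this page, not Netatalk's own code: it copies a length-prefixed name from a client packet into a fixed-size heap buffer and only accepts the length if the buffer also has room for the terminator.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical example, not Netatalk's afp_mapname: copy a
 * length-prefixed name from an untrusted packet into dst and
 * NUL-terminate it. Returns 0 on success, -1 if the field is
 * truncated or does not fit in dst together with its terminator. */
int copy_name_checked(const uint8_t *pkt, size_t pktlen,
                      char *dst, size_t dstlen)
{
    if (pkt == NULL || dst == NULL || pktlen < 1 || dstlen < 1)
        return -1;

    size_t namelen = pkt[0];            /* untrusted length byte */

    if (pktlen - 1 < namelen)           /* field runs past the packet */
        return -1;

    /* Reserve one byte for the terminator. A check of only
     * namelen > dstlen would still let dst[namelen] = '\0' land one
     * byte past the end of the buffer when namelen == dstlen. */
    if (namelen >= dstlen)
        return -1;

    memcpy(dst, pkt + 1, namelen);
    dst[namelen] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample packet: length byte 3 followed by "abc". */
    const uint8_t pkt[] = { 3, 'a', 'b', 'c' };
    char *buf = malloc(4);               /* exactly 3 chars + '\0' */
    if (buf == NULL)
        return 1;
    int rc = copy_name_checked(pkt, sizeof pkt, buf, 4);
    printf("rc=%d name=%s\n", rc, rc == 0 ? buf : "(rejected)");
    free(buf);
    return rc == 0 ? 0 : 1;
}
```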
Patch Availability
Apply the patch with git hash 77b5d99 to hotfix your local Netatalk deployment.
Additionally, Netatalk 2.4.1, 3.1.19, and 3.2.1 have been released, which include the security patch. Netatalk administrators are advised to upgrade to one of these versions or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (7.3)
Workaround
Disable the uams_guest.so authentication module in your afp.conf file.
Credits
Vulnerability found and reported by:
flysoar
Patch developed by:
Daniel Markstedt of the Netatalk team