What are you looking for ?
Advertise with us
RAIDON

Asustor Security Advisory AS-2024-006: Netatalk Resolved Vunerability

Multiple fixed vulnerabilities affecting earlier versions of software on release of Netatalk 3.2.1

Asustor, Inc. had published a security advisory concerning Netatalk using in ADM NAS OS.

Severity: Important
Status: Ongoing

Statement
The Netatalk development team disclosed multiple fixed vulnerabilities affecting earlier versions of the software on the release of Netatalk 3.2.1: CVE-2024-38439, CVE-2024-38440 and CVE-2024-38441.

ADM 4.3 updated with Netatalk 3.2.7 will be released as soon as possible.

Affected products

Product

Severity

Fixed release availability

ADM 4.1 and above

Important

Ongoing

Mitigation
Netatalk provides file access through AFP (Apple Filing Protocol) on ADM. AFP service has been disabled by default on ADM. We recommend using SMB protocol instead when connecting from macOS.

Detail

  • CVE-2024-38439
    • Severity: Important
    • Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to ‘\0’ in FPLoginExt in login in etc/uams/uams_pam.c. 2.4.1 and 3.1.19 are also fixed versions.
  • CVE-2024-38440
    • Severity: High
    • Netatalk before 3.2.1 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: ‘The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. … The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c … if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) … threads … [#0] Id 1, Name: “afpd”, stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV … [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 … mov rdx, QWORD PTR [rsp+0x18] … afp_login_ext(obj=, ibuf=0x62d000010424 “”, ibuflen=0xffffffffffff0015, rbuf=, rbuflen=) … afp_over_dsi(obj=0x5555556154c0 ).’ 2.4.1 and 3.1.19 are also fixed versions.
  • CVE-2024-38441
    • Severity: High
    • Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to ‘\0’ in FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19 are also fixed versions.

Reference

Revision

Revision

Date

Description

1

2024-09-24

Initial public release

 

Articles_bottom
ExaGrid
AIC
ATTOtarget="_blank"
OPEN-E