Asustor Security Advisory AS-2024-006: Netatalk Resolved Vunerability
Multiple fixed vulnerabilities affecting earlier versions of software on release of Netatalk 3.2.1
This is a Press Release edited by StorageNewsletter.com on October 17, 2024 at 2:00 pmAsustor, Inc. had published a security advisory concerning Netatalk using in ADM NAS OS.
Severity: Important
Status: Ongoing
Statement
The Netatalk development team disclosed multiple fixed vulnerabilities affecting earlier versions of the software on the release of Netatalk 3.2.1: CVE-2024-38439, CVE-2024-38440 and CVE-2024-38441.
ADM 4.3 updated with Netatalk 3.2.7 will be released as soon as possible.
Affected products
Product |
Severity |
Fixed release availability |
---|---|---|
ADM 4.1 and above |
Important |
Ongoing |
Mitigation
Netatalk provides file access through AFP (Apple Filing Protocol) on ADM. AFP service has been disabled by default on ADM. We recommend using SMB protocol instead when connecting from macOS.
Detail
- CVE-2024-38439
- Severity: Important
- Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to ‘\0’ in FPLoginExt in login in etc/uams/uams_pam.c. 2.4.1 and 3.1.19 are also fixed versions.
- CVE-2024-38440
- Severity: High
- Netatalk before 3.2.1 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: ‘The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. … The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c … if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) … threads … [#0] Id 1, Name: “afpd”, stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV … [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 … mov rdx, QWORD PTR [rsp+0x18] … afp_login_ext(obj=, ibuf=0x62d000010424 “”, ibuflen=0xffffffffffff0015, rbuf=, rbuflen=) … afp_over_dsi(obj=0x5555556154c0 ).’ 2.4.1 and 3.1.19 are also fixed versions.
- CVE-2024-38441
- Severity: High
- Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to ‘\0’ in FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19 are also fixed versions.
Reference
Revision
Revision |
Date |
Description |
---|---|---|
1 |
2024-09-24 |
Initial public release |