Avviso sulla sicurezza dei prodotti ASUSTOR

AS-2022-006: Netatalk

2022-05-06

Severity

Important

Status

Resolved

Statement

The Netatalk development team disclosed multiple fixed vulnerabilities affecting earlier versions of the software on the latest release of Netatalk 3.1.13: CVE-2021-31439, CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125 and CVE-2022-0194.

Netatalk 3.1.13 has been updated on ADM 4.0.5.RT42 and ADM 3.5.9.RT42 to resolve these issues.

Affected Products

Product	Severity	Fixed Release Availability
ADM 4.0	Important	Upgrade to 4.0.5.RT42 or above.
ADM 3.5	Important	Upgrade to 3.5.9.RT42 or above.

Mitigation

Netatalk provides file access through AFP (Apple Filing Protocol) on ADM. AFP service has been disabled by default since ADM 4.0. We recommend using SMB protocol instead when connecting from macOS.

For ASUSTOR NAS not yet upgraded to ADM 3.5.9.RT42 or above, administrators can disable AFP service to mitigate the specific vulnerabilities. In environments where AFP is still needed, setting up firewall rules to only allow trusted clients to connect over AFP (port 548) can be used as temporary mitigation.

Detail

CVE-2021-31439
- Severity: Important
- This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.
CVE-2022-23121, CVE-2022-23122, CVE-2022-23123, CVE-2022-23124, CVE-2022-23125, CVE-2022-0194
- Severity: Important
- ** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

Reference

Revision

Revision	Date	Description
1	2022-04-26	Initial public release.
2	2022-05-05	Update mitigation information.
3	2022-05-06	Release ADM 4.0.5.RT42 and ADM 3.5.9.RT42 to update Netatalk version for fixing the issues.

Personale a Casa

Utente Casa Power

Da Utente Power ad Azienda

Piccole e medie aziende

Tutti I prodotti

Accessori

Applicazioni Desktop

AS-2022-006: Netatalk

Important

Resolved

Statement

Affected Products

Mitigation

Detail

Reference

Revision

Serve Aiuto?

ASUSTOR Online

Riguardo a noi

Altri servizi

Personale a Casa

Utente Casa Power

Da Utente Power ad Azienda

Piccole e medie aziende

Unità di espansione

Tutti I prodotti

Accessori

NAS Guida agli acquisti

Cosa è ADM

ADM Beta Program

Applicazioni NAS

Prova ora il sistema operativo

Funzioni

Soluzioni

Gli utenti privati ​​/ Creatori di contenuti

Applicazioni Desktop

App mobili

NOVITÀ

Cosa è Surveillance Center

Prova ora il sistema operativo

Surveillance Beta Program

Funzioni

Serve Aiuto?

Serve Aiuto?

Strumenti

ASUSTOR Online

Altri servizi

Sicurezza

Regioni

Altri servizi

Diventa nostro partner

ricerca

AS-2022-006: Netatalk

Important

Resolved

Statement

Affected Products

Mitigation

Detail

Reference

Revision

Serve Aiuto?

ASUSTOR Online

Riguardo a noi

Altri servizi

Gli utenti privati / Creatori di contenuti