We use cookies to help us improve our webpage. Please read our Cookie Policy .

ASUSTOR Product Security Advisory

AS-2024-006: Netatalk

2024-09-27

Severity

Important

Status

Resolved

Statement

The Netatalk development team disclosed multiple fixed vulnerabilities affecting earlier versions of the software on the release of Netatalk 3.2.1: CVE-2024-38439, CVE-2024-38440 and CVE-2024-38441.

ADM 4.3 updated with Netatalk 3.2.7 will be released as soon as possible.

  • Netatalk 3.2.7 has been updated on ADM 4.3.2.R9Q2 to resolve the issues.

Affected Products

Product Severity Fixed Release Availability
ADM 4.3, 4.2 and 4.1 Important Upgrade to ADM 4.3.2.R9Q2 or above.

Mitigation

Netatalk provides file access through AFP (Apple Filing Protocol) on ADM. AFP service has been disabled by default on ADM. We recommend using SMB protocol instead when connecting from macOS.


Detail

  • CVE-2024-38439
    • Severity: Important
    • Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[PASSWDLEN] to '\0' in FPLoginExt in login in etc/uams/uams_pam.c. 2.4.1 and 3.1.19 are also fixed versions.
  • CVE-2024-38440
    • Severity: High
    • Netatalk before 3.2.1 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ... The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c ... if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) ... threads ... [#0] Id 1, Name: "afpd", stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV ... [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 ... mov rdx, QWORD PTR [rsp+0x18] ... afp_login_ext(obj=, ibuf=0x62d000010424 "", ibuflen=0xffffffffffff0015, rbuf=, rbuflen=) ... afp_over_dsi(obj=0x5555556154c0 ).' 2.4.1 and 3.1.19 are also fixed versions.
  • CVE-2024-38441
    • Severity: High
    • Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19 are also fixed versions.

Reference


Revision

Revision Date Description
1 2024-09-24 Initial public release.
2 2024-09-27 Release ADM 4.3.2.R9Q2 to update Netatalk version for fixing the issues.