Critical vulnerabilities in Netatalk leading to remote code execution

Netatalk, a server that implements the AppleTalk and Apple Filing Protocol (AFP) network protocols, has six remotely exploitable vulnerabilities that allow code execution as root by sending specially crafted packets. Netatalk is used by many manufacturers of network-attached storage (NAS) devices to provide file sharing and printer access for Apple computers; for example, it was used in Western Digital devices (the problem was resolved there by removing Netatalk from WD firmware). Netatalk is also packaged by many distributions, including OpenWrt (removed as of the OpenWrt 22.03 branch), Debian, Ubuntu, SUSE, Fedora, and FreeBSD, but is not enabled by default. The issues are fixed in the Netatalk 3.1.13 release.

Issues identified:

  • CVE-2022-0194 - The size of external data is not properly checked in ad_addcomment() before it is copied into a fixed-size buffer. The vulnerability allows an unauthenticated remote attacker to execute code as root.
  • CVE-2022-23121 - Incorrect handling of errors in the parse_entries() function that occur while parsing AppleDouble entries. The vulnerability allows an unauthenticated remote attacker to execute code as root.
  • CVE-2022-23122 - The setfilparams() function does not correctly check the size of external data before copying it into a fixed-size buffer. The vulnerability allows an unauthenticated remote attacker to execute code as root.
  • CVE-2022-23124 - The get_finderinfo() function does not properly validate its input, resulting in a read outside the allocated buffer. The vulnerability allows an unauthenticated remote attacker to leak information from process memory. Combined with other vulnerabilities, the bug could also be used to execute code as root.
  • CVE-2022-23125 - No size check is performed on the "len" element parsed in copyapplfile() before data is copied into a fixed-size buffer. The vulnerability allows an unauthenticated remote attacker to execute code as root.
  • CVE-2022-23123 - Missing validation of incoming data in the getdirparams() function, resulting in a read outside the allocated buffer. The vulnerability allows an unauthenticated remote attacker to leak information from process memory.
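The recurring defect in the list above is an attacker-controlled length field that is trusted before data is copied into a fixed-size buffer (CVE-2022-0194, CVE-2022-23122, CVE-2022-23125). The following is an added example, not Netatalk's code, of how such a length-prefixed field should be parsed: the claimed length is bounded against both the destination buffer and the bytes actually received before any copy happens. The field layout, FIELD_MAX, and all function names are hypothetical.

```c
/* Added example, not Netatalk code: parse a length-prefixed field
 * (2-byte big-endian len, then len bytes) into a fixed buffer safely.
 * The layout, FIELD_MAX and all names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 32   /* fixed destination size, constructed for the example */

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

/* Copies at most FIELD_MAX bytes into out; sets *out_len to the payload
 * length and *consumed to the number of input bytes used. On any error,
 * nothing is copied and both counts are zero. */
enum parse_status parse_len_field(const uint8_t *in, size_t in_len,
                                  uint8_t out[FIELD_MAX], size_t *out_len,
                                  size_t *consumed)
{
    *out_len = 0;
    *consumed = 0;
    if (in_len < 2)
        return PARSE_TRUNCATED;      /* not even a complete length field */
    size_t len = ((size_t)in[0] << 8) | in[1];
    if (len > FIELD_MAX)
        return PARSE_TOO_LONG;       /* the check the CVEs above lacked */
    if (len > in_len - 2)
        return PARSE_TRUNCATED;      /* len claims more than was received */
    memcpy(out, in + 2, len);
    *out_len = len;
    *consumed = 2 + len;
    return PARSE_OK;
}

/* Runs the parser over one constructed message and returns its status. */
static int check_message(const uint8_t *msg, size_t msg_len)
{
    uint8_t out[FIELD_MAX];
    size_t n, used;
    return (int)parse_len_field(msg, msg_len, out, &n, &used);
}

/* Constructed messages: a valid field, an oversized len, and a len that
 * exceeds the bytes actually present. */
int demo_valid(void)     { const uint8_t m[] = {0x00, 0x03, 'a', 'b', 'c'}; return check_message(m, sizeof m); }
int demo_oversized(void) { const uint8_t m[] = {0xFF, 0xFF, 'a'};           return check_message(m, sizeof m); }
int demo_truncated(void) { const uint8_t m[] = {0x00, 0x10, 'a', 'b'};      return check_message(m, sizeof m); }
```

The order of the two checks matters: comparing len against the destination first means the subtraction `in_len - 2` is only reached after the length field is known to exist.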

Source: opennet.ru
