CVE-2018-1160
published 2018-12-20


Priority: P184 (critical, 9.8, CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 86.54% (99.7th percentile)
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

Affected

11 ranges

Vendor   | Product             | Version range                  | Fixed in
---------|---------------------|--------------------------------|---------------------------
debian   | debian_linux        |                                |
debian   | netatalk            | < netatalk 2.2.6-2 (bullseye)  | netatalk 2.2.6-2 (bullseye)
netatalk | netatalk            | < 3.1.12                       | 3.1.12
netatalk | netatalk            |                                |
netatalk | netatalk            | >= 0 < 2.2.6-2                 | 2.2.6-2
netatalk | netatalk            | >= 0 < 2.2.6-2                 | 2.2.6-2
netatalk | netatalk            | >= 0 < 2.2.6-2                 | 2.2.6-2
synology | diskstation_manager | >= 5.2 < 5.2-5967-9            | 5.2-5967-9
synology | diskstation_manager | >= 6.1 < 6.1.7-15284-3         | 6.1.7-15284-3
synology | diskstation_manager | >= 6.2 < 6.2.1-23824-4         | 6.2.1-23824-4
synology | router_manager      | >= 1.2 < 1.2-7742-5            | 1.2-7742-5

Detection & IOCs (extracted from sources)

port: 548
command: DSI OpenSession command byte \x04 (open session command) with attnquant option \x01 and an oversized length to trigger the OOB write in dsi_opensess.c
bytes: DSI OpenSession exploit payload: \x00\x04\x00\x01\x00\x00\x00\x00\x00\x00\x00\x1a\x00\x00\x00\x00\x01\x18\xad\xaa\xaa\xba\xef\xbe\xad\xde\xfe\xca\x1d\xc0\xce\xfa\xed\xfe
bytes: DSI OpenSession PoC payload: \x00\x00\x40\x00\x00\x00\x00\x00 + 0xdeadbeef + 0xfeedface + 0x63b660
  • The exploit targets TCP port 548 (AFP/DSI protocol). Monitor for unauthenticated DSI OpenSession packets (command byte 0x04) containing an attnquant option (0x01) with an oversized length field that exceeds bounds; this is the trigger for the OOB write in dsi_opensess.c.
  • Detect exploitation attempts by looking for DSI OpenSession packets on port 548 where the attnquant option byte (0x01) is followed by a length byte of 0x18 (24 bytes) and the payload contains recognizable canary values such as \xad\xaa\xaa\xba, \xef\xbe\xad\xde, \xfe\xca\x1d\xc0, or \xce\xfa\xed\xfe used to overwrite internal Netatalk structures.
  • After the exploit's DSI OpenSession phase, watch for a follow-up AFP command packet (DSI command byte 0x02) with AFP function index byte 0x11 (25th entry in pre_auth table), which is used to invoke arbitrary code via the overwritten commands pointer; this two-stage pattern (OpenSession exploit + AFP 0x11 dispatch) is characteristic of CVE-2018-1160 exploitation.
  • The vulnerability is in dsi_opensess.c; any crash or unexpected termination of the Netatalk afpd process following a DSI OpenSession request from an unauthenticated source should be treated as a potential exploitation attempt.
  • The hardcoded memory addresses in the exploit (preauth_switch_base, afp_getsrvrparms, etc.) are specific to a Netatalk build compiled for x86_64 Seagate NAS OS. Exploiting other targets requires re-deriving these addresses, meaning byte-signature detection based on these specific addresses will only match the Seagate-targeted variant.
  • The vulnerability affects Netatalk versions before 3.1.12. Debian resolved it in package version 2.2.6-2 across bullseye, forky, sid, and trixie. Detection and patching scope should account for both upstream and downstream package versioning differences.
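As an added illustration of the detection pattern above (not code from the page's sources or from Netatalk), a small parser for the DSI OpenSession option list that reports the oversized attnquant option instead of matching the Seagate-specific address bytes. The 16-byte DSI header layout follows the DSI protocol; the 4-byte limit on the attention-quantum field is an assumption about Netatalk's DSI state, not something the page states; the sample packets are constructed from the payload bytes quoted above plus a benign session request.

```python
import struct

DSI_HEADER_LEN = 16        # flags, command, requestID, dataOffset, totalDataLength, reserved
DSI_OPENSESSION = 0x04     # DSI command byte for OpenSession (see the IOCs above)
DSIOPT_ATTNQUANT = 0x01    # attention-quantum option type
# Assumption (not stated on this page): the attention quantum is a 4-byte field
# in Netatalk's DSI state, so an attnquant option longer than 4 bytes overruns it.
ATTNQUANT_MAX_LEN = 4

# Constructed samples: the first reproduces the payload bytes quoted above
# (declared length 0x1a, attnquant option length 0x18); the second is a normal
# OpenSession request asking for a 1024-byte attention quantum.
SAMPLE_EXPLOIT = bytes.fromhex(
    "00040001000000000000001a00000000" "0118" "adaaaabaefbeaddefeca1dc0cefaedfe")
SAMPLE_BENIGN = bytes.fromhex("00040001000000000000000600000000" "010400000400")


def parse_dsi_header(pkt):
    """Split a DSI packet into its big-endian header fields and payload."""
    if len(pkt) < DSI_HEADER_LEN:
        raise ValueError("short DSI packet")
    flags, command, req_id, data_off, total_len, _reserved = struct.unpack(
        ">BBHIII", pkt[:DSI_HEADER_LEN])
    return {"flags": flags, "command": command, "request_id": req_id,
            "data_offset": data_off, "total_len": total_len,
            "payload": pkt[DSI_HEADER_LEN:]}


def check_opensession(pkt):
    """Return findings for one client-to-server DSI packet (empty list = clean).
    Only OpenSession requests (flags 0 = request, command 0x04) are inspected,
    i.e. the unauthenticated window the detection bullets describe."""
    hdr = parse_dsi_header(pkt)
    findings = []
    if hdr["flags"] != 0 or hdr["command"] != DSI_OPENSESSION:
        return findings
    payload = hdr["payload"]
    if hdr["total_len"] != len(payload):
        findings.append("declared length %d != payload length %d"
                        % (hdr["total_len"], len(payload)))
    i = 0
    while i + 2 <= len(payload):              # each option is: type, length, data
        opt, olen = payload[i], payload[i + 1]
        if opt == DSIOPT_ATTNQUANT and olen > ATTNQUANT_MAX_LEN:
            findings.append("attnquant option length %d > %d: CVE-2018-1160 trigger"
                            % (olen, ATTNQUANT_MAX_LEN))
        if i + 2 + olen > len(payload):       # option claims more data than is present
            findings.append("option 0x%02x length %d runs past end of packet" % (opt, olen))
            break
        i += 2 + olen
    return findings


if __name__ == "__main__":
    for name, pkt in (("exploit", SAMPLE_EXPLOIT), ("benign", SAMPLE_BENIGN)):
        print(name, check_opensession(pkt) or "clean")
```

Feed it the payload of each TCP/548 segment that arrives before any AFP login; a non-empty result on an OpenSession request is the alert condition, independent of which build the addresses were derived for.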

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|-------------------------------------------
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 10.0  | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C
osv           |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |