cbcvebase.
CVE-2022-0194
published 2023-03-28

CVE-2022-0194: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this…

PriorityP271critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
4.41%
90.1th percentile
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the ad_addcomment function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15876.

Affected

13 ranges
VendorProductVersion rangeFixed in
debiandebian_linux
debiandebian_linux
debiannetatalk< netatalk 3.1.12~ds-8+deb11u1 (bullseye)netatalk 3.1.12~ds-8+deb11u1 (bullseye)
netatalknetatalk< 3.1.133.1.13
netatalknetatalk
netatalknetatalk>= 0 < 3.1.12~ds-8+deb11u13.1.12~ds-8+deb11u1
netatalknetatalk>= 0 < 3.1.13~ds-13.1.13~ds-1
netatalknetatalk>= 0 < 3.1.13~ds-13.1.13~ds-1
netatalknetatalk>= 0 < 3.1.12~ds-4ubuntu0.20.04.13.1.12~ds-4ubuntu0.20.04.1
netatalknetatalk>= 0 < 3.1.12~ds-9ubuntu0.22.04.13.1.12~ds-9ubuntu0.22.04.1
netatalknetatalk>= 0 < 2.2.2-1ubuntu2.2+esm12.2.2-1ubuntu2.2+esm1
netatalknetatalk>= 0 < 2.2.5-1ubuntu0.2+esm12.2.5-1ubuntu0.2+esm1
netatalknetatalk>= 0 < 2.2.6-1ubuntu0.18.04.2+esm12.2.6-1ubuntu0.18.04.2+esm1

Detection & IOCsextracted from sources · hover to see the quote

  • The vulnerable function is `ad_addcomment` in Netatalk — monitor for exploitation attempts targeting this function via unauthenticated remote requests to the AFP (Apple Filing Protocol) service
  • No authentication is required to exploit this vulnerability — any unauthenticated connection to the Netatalk AFP service should be treated as potentially malicious and monitored for oversized comment field data
  • Successful exploitation results in code execution as root — monitor for unexpected root-level process spawning from the Netatalk (afpd) daemon process
  • ·Debian bullseye fix is available in version 3.1.12~ds-8+deb11u1; forky, sid, and trixie are fixed in 3.1.13~ds-1 — installations running older versions remain vulnerable

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_ubuntu8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.