cbcvebase.
CVE-2022-23121
published 2023-03-28

CVE-2022-23121: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this…

PriorityP269critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
8.53%
94.4th percentile
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parse_entries function. The issue results from the lack of proper error handling when parsing AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15819.

Affected

13 ranges
VendorProductVersion rangeFixed in
debiandebian_linux
debiandebian_linux
debiannetatalk< netatalk 3.1.12~ds-8+deb11u1 (bullseye)netatalk 3.1.12~ds-8+deb11u1 (bullseye)
netatalknetatalk< 3.1.133.1.13
netatalknetatalk
netatalknetatalk>= 0 < 3.1.12~ds-8+deb11u13.1.12~ds-8+deb11u1
netatalknetatalk>= 0 < 3.1.13~ds-13.1.13~ds-1
netatalknetatalk>= 0 < 3.1.13~ds-13.1.13~ds-1
netatalknetatalk>= 0 < 3.1.12~ds-4ubuntu0.20.04.13.1.12~ds-4ubuntu0.20.04.1
netatalknetatalk>= 0 < 3.1.12~ds-9ubuntu0.22.04.13.1.12~ds-9ubuntu0.22.04.1
netatalknetatalk>= 0 < 2.2.2-1ubuntu2.2+esm12.2.2-1ubuntu2.2+esm1
netatalknetatalk>= 0 < 2.2.5-1ubuntu0.2+esm12.2.5-1ubuntu0.2+esm1
netatalknetatalk>= 0 < 2.2.6-1ubuntu0.18.04.2+esm12.2.6-1ubuntu0.18.04.2+esm1

Detection & IOCsextracted from sources · hover to see the quote

  • The vulnerable function is `parse_entries` in Netatalk; monitor for crashes or unexpected code execution originating from AppleDouble entry parsing in the Netatalk AFP daemon (afpd), particularly from unauthenticated remote connections.
  • No authentication is required to trigger this vulnerability; any unauthenticated connection to the Netatalk AFP service attempting to send malformed AppleDouble entries should be treated as suspicious.
  • Successful exploitation results in code execution as root; monitor for unexpected root-level process spawning from the Netatalk/afpd process.
  • ·Debian bullseye fix is available; ensure Netatalk is updated to 3.1.12~ds-8+deb11u1 or later on bullseye systems.
  • ·Debian forky, sid, and trixie fix is available; ensure Netatalk is updated to 3.1.13~ds-1 or later.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv9.8CRITICAL
vendor_debian9.8CRITICAL
vendor_ubuntu8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.