CVE-2022-23125
Published 2023-03-28
CVE-2022-23125: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this…
Priority: P1 · 90 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW: VulnCheck KEV
Exploited in the wild
EPSS: 4.35% (90.0th percentile)
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.
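To make the bug class in the description concrete, here is an added C illustration written for this page. It is not Netatalk's `copyapplfile` or any code from the project: a parser reads a length-prefixed entry from untrusted input into a fixed-size stack buffer, once trusting the length field (the CWE-121 pattern the advisory describes) and once bounding it by the destination size before the copy. The record layout (a 2-byte big-endian `len` followed by `len` payload bytes), the `ENTRY_MAX` size, the sample records and all function names are assumptions made for the example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example of CWE-121 (stack-based buffer overflow via an
 * unvalidated length field). It is NOT Netatalk code; the record format
 * (2-byte big-endian len, then len bytes of payload), the buffer size and
 * the function names are assumptions made for this illustration. */

#define ENTRY_MAX 32 /* assumed fixed size of the on-stack entry buffer */

/* Big-endian 16-bit read of the length field. */
static size_t read_be16(const uint8_t *p)
{
    return ((size_t)p[0] << 8) | p[1];
}

/* Vulnerable pattern: the length is checked against the INPUT size only,
 * never against the DESTINATION, so a len above ENTRY_MAX writes past the
 * stack buffer. Returns the byte sum of the entry, or -1 on short input. */
long entry_sum_unchecked(const uint8_t *in, size_t in_len)
{
    uint8_t entry[ENTRY_MAX];
    if (in_len < 2)
        return -1;
    size_t len = read_be16(in);
    if (len + 2 > in_len)
        return -1;                 /* guards the read side only */
    memcpy(entry, in + 2, len);    /* BUG: no check that len <= ENTRY_MAX */
    long sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += entry[i];
    return sum;
}

/* Hardened form: reject any len larger than the destination before copying.
 * Returns the byte sum, -1 on short input, or -2 when len is oversized. */
long entry_sum_checked(const uint8_t *in, size_t in_len)
{
    uint8_t entry[ENTRY_MAX];
    if (in_len < 2)
        return -1;
    size_t len = read_be16(in);
    if (len > ENTRY_MAX)
        return -2;                 /* FIX: bound by the stack buffer size */
    if (len + 2 > in_len)
        return -1;
    memcpy(entry, in + 2, len);
    long sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += entry[i];
    return sum;
}

/* Builds a constructed record: big-endian len, then len copies of fill.
 * Returns the total record size, or 0 if it does not fit in cap. */
size_t make_record(uint8_t *buf, size_t cap, uint16_t len, uint8_t fill)
{
    if ((size_t)len + 2 > cap)
        return 0;
    buf[0] = (uint8_t)(len >> 8);
    buf[1] = (uint8_t)(len & 0xff);
    memset(buf + 2, fill, len);
    return (size_t)len + 2;
}

int main(void)
{
    uint8_t ok[64], big[300];
    size_t n = make_record(ok, sizeof ok, 5, 7);      /* fits in ENTRY_MAX */
    size_t m = make_record(big, sizeof big, 200, 1);  /* exceeds ENTRY_MAX */

    printf("valid entry, checked:   %ld\n", entry_sum_checked(ok, n));    /* 35 */
    printf("valid entry, unchecked: %ld\n", entry_sum_unchecked(ok, n));  /* 35 */
    printf("oversized, checked:     %ld\n", entry_sum_checked(big, m));   /* -2 */
    /* entry_sum_unchecked(big, m) is deliberately not called: it would
     * overflow entry[] and is undefined behaviour. */
    return 0;
}
```

The point of the pair is the order and target of the checks: validating `len` against how many input bytes remain only prevents an over-read; the fix the advisory implies is a separate check of `len` against the size of the destination buffer, done before `memcpy`. The same reasoning gives the detection angle listed below: a `len` value that exceeds the largest legitimate entry size is, on its own, a signal worth alerting on.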
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | netatalk | < netatalk 3.1.12~ds-8+deb11u1 (bullseye) | netatalk 3.1.12~ds-8+deb11u1 (bullseye) |
| netatalk | netatalk | < 3.1.13 | 3.1.13 |
| netatalk | netatalk | — | — |
| netatalk | netatalk | >= 0 < 3.1.12~ds-8+deb11u1 | 3.1.12~ds-8+deb11u1 |
| netatalk | netatalk | >= 0 < 3.1.13~ds-1 | 3.1.13~ds-1 |
| netatalk | netatalk | >= 0 < 3.1.13~ds-1 | 3.1.13~ds-1 |
| netatalk | netatalk | >= 0 < 3.1.12~ds-4ubuntu0.20.04.1 | 3.1.12~ds-4ubuntu0.20.04.1 |
| netatalk | netatalk | >= 0 < 3.1.12~ds-9ubuntu0.22.04.1 | 3.1.12~ds-9ubuntu0.22.04.1 |
| netatalk | netatalk | >= 0 < 2.2.2-1ubuntu2.2+esm1 | 2.2.2-1ubuntu2.2+esm1 |
| netatalk | netatalk | >= 0 < 2.2.5-1ubuntu0.2+esm1 | 2.2.5-1ubuntu0.2+esm1 |
| netatalk | netatalk | >= 0 < 2.2.6-1ubuntu0.18.04.2+esm1 | 2.2.6-1ubuntu0.18.04.2+esm1 |
Detection & IOCs (extracted from sources)
- The vulnerable function is `copyapplfile`. Monitor for exploitation attempts targeting this function in Netatalk, which involves sending a crafted `appl` tag with an oversized `len` element to trigger a stack-based buffer overflow without authentication.
- No authentication is required to exploit this vulnerability. Any unauthenticated network connection to a Netatalk service should be treated as a potential exploitation attempt if followed by anomalous stack activity or root-level process spawning.
- The exploit vector involves crafting a file with a malicious `appl` tag whose length field exceeds the maximum buffer size used by Netatalk, triggering the overflow during a file copy operation. Detect oversized `appl` tag length values in AFP (Apple Filing Protocol) traffic.
- Successful exploitation results in code execution as root. Monitor Netatalk processes for unexpected child process spawning or privilege escalation events (e.g., shells spawned by the Netatalk daemon running as root).
- Debian bullseye users should upgrade to the fixed package version 3.1.12~ds-8+deb11u1; forky, sid, and trixie are fixed in 3.1.13~ds-1.
- This vulnerability does not affect any supported Red Hat product.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 8.8 | HIGH | — |
OSV
netatalk vulnerabilities
osv · 2023-06-08 · CVSS 8.8 · CVE-2021-31439 [HIGH]

It was discovered that Netatalk did not properly validate the length of user-supplied data in the DSI structures. A remote attacker could possibly use this issue to execute arbitrary code with the privileges of the user invoking the programs. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2021-31439)

It was discovered that Netatalk did not properly validate the length of user-supplied data in the ad_addcomment function. A remote attacker could possibly use this issue to execute arbitrary code with root privileges. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-0194)

It was discovered that Netatalk did not properly handle errors when parsing AppleDouble entries. A remote attacker could possibly use this issue to ex
GHSA
GHSA-fv63-w4rc-jg74: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk
ghsa_unreviewed · 2023-03-28 · CVE-2022-23125 [CRITICAL] · CWE-121

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.
OSV
CVE-2022-23125: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk
osv · 2023-03-28 · CVSS 9.8 · CVE-2022-23125 [CRITICAL]

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.
OSV
CVE-2022-23125: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk
osv · 2022-03-21 · CVSS 9.8 · CVE-2022-23125 [CRITICAL]

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.
VulnCheck
netatalk netatalk Stack-based Buffer Overflow
vulncheck · 2022 · CVSS 9.8 · CVE-2022-23125 [CRITICAL]

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.

Affected: netatalk netatalk
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-cana
Ubuntu
Netatalk vulnerabilities
vendor_ubuntu · 2023-06-08 · CVSS 8.8 · CVE-2022-23123 [HIGH]
Summary: Several security issues were fixed in Netatalk.

It was discovered that Netatalk did not properly validate the length of user-supplied data in the DSI structures. A remote attacker could possibly use this issue to execute arbitrary code with the privileges of the user invoking the programs. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2021-31439)

It was discovered that Netatalk did not properly validate the length of user-supplied data in the ad_addcomment function. A remote attacker could possibly use this issue to execute arbitrary code with root privileges. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-0194)

It was discovered that Netatalk did not properly handle errors when parsing AppleDoub
Red Hat
netatalk: Netatalk: Remote Code Execution via Buffer Overflow in copyapplfile function
vendor_redhat · 2023-03-28 · CVSS 9.8 · CVE-2022-23125 [CRITICAL] · CWE-121

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.

A flaw was found in Netatalk. This vulnerability allows remote attackers to execute arbitrary code (Remote Code Execution) in the context of root via improper validation of user-supplied data length prior to copying it
Debian
CVE-2022-23125: netatalk - This vulnerability allows remote attackers to execute arbitrary code on affected...
vendor_debian · 2022 · CVSS 9.8 · CVE-2022-23125 [CRITICAL]

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.

Scope: local
- bullseye: resolved (fixed in 3.1.12~ds-8+deb11u1)
- forky: resolved (fixed in 3.1.13~ds-1)
- sid: resolved (fixed in 3.1.13~ds-1)
- trixie: resolved (fixed in 3.1.13~ds-1)
No detection rules found.
No public exploits indexed.
References
- https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- https://security.gentoo.org/glsa/202311-02
- https://www.debian.org/security/2023/dsa-5503
- https://www.zerodayinitiative.com/advisories/ZDI-22-526/
- https://www.kb.cert.org/vuls/id/709991