CVE-2022-23125
published 2023-03-28

Priority: P1 (90, critical)
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ITW: VulnCheck KEV (Exploited in the wild)
EPSS: 4.35% (90.0th percentile)

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the copyapplfile function. When parsing the len element, the process does not properly validate the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15869.

Affected

13 ranges

Vendor   | Product      | Version range                              | Fixed in
debian   | debian_linux |                                            |
debian   | debian_linux |                                            |
debian   | netatalk     | < netatalk 3.1.12~ds-8+deb11u1 (bullseye)  | netatalk 3.1.12~ds-8+deb11u1 (bullseye)
netatalk | netatalk     | < 3.1.13                                   | 3.1.13
netatalk | netatalk     |                                            |
netatalk | netatalk     | >= 0 < 3.1.12~ds-8+deb11u1                 | 3.1.12~ds-8+deb11u1
netatalk | netatalk     | >= 0 < 3.1.13~ds-1                         | 3.1.13~ds-1
netatalk | netatalk     | >= 0 < 3.1.13~ds-1                         | 3.1.13~ds-1
netatalk | netatalk     | >= 0 < 3.1.12~ds-4ubuntu0.20.04.1          | 3.1.12~ds-4ubuntu0.20.04.1
netatalk | netatalk     | >= 0 < 3.1.12~ds-9ubuntu0.22.04.1          | 3.1.12~ds-9ubuntu0.22.04.1
netatalk | netatalk     | >= 0 < 2.2.2-1ubuntu2.2+esm1               | 2.2.2-1ubuntu2.2+esm1
netatalk | netatalk     | >= 0 < 2.2.5-1ubuntu0.2+esm1               | 2.2.5-1ubuntu0.2+esm1
netatalk | netatalk     | >= 0 < 2.2.6-1ubuntu0.18.04.2+esm1         | 2.2.6-1ubuntu0.18.04.2+esm1

Detection & IOCs (extracted from sources)

  • The vulnerable function is `copyapplfile`. Exploitation involves sending a crafted `appl` tag whose `len` element is oversized, triggering a stack-based buffer overflow without authentication; monitor Netatalk for attempts that target this code path.
  • No authentication is required to exploit this vulnerability. Any unauthenticated network connection to a Netatalk service should be treated as a potential exploitation attempt if it is followed by anomalous stack activity or root-level process spawning.
  • The exploit vector is a file carrying a malicious `appl` tag whose length field exceeds the fixed buffer size used by Netatalk, so the overflow is triggered during a file copy operation. Detect oversized `appl` tag length values in AFP (Apple Filing Protocol) traffic.
  • Successful exploitation results in code execution as root. Monitor Netatalk processes for unexpected child process spawning or privilege escalation events (e.g., shells spawned by the Netatalk daemon running as root).
  • Debian bullseye users should upgrade to the fixed package version 3.1.12~ds-8+deb11u1; forky, sid, and trixie are fixed in 3.1.13~ds-1.
  • This vulnerability does not affect any supported Red Hat product.

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v3.0    | 9.8   | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv           |         | 9.8   | CRITICAL |
vulncheck     |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |
vendor_redhat |         | 9.8   | CRITICAL |
vendor_ubuntu |         | 8.8   | HIGH     |