CVE-2022-43634 — Heap-based Buffer Overflow in Netatalk

CWE-122 — Heap-based Buffer Overflow6 documents5 sources

Severity

9.8CRITICALNVD

OSV8.8

EPSS

4.0%

top 11.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Netatalk Debian Netatalk

Timeline

PublishedMar 29

Latest updateJun 8

Description

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within the dsi_writeinit function. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-17646.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/netatalk< netatalk 3.1.12~ds-8+deb11u1 (bullseye)

▶Debiannetatalk/netatalk< 3.1.12~ds-8+deb11u1+2

▶Ubuntunetatalk/netatalk< 3.1.12~ds-4ubuntu0.20.04.1+4

▶NVDnetatalk/netatalk3.1.13

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

netatalk vulnerabilities↗2023-06-08

▶

GHSA

GHSA-fwj9-7qq8-jc93: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk↗2023-03-29

▶

OSV

CVE-2022-43634: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk↗2023-03-29

▶

📋Vendor Advisories

Ubuntu

Netatalk vulnerabilities↗2023-06-08

▶

Debian

CVE-2022-43634: netatalk - This vulnerability allows remote attackers to execute arbitrary code on affected...↗2022

▶