<div id="content">
<h1>Netatalk Security Advisory</h1>
<dl>
<dt><strong>Subject</strong></dt>
<dd>Heap out-of-bounds write in uams_dhx_pam.c</dd>
<dt><strong>CVE ID</strong></dt>
<dd><a href="https://www.cve.org/CVERecord?id=CVE-2024-38440">CVE-2024-38440</a></dd>
<dt><strong>Date of Publishing</strong></dt>
<dd>2024/06/28</dd>
<dt><strong>Affected Netatalk Versions</strong></dt>
<dd>3.2.0<br>3.0.0 - 3.1.18<br>1.5.0 - 2.4.0</dd>
<dt><strong>Summary</strong></dt>
<dd>Lack of user input validation can lead to an out-of-bounds heap write</dd>
</dl>
<h2>Description</h2>
<p>This vulnerability arises due to a lack of validation for the length field after parsing user-provided data,
leading to an out-of-bounds heap write of one byte (\0). Under specific configurations,
this can result in reading metadata of the next heap block,
potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled.</p>
<p>The vulnerable code paths are thought to have been added in the version 1.5.0
release cycle of Netatalk.</p>
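<p>The class of length check described above, as an added illustration that is not Netatalk's code and not the project's patch. The helper name <code>copy_prefixed_field</code>, the one-byte length prefix, the buffer sizes and the request bytes are assumptions made for this example.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not Netatalk code: copy a field prefixed by a
 * one-byte length out of an untrusted request into a heap buffer of
 * dst_size bytes and NUL-terminate it. Returns the length, or -1. */
static int copy_prefixed_field(const uint8_t *in, size_t in_len,
                               char *dst, size_t dst_size)
{
    if (in == NULL || dst == NULL || in_len < 1 || dst_size < 1)
        return -1;
    size_t len = in[0];                 /* client-controlled length byte */
    if (len > in_len - 1)               /* claims more than was received */
        return -1;
    /* Field plus terminator must fit. Omitting this check, or writing it
     * as len > dst_size, lets the '\0' below land one byte past the end
     * of the allocation. */
    if (len >= dst_size)
        return -1;
    memcpy(dst, in + 1, len);
    dst[len] = '\0';
    return (int)len;
}

/* Constructed input: a request with length byte `claimed` followed by
 * `payload` filler bytes, parsed into a heap buffer of `cap` bytes. */
int demo(size_t cap, uint8_t claimed, uint8_t payload)
{
    uint8_t req[1 + 255];
    char *dst = malloc(cap);
    if (dst == NULL)
        return -1;
    req[0] = claimed;
    memset(req + 1, 'A', payload);
    int r = copy_prefixed_field(req, (size_t)payload + 1, dst, cap);
    if (r >= 0 && strlen(dst) != (size_t)r)
        r = -2;                         /* terminator misplaced */
    free(dst);
    return r;
}

int main(void)
{
    printf("fits: %d\n", demo(8, 7, 7));          /* accepted */
    printf("off by one: %d\n", demo(8, 8, 8));    /* rejected */
    printf("short request: %d\n", demo(8, 3, 2)); /* rejected */
    return 0;
}
```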
<h2>Patch Availability</h2>
<p>Apply the patch with git hash
<a href="https://github.com/Netatalk/netatalk/commit/77b5d99007cfef4d73d76fd6f0c26584891608e5.diff">
77b5d99</a> to hotfix your local Netatalk deployment.</p>
<p>Additionally, Netatalk 2.4.1, 3.1.19, and 3.2.1 have been released with the security patch included.
Netatalk administrators are advised to upgrade to one of these versions or apply the patch as soon as possible.</p>
<h2>CVSS Calculation</h2>
<p>CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (7.3)</p>
<h2>Workaround</h2>
<p>Disable the uams_dhx.so authentication module in your afp.conf file.</p>
<h2>Credits</h2>
<dl>
<dt>Vulnerability found and reported by:</dt>
<dd>flysoar</dd>
<dt>Patch developed by:</dt>
<dd>Daniel Markstedt of the Netatalk team</dd>
</dl>
</div>