Lucene search

K

Debian DSA-5503-1 : netatalk - security update

Debian DSA-5503-1: netatalk - multiple vulnerabilitie

Show more
Related
Refs
Code
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5503. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(181731);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/23");

  script_cve_id(
    "CVE-2021-31439",
    "CVE-2022-0194",
    "CVE-2022-23121",
    "CVE-2022-23122",
    "CVE-2022-23123",
    "CVE-2022-23124",
    "CVE-2022-23125",
    "CVE-2022-43634",
    "CVE-2022-45188",
    "CVE-2023-42464"
  );

  script_name(english:"Debian DSA-5503-1 : netatalk - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the
dsa-5503 advisory.

  - This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations
    of Synology DiskStation Manager. Authentication is not required to exploit this vulnerablity. The specific
    flaw exists within the processing of DSI structures in Netatalk. The issue results from the lack of proper
    validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can
    leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-12326.
    (CVE-2021-31439)

  - This vulnerability allows remote attackers to execute arbitrary code on affected installations of
    Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within
    the ad_addcomment function. The issue results from the lack of proper validation of the length of user-
    supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this
    vulnerability to execute code in the context of root. Was ZDI-CAN-15876. (CVE-2022-0194)

  - This vulnerability allows remote attackers to execute arbitrary code on affected installations of
    Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within
    the parse_entries function. The issue results from the lack of proper error handling when parsing
    AppleDouble entries. An attacker can leverage this vulnerability to execute code in the context of root.
    Was ZDI-CAN-15819. (CVE-2022-23121)

  - This vulnerability allows remote attackers to execute arbitrary code on affected installations of
    Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within
    the setfilparams function. The issue results from the lack of proper validation of the length of user-
    supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this
    vulnerability to execute code in the context of root. Was ZDI-CAN-15837. (CVE-2022-23122)

  - This vulnerability allows remote attackers to disclose sensitive information on affected installations of
    Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within
    the getdirparams method. The issue results from the lack of proper validation of user-supplied data, which
    can result in a read past the end of an allocated buffer. An attacker can leverage this in conjunction
    with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-CAN-15830.
    (CVE-2022-23123)

  - This vulnerability allows remote attackers to disclose sensitive information on affected installations of
    Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within
    the get_finderinfo method. The issue results from the lack of proper validation of user-supplied data,
    which can result in a read past the end of an allocated buffer. An attacker can leverage this in
    conjunction with other vulnerabilities to execute arbitrary code in the context of root. Was ZDI-
    CAN-15870. (CVE-2022-23124)

  - This vulnerability allows remote attackers to execute arbitrary code on affected installations of
    Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within
    the copyapplfile function. When parsing the len element, the process does not properly validate the length
    of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage
    this vulnerability to execute code in the context of root. Was ZDI-CAN-15869. (CVE-2022-23125)

  - This vulnerability allows remote attackers to execute arbitrary code on affected installations of
    Netatalk. Authentication is not required to exploit this vulnerability. The specific flaw exists within
    the dsi_writeinit function. The issue results from the lack of proper validation of the length of user-
    supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this
    vulnerability to execute code in the context of root. Was ZDI-CAN-17646. (CVE-2022-43634)

  - Netatalk through 3.1.13 has an afp_getappl heap-based buffer overflow resulting in code execution via a
    crafted .appl file. This provides remote root access on some platforms such as FreeBSD (used for TrueNAS).
    (CVE-2022-45188)

  - A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before
    3.1.17. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary
    where the keys are character strings, and the values can be any of the supported types in the underlying
    protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns
    the object associated with a key, a malicious actor may be able to fully control the value of the pointer
    and theoretically achieve Remote Code Execution on the host. This issue is similar to CVE-2023-34967.
    (CVE-2023-42464)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1051066");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/netatalk");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2023/dsa-5503");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-31439");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-0194");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23121");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23122");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23123");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23124");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-23125");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-43634");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-45188");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2023-42464");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/netatalk");
  script_set_attribute(attribute:"solution", value:
"Upgrade the netatalk packages.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-31439");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2023-42464");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/05/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/09/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:netatalk");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(11)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + debian_release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '11.0', 'prefix': 'netatalk', 'reference': '3.1.12~ds-8+deb11u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'netatalk');
}

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo