CVE-2018-1160

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 99%
Affected Products (NVD)
VendorProductVersion
netatalknetatalk
𝑥
< 3.1.12
synologyrouter_manager
1.2 ≤
𝑥
< 1.2-7742-5
synologyskynas
-
synologydiskstation_manager
5.2 ≤
𝑥
< 5.2-5967-9
synologydiskstation_manager
6.1 ≤
𝑥
< 6.1.7-15284-3
synologydiskstation_manager
6.2 ≤
𝑥
< 6.2.1-23824-4
synologyvs960hd_firmware
-
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
netatalk
bullseye
3.1.12~ds-8+deb11u1
fixed
bullseye (security)
3.1.12~ds-8+deb11u1
fixed
sid
4.0.3~ds-2
fixed
trixie
4.0.3~ds-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
netatalk
bionic
Fixed 2.2.6-1ubuntu0.18.04.2
released
cosmic
Fixed 2.2.6-1ubuntu0.18.10.2
released
disco
ignored
eoan
not-affected
focal
not-affected
trusty
Fixed 2.2.2-1ubuntu2.2
released
xenial
Fixed 2.2.5-1ubuntu0.2
released
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libatalk12
suse enterprise desktop 12 SP3
3.1.0-3.3.1
fixed
suse enterprise desktop 12 SP4
3.1.0-3.3.1
fixed
suse enterprise sap 12 SP3
3.1.0-3.3.1
fixed
suse enterprise sap 12 SP4
3.1.0-3.3.1
fixed
suse enterprise sap 12 SP5
3.1.0-3.3.1
fixed
suse enterprise server 12 SP3
3.1.0-3.3.1
fixed
suse enterprise server 12 SP4
3.1.0-3.3.1
fixed
suse enterprise server 12 SP5
3.1.0-3.3.1
fixed
suse enterprise workstation 12 SP3
3.1.0-3.3.1
fixed
suse enterprise workstation 12 SP4
3.1.0-3.3.1
fixed
suse enterprise workstation 12 SP5
3.1.0-3.3.1
fixed
netatalk
suse enterprise desktop 12 SP3
3.1.0-3.3.1
fixed
suse enterprise desktop 12 SP4
3.1.0-3.3.1
fixed
suse enterprise sap 12 SP3
3.1.0-3.3.1
fixed
suse enterprise sap 12 SP4
3.1.0-3.3.1
fixed
suse enterprise sap 12 SP5
3.1.0-3.3.1
fixed
suse enterprise server 12 SP3
3.1.0-3.3.1
fixed
suse enterprise server 12 SP4
3.1.0-3.3.1
fixed
suse enterprise server 12 SP5
3.1.0-3.3.1
fixed
suse enterprise workstation 12 SP3
3.1.0-3.3.1
fixed
suse enterprise workstation 12 SP4
3.1.0-3.3.1
fixed
suse enterprise workstation 12 SP5
3.1.0-3.3.1
fixed
Common Weakness Enumeration
References
http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
http://packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html
http://www.securityfocus.com/bid/106301
https://attachments.samba.org/attachment.cgi?id=14735
https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/
https://www.debian.org/security/2018/dsa-4356
https://www.exploit-db.com/exploits/46034/
https://www.exploit-db.com/exploits/46048/
https://www.exploit-db.com/exploits/46675/
https://www.synology.com/security/advisory/Synology_SA_18_62
https://www.tenable.com/security/research/tra-2018-48
http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
http://packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html
http://www.securityfocus.com/bid/106301
https://attachments.samba.org/attachment.cgi?id=14735
https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/
https://www.debian.org/security/2018/dsa-4356
https://www.exploit-db.com/exploits/46034/
https://www.exploit-db.com/exploits/46048/
https://www.exploit-db.com/exploits/46675/
https://www.synology.com/security/advisory/Synology_SA_18_62
https://www.tenable.com/security/research/tra-2018-48