Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to '\0' in FPMapName in afp_mapname in etc/afpd/directory.c. 2.4.1 and 3.1.19 are also fixed versions.
The vulnerability occurs in the afp_mapname function in the file etc/afpd/directory.c, where setting ibuf[len] to a null character ('\0') extends one byte beyond the proper buffer boundary (off-by-one error, CWE-193). This results in writing one byte beyond the allocated heap area, causing a heap-based buffer overflow. Since the vulnerability is accessible over the network without authentication and requires no user interaction, an attacker can send a specially crafted AFP request to the Netatalk service, triggering the vulnerable code path.
An attacker can gain full control of the system, including access to sensitive data, ability to modify data, and cause service unavailability (high impact on confidentiality, integrity, and availability).
Netatalk should be updated to version 3.2.1, 2.4.1, or 3.1.19 (depending on the branch used). If immediate update is not possible, it is recommended to restrict access to the AFP service (port 548/TCP) exclusively to trusted hosts using a firewall or ACL lists.
Netatalk in versions prior to 3.2.1; patched versions include 2.4.1 and 3.1.19
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNetatalk
APPNetatalk3.2.02.0.0 – 2.4.1 (bez)3.0 – 3.1.19 (bez)
Related vulnerabilities
Netatalk: heap-based buffer overflow w obsłudze logowania FPLoginExt
A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.1...
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Au...
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Au...
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk. Au...