Vulnerabilities > CVE-2018-1160 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
netatalk
synology
debian
CWE-787
critical
nessus
exploit available

Summary

Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.

Vulnerable Configurations

Part Description Count
Application
Netatalk
62
Application
Synology
71
OS
Synology
1
OS
Debian
1
Hardware
Synology
1

Common Weakness Enumeration (CWE)

Exploit-Db

  • fileexploits/multiple/remote/46034.py
    idEDB-ID:46034
    last seen2018-12-22
    modified2018-12-21
    platformmultiple
    port
    published2018-12-21
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/46034
    titleNetatalk < 3.1.12 - Authentication Bypass
    typeremote
  • fileexploits/multiple/dos/46048.py
    idEDB-ID:46048
    last seen2018-12-25
    modified2018-12-21
    platformmultiple
    port
    published2018-12-21
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/46048
    titleNetatalk - Bypass Authentication
    typedos
  • fileexploits/multiple/remote/46675.py
    idEDB-ID:46675
    last seen2019-04-08
    modified2019-04-08
    platformmultiple
    port
    published2019-04-08
    reporterExploit-DB
    sourcehttps://www.exploit-db.com/download/46675
    titleQNAP Netatalk < 3.1.12 - Authentication Bypass
    typeremote

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-4217-1.NASL
    descriptionThis update for netatalk fixes the following issues : Security issue fixed : CVE-2018-1160 Fixed a missing bounds check in the handling of the DSI OPEN SESSION request, which allowed an unauthenticated to overwrite memory with data of their choice leading to arbitrary code execution with root privileges. (bsc#1119540) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id119870
    published2018-12-24
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119870
    titleSUSE SLED12 Security Update : netatalk (SUSE-SU-2018:4217-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:4217-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119870);
      script_version("1.4");
      script_cvs_date("Date: 2019/09/10 13:51:50");
    
      script_cve_id("CVE-2018-1160");
      script_xref(name:"TRA", value:"TRA-2018-48");
    
      script_name(english:"SUSE SLED12 Security Update : netatalk (SUSE-SU-2018:4217-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for netatalk fixes the following issues :
    
    Security issue fixed :
    
    CVE-2018-1160 Fixed a missing bounds check in the handling of the DSI
    OPEN SESSION request, which allowed an unauthenticated to overwrite
    memory with data of their choice leading to arbitrary code execution
    with root privileges. (bsc#1119540)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1119540"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-1160/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20184217-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2e6b0f63"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.tenable.com/security/research/tra-2018-48"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Workstation Extension 12-SP4:zypper in -t patch
    SUSE-SLE-WE-12-SP4-2018-3027=1
    
    SUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch
    SUSE-SLE-WE-12-SP3-2018-3027=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t
    patch SUSE-SLE-SDK-12-SP4-2018-3027=1
    
    SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t
    patch SUSE-SLE-SDK-12-SP3-2018-3027=1
    
    SUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP4-2018-3027=1
    
    SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP3-2018-3027=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libatalk12");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libatalk12-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:netatalk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:netatalk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:netatalk-debugsource");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/12/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/24");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLED12" && (! preg(pattern:"^(3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP3/4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"libatalk12-3.1.0-3.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"libatalk12-debuginfo-3.1.0-3.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"netatalk-3.1.0-3.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"netatalk-debuginfo-3.1.0-3.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"netatalk-debugsource-3.1.0-3.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libatalk12-3.1.0-3.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libatalk12-debuginfo-3.1.0-3.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"netatalk-3.1.0-3.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"netatalk-debuginfo-3.1.0-3.3.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"netatalk-debugsource-3.1.0-3.3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "netatalk");
    }
    
  • NASL familyGain a shell remotely
    NASL idNETATALK_OPEN_SESSION_BOF.NASL
    descriptionThe Apple Filing Protocol (AFP) server running on the remote host is affected by a remote code execution vulnerability due to a buffer overflow condition when handling an OpenSession request. An unauthenticated, remote attacker can exploit this issue, via a specially crafted message, to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id119780
    published2018-12-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119780
    titleNetatalk OpenSession Remote Code Execution
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1614.NASL
    descriptionThis update for netatalk fixes the following issues : Security issue fixed : - CVE-2018-1160 Fixed a missing bounds check in the handling of the DSI OPEN SESSION request, which allowed an unauthenticated to overwrite memory with data of their choice leading for arbitrary code execution with root privileges. (bsc#1119540)
    last seen2020-06-05
    modified2018-12-31
    plugin id119946
    published2018-12-31
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119946
    titleopenSUSE Security Update : netatalk (openSUSE-2018-1614)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4356.NASL
    descriptionJacob Baines discovered a flaw in the handling of the DSI Opensession command in Netatalk, an implementation of the AppleTalk Protocol Suite, allowing an unauthenticated user to execute arbitrary code with root privileges.
    last seen2020-06-01
    modified2020-06-02
    plugin id119817
    published2018-12-21
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119817
    titleDebian DSA-4356-1 : netatalk - security update
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2018-355-01.NASL
    descriptionNew netatalk packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id119853
    published2018-12-24
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119853
    titleSlackware 14.0 / 14.1 / 14.2 / current : netatalk (SSA:2018-355-01)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_9C9023FF905711E9B76400505632D232.NASL
    descriptionNIST reports : Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id125935
    published2019-06-17
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125935
    titleFreeBSD : netatalk3 -- remote code execution vulnerability (9c9023ff-9057-11e9-b764-00505632d232)

Packetstorm