CVE-2018-1160 - Out-of-bounds Write vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
- EDB-ID:46034
  file: exploits/multiple/remote/46034.py
  last seen: 2018-12-22
  modified: 2018-12-21
  platform: multiple
  port:
  published: 2018-12-21
  reporter: Exploit-DB
  source: https://www.exploit-db.com/download/46034
  title: Netatalk < 3.1.12 - Authentication Bypass
  type: remote

- EDB-ID:46048
  file: exploits/multiple/dos/46048.py
  last seen: 2018-12-25
  modified: 2018-12-21
  platform: multiple
  port:
  published: 2018-12-21
  reporter: Exploit-DB
  source: https://www.exploit-db.com/download/46048
  title: Netatalk - Bypass Authentication
  type: dos

- EDB-ID:46675
  file: exploits/multiple/remote/46675.py
  last seen: 2019-04-08
  modified: 2019-04-08
  platform: multiple
  port:
  published: 2019-04-08
  reporter: Exploit-DB
  source: https://www.exploit-db.com/download/46675
  title: QNAP Netatalk < 3.1.12 - Authentication Bypass
  type: remote
Nessus
- NASL id: SUSE_SU-2018-4217-1.NASL
  NASL family: SuSE Local Security Checks
  description: This update for netatalk fixes the following issues: Security issue fixed: CVE-2018-1160 Fixed a missing bounds check in the handling of the DSI OPEN SESSION request, which allowed an unauthenticated attacker to overwrite memory with data of their choice, leading to arbitrary code execution with root privileges. (bsc#1119540) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 119870
  published: 2018-12-24
  reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/119870
  title: SUSE SLED12 Security Update : netatalk (SUSE-SU-2018:4217-1)
  code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:4217-1.
# The text itself is copyright (C) SUSE.
#

include("compat.inc");

if (description)
{
  script_id(119870);
  script_version("1.4");
  script_cvs_date("Date: 2019/09/10 13:51:50");

  script_cve_id("CVE-2018-1160");
  script_xref(name:"TRA", value:"TRA-2018-48");

  script_name(english:"SUSE SLED12 Security Update : netatalk (SUSE-SU-2018:4217-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote SUSE host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This update for netatalk fixes the following issues :

Security issue fixed :

CVE-2018-1160 Fixed a missing bounds check in the handling of the DSI
OPEN SESSION request, which allowed an unauthenticated to overwrite
memory with data of their choice leading to arbitrary code execution
with root privileges. (bsc#1119540)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable has
attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.suse.com/show_bug.cgi?id=1119540"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.suse.com/security/cve/CVE-2018-1160/"
  );
  # https://www.suse.com/support/update/announcement/2018/suse-su-20184217-1/
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?2e6b0f63"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.tenable.com/security/research/tra-2018-48"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"To install this SUSE Security Update use the SUSE recommended
installation methods like YaST online_update or 'zypper patch'.

Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Workstation Extension 12-SP4:zypper in -t patch
SUSE-SLE-WE-12-SP4-2018-3027=1

SUSE Linux Enterprise Workstation Extension 12-SP3:zypper in -t patch
SUSE-SLE-WE-12-SP3-2018-3027=1

SUSE Linux Enterprise Software Development Kit 12-SP4:zypper in -t
patch SUSE-SLE-SDK-12-SP4-2018-3027=1

SUSE Linux Enterprise Software Development Kit 12-SP3:zypper in -t
patch SUSE-SLE-SDK-12-SP3-2018-3027=1

SUSE Linux Enterprise Desktop 12-SP4:zypper in -t patch
SUSE-SLE-DESKTOP-12-SP4-2018-3027=1

SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
SUSE-SLE-DESKTOP-12-SP3-2018-3027=1"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libatalk12");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:libatalk12-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:netatalk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:netatalk-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:netatalk-debugsource");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
  script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/12/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/24");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);

sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLED12" && (! preg(pattern:"^(3|4)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP3/4", os_ver + " SP" + sp);

flag = 0;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"libatalk12-3.1.0-3.3.1")) flag++;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"libatalk12-debuginfo-3.1.0-3.3.1")) flag++;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"netatalk-3.1.0-3.3.1")) flag++;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"netatalk-debuginfo-3.1.0-3.3.1")) flag++;
if (rpm_check(release:"SLED12", sp:"4", cpu:"x86_64", reference:"netatalk-debugsource-3.1.0-3.3.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libatalk12-3.1.0-3.3.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"libatalk12-debuginfo-3.1.0-3.3.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"netatalk-3.1.0-3.3.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"netatalk-debuginfo-3.1.0-3.3.1")) flag++;
if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"netatalk-debugsource-3.1.0-3.3.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "netatalk");
}
- NASL id: NETATALK_OPEN_SESSION_BOF.NASL
  NASL family: Gain a shell remotely
  description: The Apple Filing Protocol (AFP) server running on the remote host is affected by a remote code execution vulnerability due to a buffer overflow condition when handling an OpenSession request. An unauthenticated, remote attacker can exploit this issue, via a specially crafted message, to execute arbitrary code.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 119780
  published: 2018-12-20
  reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/119780
  title: Netatalk OpenSession Remote Code Execution

- NASL id: OPENSUSE-2018-1614.NASL
  NASL family: SuSE Local Security Checks
  description: This update for netatalk fixes the following issues: Security issue fixed: - CVE-2018-1160 Fixed a missing bounds check in the handling of the DSI OPEN SESSION request, which allowed an unauthenticated attacker to overwrite memory with data of their choice, leading to arbitrary code execution with root privileges. (bsc#1119540)
  last seen: 2020-06-05
  modified: 2018-12-31
  plugin id: 119946
  published: 2018-12-31
  reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/119946
  title: openSUSE Security Update : netatalk (openSUSE-2018-1614)

- NASL id: DEBIAN_DSA-4356.NASL
  NASL family: Debian Local Security Checks
  description: Jacob Baines discovered a flaw in the handling of the DSI Opensession command in Netatalk, an implementation of the AppleTalk Protocol Suite, allowing an unauthenticated user to execute arbitrary code with root privileges.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 119817
  published: 2018-12-21
  reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/119817
  title: Debian DSA-4356-1 : netatalk - security update

- NASL id: SLACKWARE_SSA_2018-355-01.NASL
  NASL family: Slackware Local Security Checks
  description: New netatalk packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix a security issue.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 119853
  published: 2018-12-24
  reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/119853
  title: Slackware 14.0 / 14.1 / 14.2 / current : netatalk (SSA:2018-355-01)

- NASL id: FREEBSD_PKG_9C9023FF905711E9B76400505632D232.NASL
  NASL family: FreeBSD Local Security Checks
  description: NIST reports: Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
  last seen: 2020-06-01
  modified: 2020-06-02
  plugin id: 125935
  published: 2019-06-17
  reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
  source: https://www.tenable.com/plugins/nessus/125935
  title: FreeBSD : netatalk3 -- remote code execution vulnerability (9c9023ff-9057-11e9-b764-00505632d232)
Packetstorm
- PACKETSTORM:150891
  data source: https://packetstormsecurity.com/files/download/150891/netatalk-bypass.txt
  last seen: 2018-12-25
  published: 2018-12-21
  reporter: Jacob Baines
  source: https://packetstormsecurity.com/files/150891/Netatalk-Authentication-Bypass.html
  title: Netatalk Authentication Bypass

- PACKETSTORM:152440
  data source: https://packetstormsecurity.com/files/download/152440/qnapnetatalk-bypass.txt
  last seen: 2019-04-09
  published: 2019-04-05
  reporter: Jacob Baines
  source: https://packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html
  title: QNAP Netatalk Authentication Bypass
Related news
References
- https://www.tenable.com/security/research/tra-2018-48
- https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/
- https://attachments.samba.org/attachment.cgi?id=14735
- http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
- https://www.debian.org/security/2018/dsa-4356
- https://www.exploit-db.com/exploits/46034/
- https://www.synology.com/security/advisory/Synology_SA_18_62
- https://www.exploit-db.com/exploits/46048/
- http://www.securityfocus.com/bid/106301
- https://www.exploit-db.com/exploits/46675/
- http://packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html