CVE-2018-1160
📋 TL;DR
CVE-2018-1160 is a critical vulnerability in Netatalk that allows remote unauthenticated attackers to execute arbitrary code due to an out-of-bounds write in dsi_opensess.c. It affects systems running Netatalk versions before 3.1.12, commonly used for Apple Filing Protocol (AFP) file sharing on Unix-like systems. This can lead to full system compromise if exploited.
💻 Affected Systems
- Netatalk
📦 What is this software?
- Netatalk by Netatalk
- Skynas by Synology
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains full control of the system, enabling data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Attackers exploit the vulnerability to install malware, create backdoors, or disrupt services on vulnerable Netatalk servers.
If Mitigated
With proper network segmentation and access controls, impact is limited to the isolated server, preventing broader network compromise.
🎯 Exploit Status
Exploit code is publicly available, making it easy for attackers to leverage; references include proof-of-concept repositories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.12 or later
Vendor Advisory: http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
Restart Required: Yes
Instructions:
1. Update Netatalk to version 3.1.12 or later using your package manager (e.g., apt-get upgrade netatalk on Debian/Ubuntu).
2. Restart the Netatalk service to apply the patch.
🔧 Temporary Workarounds
Disable Netatalk Service
Temporarily stop and disable the Netatalk service to prevent exploitation until patching is possible.
sudo systemctl stop netatalk
sudo systemctl disable netatalk
Block Network Access
Use firewall rules to restrict access to the Netatalk service (typically TCP/UDP ports 548, 427, and 201-206).
sudo iptables -A INPUT -p tcp --dport 548 -j DROP
sudo iptables -A INPUT -p udp --dport 548 -j DROP
🧯 If You Can't Patch
- Isolate the vulnerable system in a segmented network zone to limit exposure.
- Implement strict access controls and monitor for unusual activity on Netatalk services.
🔍 How to Verify
Check if Vulnerable:
Check the Netatalk version; if it is below 3.1.12, the system is vulnerable.
Check Version:
netatalk -v or dpkg -l | grep netatalk on Debian-based systems
Verify Fix Applied:
After updating, confirm the version is 3.1.12 or later and test that the Netatalk service runs without issues.
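The version check above, as an added example that is not part of the original advisory: it extracts the upstream x.y.z version from a package version string (handling Debian-style epochs, revisions and "~ds" suffixes) and compares it against 3.1.12, and it parses dpkg -l output to find installed netatalk packages. The dpkg output below is constructed for illustration. Caveat: distributions sometimes backport a fix without bumping the upstream version (the Debian advisory in the references fixed older package versions), so a result of "vulnerable" from a pure version comparison should be confirmed against your distribution's changelog.

```python
import re
import subprocess

# First upstream release carrying the fix, per the vendor advisory.
FIXED = (3, 1, 12)


def upstream_version(pkg_version):
    """Return the upstream (major, minor, patch) tuple from a package version string.

    Handles plain "3.1.12", Debian epochs "1:3.1.12-1" and
    revision/suffix forms such as "3.1.12~ds-3+deb10u1".
    """
    m = re.search(r'(?:^|:)(\d+)\.(\d+)\.(\d+)', pkg_version)
    if not m:
        raise ValueError(f"unrecognised version string: {pkg_version!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(pkg_version):
    """True when the upstream version is older than the fixed release.

    Note: a backported distribution fix can make this a false positive.
    """
    return upstream_version(pkg_version) < FIXED


def parse_dpkg_output(text):
    """Return {package: version} for installed ('ii') rows of `dpkg -l`
    whose package name contains 'netatalk'."""
    found = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == 'ii' and 'netatalk' in parts[1]:
            found[parts[1]] = parts[2]
    return found


# Constructed sample of `dpkg -l netatalk` output (not taken from a real host).
SAMPLE_DPKG = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name           Version              Architecture Description
+++-==============-====================-============-=========================
ii  netatalk       3.1.11-1             amd64        AppleTalk user binaries
"""


def assess(text):
    """Map each installed netatalk package to a vulnerable/not-vulnerable verdict."""
    return {pkg: is_vulnerable(ver) for pkg, ver in parse_dpkg_output(text).items()}


if __name__ == "__main__":
    try:
        # On a real Debian-based host, query dpkg directly.
        out = subprocess.run(["dpkg", "-l", "netatalk"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_DPKG  # fall back to the constructed sample
    for pkg, vuln in assess(out or SAMPLE_DPKG).items():
        print(f"{pkg}: {'VULNERABLE (confirm against distro changelog)' if vuln else 'fixed'}")
```

The verdict is only as good as the version string: treat "VULNERABLE" as a prompt to check the package changelog for a backported CVE-2018-1160 fix before acting on it.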
📡 Detection & Monitoring
Log Indicators:
- Unusual connections or errors in Netatalk logs (e.g., /var/log/netatalk.log)
- Failed authentication attempts, or afpd child crashes (e.g., killed by signal 11) that may indicate the out-of-bounds write being triggered; the memory corruption itself does not log an "out of bounds" message
Network Indicators:
- Suspicious traffic to TCP/UDP ports 548, 427, or 201-206 from untrusted sources
SIEM Query:
Example: source="netatalk.log" AND (error OR "out of bounds" OR "dsi_opensess")
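The SIEM query above applied locally, as an added example that is not part of the original advisory: it scans Netatalk log lines for the same indicator terms, additionally treats child-process crash lines ("killed by signal", "segfault") as evidence since a memory-corruption bug is more likely to surface as a crash than as an explicit "out of bounds" message, and flags peers that produce repeated indicator lines. The log lines and the "from <ip>" field are constructed for illustration; real Netatalk log formats vary with the configured log level and syslog setup.

```python
import re
from collections import Counter

# Terms from the advisory's SIEM query plus crash evidence (added here as an assumption).
INDICATORS = re.compile(r'error|out of bounds|dsi_opensess|killed by signal|segfault',
                        re.IGNORECASE)
# Peer address, assuming the line carries one as "from <ipv4>" (constructed format).
PEER = re.compile(r'from (\d{1,3}(?:\.\d{1,3}){3})')


def scan_netatalk_log(lines, threshold=3):
    """Return (hits, noisy_peers).

    hits        - log lines matching any indicator term
    noisy_peers - {ip: count} for peers with at least `threshold` indicator lines
    """
    hits = []
    per_peer = Counter()
    for line in lines:
        if INDICATORS.search(line):
            hits.append(line)
            m = PEER.search(line)
            if m:
                per_peer[m.group(1)] += 1
    noisy = {ip: n for ip, n in per_peer.items() if n >= threshold}
    return hits, noisy


# Constructed sample log (not captured from a real server).
SAMPLE_LOG = """\
Dec 20 10:01:02 fileserver afpd[2310]: AFP3.4 Login by alice
Dec 20 10:02:15 fileserver afpd[2311]: dsi_opensess: error from 203.0.113.7
Dec 20 10:02:16 fileserver afpd[2312]: dsi_opensess: error from 203.0.113.7
Dec 20 10:02:17 fileserver afpd[2313]: dsi_opensess: error from 203.0.113.7
Dec 20 10:05:00 fileserver afpd[2314]: AFP3.4 Login by bob
Dec 20 10:07:42 fileserver netatalk[2300]: child[2313] killed by signal 11
""".splitlines()


if __name__ == "__main__":
    hits, noisy = scan_netatalk_log(SAMPLE_LOG)
    for line in hits:
        print("INDICATOR:", line)
    for ip, n in noisy.items():
        print(f"REPEATED from {ip}: {n} indicator lines (review and consider blocking at the firewall)")
```

Run it against a real log with `scan_netatalk_log(open('/var/log/netatalk.log').readlines())`; tune the indicator terms to the messages your Netatalk build actually emits, and correlate noisy peers with the port 548 network indicators above.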
🔗 References
- http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
- http://packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html
- http://www.securityfocus.com/bid/106301
- https://attachments.samba.org/attachment.cgi?id=14735
- https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/
- https://www.debian.org/security/2018/dsa-4356
- https://www.exploit-db.com/exploits/46034/
- https://www.exploit-db.com/exploits/46048/
- https://www.exploit-db.com/exploits/46675/
- https://www.synology.com/security/advisory/Synology_SA_18_62
- https://www.tenable.com/security/research/tra-2018-48