CVE-2022-0194
📋 TL;DR
CVE-2022-0194 is a critical stack-based buffer overflow vulnerability in Netatalk's ad_addcomment function that allows unauthenticated remote attackers to execute arbitrary code as root. This affects Netatalk installations that are exposed to network access. The vulnerability stems from improper length validation of user-supplied data before copying to a fixed buffer.
💻 Affected Systems
- Netatalk
📦 What is this software?
Netatalk, developed by the Netatalk project, is an open-source implementation of the Apple Filing Protocol (AFP) that lets Unix-like systems serve files to Apple clients.
⚠️ Risk & Real-World Impact
Worst Case
Remote unauthenticated attacker gains full root-level code execution on the vulnerable system, potentially leading to complete system compromise, data theft, and lateral movement.
Likely Case
Remote code execution leading to system compromise, installation of backdoors, cryptocurrency miners, or ransomware.
If Mitigated
If proper network segmentation and access controls are in place, impact is limited to the affected Netatalk service and potentially the host system.
🎯 Exploit Status
ZDI published advisory ZDI-22-530 with technical details. The vulnerability is straightforward to exploit due to lack of authentication requirements.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.13 and later
Vendor Advisory: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
Restart Required: Yes
Instructions:
1. Update Netatalk to version 3.1.13 or later using your distribution's package manager.
2. Restart the Netatalk service.
3. Verify the update was successful.
🔧 Temporary Workarounds
Disable Netatalk Service
Temporarily disable the Netatalk AFP service if immediate patching is not possible.
sudo systemctl stop netatalk
sudo systemctl disable netatalk
Network Segmentation
Restrict network access to the Netatalk service using firewall rules.
sudo iptables -A INPUT -p tcp --dport 548 -j DROP
sudo iptables -A INPUT -p udp --dport 548 -j DROP
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to trusted IP addresses only.
- Monitor for exploitation attempts and unusual process activity on affected systems.
🔍 How to Verify
Check if Vulnerable:
Check Netatalk version with: netatalk -v or dpkg -l | grep netatalk
Check Version:
netatalk -v
Verify Fix Applied:
Verify version is 3.1.13 or higher (the pattern also accepts 3.1.20 and later, 3.2.x and 4.x): netatalk -v | grep -Eq '3\.1\.(1[3-9]|[2-9][0-9])|3\.[2-9]\.|[4-9]\.[0-9]' && echo 'Patched'
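A numeric version comparison is less error-prone than a grep pattern that enumerates release numbers, because it keeps working for 3.1.20 and later or 4.x. The script below is an added example, not part of the original advisory; it assumes the version string is the output of `netatalk -v` (or `afpd -V`) collected per host, and the hostnames and output wording in the sample are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# First Netatalk release carrying the fix for CVE-2022-0194 (per the vendor release notes).
FIXED_VERSION = (3, 1, 13)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first dotted version from version-command output.

    Accepts strings such as "netatalk 3.1.12" or "afpd 3.1.13 - ...";
    a missing patch component is treated as 0. Returns None if no version is found.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_patched(text: str) -> Optional[bool]:
    """True if the reported version is >= 3.1.13, False if older, None if unparsable.

    Tuple comparison also accepts 3.1.20+ and 4.x, which a pattern listing only
    3.1.13 through 3.1.19 and 3.2 through 3.9 would wrongly report as unpatched.
    """
    version = parse_version(text)
    if version is None:
        return None
    return version >= FIXED_VERSION


def check_hosts(outputs: Dict[str, str]) -> Dict[str, str]:
    """Map each host's version output to 'patched', 'vulnerable' or 'unknown'."""
    labels = {True: "patched", False: "vulnerable", None: "unknown"}
    return {host: labels[is_patched(out)] for host, out in outputs.items()}


if __name__ == "__main__":
    # Constructed sample outputs (hostnames and wording are made up for the demo).
    sample = {
        "fileserver-1": "netatalk 3.1.12 - Netatalk AFP server service controller daemon",
        "fileserver-2": "netatalk 3.1.13 - Netatalk AFP server service controller daemon",
        "fileserver-3": "afpd 3.1.20 - Apple Filing Protocol (AFP) daemon of Netatalk",
        "fileserver-4": "netatalk 4.0.1",
        "fileserver-5": "bash: netatalk: command not found",
    }
    for host, status in check_hosts(sample).items():
        print(f"{host}: {status}")
```

Distribution packages (for example the Debian builds covered by DSA-5503 in the references) may backport the fix without changing the upstream version string, so for distro-supplied Netatalk check the distribution advisory rather than the bare version number.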
📡 Detection & Monitoring
Log Indicators:
- Unusual connection attempts to port 548 (AFP)
- Process crashes of netatalk service
- Suspicious shell commands from netatalk process
Network Indicators:
- Unusual traffic patterns to/from port 548
- Exploit payload patterns in network traffic
SIEM Query:
source="netatalk.log" AND ("segmentation fault" OR "buffer overflow" OR "ad_addcomment")
🔗 References
- https://lists.debian.org/debian-lts-announce/2023/05/msg00018.html
- https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html
- https://security.gentoo.org/glsa/202311-02
- https://www.debian.org/security/2023/dsa-5503
- https://www.zerodayinitiative.com/advisories/ZDI-22-530/
- https://www.kb.cert.org/vuls/id/709991