CVE-2022-23123

9.8 CRITICAL

📋 TL;DR

CVE-2022-23123 is a critical out-of-bounds read vulnerability in Netatalk's getdirparams method that allows unauthenticated remote attackers to read sensitive memory contents. This information disclosure can be combined with other vulnerabilities to achieve remote code execution as root. All systems running vulnerable versions of Netatalk are affected.

💻 Affected Systems

Products:
  • Netatalk
Versions: before 3.1.13
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Netatalk is commonly used for Apple Filing Protocol (AFP) file sharing on Unix/Linux systems.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution as root leading to complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case

Information disclosure that enables attackers to bypass ASLR and combine with other vulnerabilities for code execution.

🟢 If Mitigated

Limited information disclosure with no code execution if proper network segmentation and exploit mitigations are in place.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation makes internet-facing Netatalk instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, this vulnerability can be exploited by attackers who gain network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

ZDI-CAN-15830 indicates coordinated vulnerability disclosure. While no public PoC exists, the vulnerability is well-documented and likely weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Netatalk 3.1.13 and later

Vendor Advisory: https://netatalk.sourceforge.io/3.1/ReleaseNotes3.1.13.html

Restart Required: Yes

Instructions:

1. Stop the Netatalk service.
2. Update to Netatalk 3.1.13 or later using your distribution's package manager.
3. Restart the Netatalk service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Disable Netatalk Service

Temporarily disable Netatalk if immediate patching isn't possible:

sudo systemctl stop netatalk
sudo systemctl disable netatalk

Network Segmentation

Restrict access to Netatalk's AFP port (typically 548/tcp) using firewall rules. iptables evaluates rules in order and -A appends to the end of the chain, so the ACCEPT rule for the trusted network must be added before the DROP rule; in the opposite order the DROP matches first and trusted clients are blocked too. Replace trusted_network with the CIDR of your trusted network:

sudo iptables -A INPUT -p tcp --dport 548 -s trusted_network -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 548 -j DROP

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to Netatalk services
  • Deploy exploit mitigation technologies like ASLR and stack canaries if not already enabled

🔍 How to Verify

Check if Vulnerable:

Check Netatalk version with 'netatalk -v' or 'dpkg -l | grep netatalk' or 'rpm -qa | grep netatalk'

Check Version:

netatalk -v 2>/dev/null || dpkg -l | grep netatalk || rpm -qa | grep netatalk

Verify Fix Applied:

Confirm version is 3.1.13 or higher with 'netatalk -v' and check service is running properly
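The version check above is easy to get wrong with a plain string comparison (3.1.9 sorts after 3.1.13 lexically). As an added example that is not part of the advisory, the POSIX shell functions below pull the first X.Y.Z token out of whatever the version command printed and compare it field by field against 3.1.13; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the advisory): decide whether a Netatalk
# version string is older than the fixed release 3.1.13.

FIXED_VERSION="3.1.13"

# Extract the first X.Y.Z token from arbitrary text, e.g. the output of
# `netatalk -v`, `dpkg -l | grep netatalk` or `rpm -qa | grep netatalk`.
# Prints nothing if no such token is present.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 if version $1 is strictly older than version $2, 1 otherwise.
# Each dotted field is compared as an integer, not as a string.
version_lt() {
    a1=$(printf '%s' "$1" | cut -d. -f1); b1=$(printf '%s' "$2" | cut -d. -f1)
    a2=$(printf '%s' "$1" | cut -d. -f2); b2=$(printf '%s' "$2" | cut -d. -f2)
    a3=$(printf '%s' "$1" | cut -d. -f3); b3=$(printf '%s' "$2" | cut -d. -f3)
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ] && return 0
    return 1
}

# Return 0 (vulnerable) if the text names a Netatalk version below 3.1.13,
# 1 if the version is at or above the fix, 2 if no version could be parsed.
netatalk_vulnerable() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Typical call on a live host (the command chain is the advisory's own):
#   netatalk_vulnerable "$(netatalk -v 2>/dev/null || dpkg -l | grep netatalk || rpm -qa | grep netatalk)"
```

Exit status 2 means the version could not be determined and the host needs manual inspection rather than being marked as fixed.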

📡 Detection & Monitoring

Log Indicators:

  • Unusual connection attempts to AFP port 548
  • Multiple failed directory listing attempts
  • Memory access errors in system logs

Network Indicators:

  • Unusual traffic patterns to port 548/tcp
  • Multiple connection attempts from single sources
  • Abnormal AFP protocol requests

SIEM Query:

dest_port:548 AND (event_type:connection_attempt OR protocol:afp) AND NOT trusted_source

The field names are placeholders to map onto your SIEM's schema. Connections to the AFP service carry 548 as the destination port (the source port is ephemeral on the client side), so filter on the destination port rather than the source port.
