CVE-2024-38439

9.8 CRITICAL

📋 TL;DR

CVE-2024-38439 is a critical heap-based buffer overflow in Netatalk's PAM authentication module (uams_pam.so). Because the flaw sits in the login path, an unauthenticated attacker can reach it to crash the service or gain remote code execution. All systems running a vulnerable Netatalk version with PAM authentication enabled are affected.

💻 Affected Systems

Products:
  • Netatalk
Versions: All versions before 2.4.1, 3.1.19, and 3.2.1
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations with the PAM authentication module (uams_pam.so) enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution with root privileges, allowing complete system compromise and lateral movement within the network.

🟠 Likely Case: Service crash leading to denial of service, or remote code execution with the privileges of the Netatalk process.

🟢 If Mitigated: Denial of service if exploit attempts are blocked or fail, with no code execution.

🌐 Internet-Facing: HIGH - Netatalk services exposed to the internet are directly vulnerable to remote exploitation.
🏢 Internal Only: HIGH - Internal attackers or compromised systems can exploit this vulnerability to escalate privileges or move laterally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in the authentication flow, allowing unauthenticated attackers to trigger the buffer overflow during login attempts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.1, 3.1.19, or 3.2.1

Vendor Advisory: https://netatalk.io/security/CVE-2024-38439

Restart Required: Yes

Instructions:

1. Stop the Netatalk service.
2. Update to a patched version using the package manager or compile from source.
3. Restart the Netatalk service.

🔧 Temporary Workarounds

Disable PAM authentication (Linux)

Remove or disable the vulnerable uams_pam.so module in the Netatalk configuration:

Edit /etc/netatalk/afp.conf and remove 'uams_pam.so' from the 'uam list' option
Restart netatalk: systemctl restart netatalk

🧯 If You Can't Patch

  • Implement network segmentation to isolate Netatalk servers from critical systems
  • Deploy intrusion prevention systems (IPS) to detect and block exploit attempts

🔍 How to Verify

Check if Vulnerable:

Check Netatalk version with 'netatalk -v' or 'afpd -v' and compare against affected versions

Check Version:

netatalk -v 2>/dev/null || afpd -v 2>/dev/null || dpkg -l | grep netatalk || rpm -qa | grep netatalk

Verify Fix Applied:

Confirm the installed version is at least the fixed release for its branch: 2.4.1, 3.1.19, or 3.2.1 (or later)
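The version check above is easy to get wrong by hand (3.1.2 sorts after 3.1.19 as a string, and dpkg/rpm output carries packaging suffixes). The script below is an added example, not code from the advisory or from the Netatalk project: it pulls the version number out of whatever the page's version command chain prints, compares it field by field against the fixed release of its branch, and also checks whether afp.conf still lists uams_pam.so. The branch mapping (2.x against 2.4.1, 3.0/3.1 against 3.1.19, 3.2 and later 3.x against 3.2.1, 4.x and later treated as patched) is an assumption made here from the three fixed releases the advisory names; the sample version string and config file are constructed.

```shell
#!/bin/sh
# Added example: classify an installed Netatalk against CVE-2024-38439 fixed releases.
# Branch -> fixed release mapping below is an assumption derived from the advisory.
FIXED_2X="2.4.1"
FIXED_31="3.1.19"
FIXED_32="3.2.1"

# Pull the first X.Y.Z number out of arbitrary text ("afpd 3.1.12 - ..." -> "3.1.12").
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B, comparing each field as a number
# (so 3.1.19 > 3.1.2, which a plain string comparison gets wrong).
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$2" | cut -d. -f"$i"); y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# assess_version TEXT: print "vulnerable", "patched" or "unknown" for the version in TEXT.
assess_version() {
    v=$(extract_version "$1")
    [ -n "$v" ] || { echo unknown; return 0; }
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    case "$major" in
        0|1) echo vulnerable; return 0 ;;                   # predates every fixed branch
        2)   fixed="$FIXED_2X" ;;
        3)   if [ "$minor" -le 1 ]; then fixed="$FIXED_31"; else fixed="$FIXED_32"; fi ;;
        *)   echo patched; return 0 ;;                      # 4.x+ assumed to post-date all fixes
    esac
    if version_ge "$v" "$fixed"; then echo patched; else echo vulnerable; fi
}

# pam_uam_enabled CONF: succeed when a non-comment line of CONF still references
# uams_pam.so, i.e. the workaround (remove it from 'uam list') has not been applied.
pam_uam_enabled() {
    grep -v '^[[:space:]]*[;#]' "$1" | grep -q 'uams_pam\.so'
}

# report VERSION_TEXT CONF: one-line summary combining both checks.
report() {
    state=$(assess_version "$1")
    if pam_uam_enabled "$2"; then pam=enabled; else pam=disabled; fi
    echo "netatalk=$(extract_version "$1") status=$state uams_pam=$pam"
}

# live_version_text: the advisory's own version command chain, for use on a real host:
#   report "$(live_version_text)" /etc/netatalk/afp.conf
live_version_text() {
    netatalk -v 2>/dev/null || afpd -v 2>/dev/null \
        || dpkg -l 2>/dev/null | grep netatalk || rpm -qa 2>/dev/null | grep netatalk
}

# --- constructed sample input (not output captured from a real host) ---
SAMPLE_VERSION_OUTPUT="afpd 3.1.12 - Apple Filing Protocol (AFP) daemon of Netatalk"
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[Global]
; uam list = uams_dhx2.so uams_pam.so   <- commented out, must not count
uam list = uams_dhx2.so uams_pam.so
EOF

report "$SAMPLE_VERSION_OUTPUT" "$SAMPLE_CONF"   # netatalk=3.1.12 status=vulnerable uams_pam=enabled
rm -f "$SAMPLE_CONF"
```

A result of status=vulnerable with uams_pam=enabled means neither the patch nor the workaround is in place; status=vulnerable with uams_pam=disabled means the workaround is active but the fixed release should still be installed.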

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts with malformed credentials
  • Netatalk service crashes or restarts

Network Indicators:

  • Unusual traffic to Netatalk port 548/tcp (AFP) or 427/udp (SLP)

SIEM Query:

source="netatalk.log" AND ("authentication failed" OR "segmentation fault" OR "buffer overflow")
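For hosts whose logs are not forwarded to a SIEM, the same three indicators can be applied locally. The script below is an added example, not code from the advisory or from Netatalk: it counts matches for the advisory's own strings in a log file, flags a burst of failed logins or any crash marker, and breaks failed logins down by source address. The sample log lines are constructed for this example and do not reproduce Netatalk's real log format; the "from <addr>" convention used to extract the source is part of that constructed sample.

```shell
#!/bin/sh
# Added example: local counterpart of the advisory's SIEM query.

# count_matches FILE PATTERN: number of lines matching PATTERN case-insensitively, 0 if none.
count_matches() {
    n=$(grep -ic "$2" "$1") || true   # grep -c prints 0 but exits 1 when nothing matches
    echo "${n:-0}"
}

# scan_netatalk_log FILE THRESHOLD: counts for each indicator plus a verdict.
# More than THRESHOLD failed logins, or any crash marker at all, is worth a look.
scan_netatalk_log() {
    auth=$(count_matches "$1" "authentication failed")
    segv=$(count_matches "$1" "segmentation fault")
    bof=$(count_matches "$1" "buffer overflow")
    verdict=clean
    if [ "$auth" -gt "$2" ] || [ "$segv" -gt 0 ] || [ "$bof" -gt 0 ]; then verdict=investigate; fi
    echo "auth_failed=$auth segfault=$segv overflow=$bof verdict=$verdict"
}

# failed_login_sources FILE: failed-login count per source address, busiest first.
# Assumes each failure line carries "from <addr>" (a convention of the constructed sample).
failed_login_sources() {
    grep -i "authentication failed" "$1" | sed -n 's/.*from \([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# --- constructed sample log (not real Netatalk output) ---
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jun 10 09:00:01 fileserver afpd[1201]: login user alice from 10.0.0.5 ok
Jun 10 09:00:03 fileserver afpd[1201]: PAM authentication failed for user alice from 10.0.0.5
Jun 10 09:00:04 fileserver afpd[1201]: PAM authentication failed for user guest from 10.0.0.99
Jun 10 09:00:04 fileserver afpd[1201]: PAM authentication failed for user guest from 10.0.0.99
Jun 10 09:00:05 fileserver afpd[1201]: PAM authentication failed for user guest from 10.0.0.99
Jun 10 09:00:05 fileserver kernel: afpd[1201]: segmentation fault at 0 in uams_pam.so
Jun 10 09:00:06 fileserver systemd[1]: netatalk.service: Main process exited, code=killed, status=11/SEGV
EOF

scan_netatalk_log "$SAMPLE_LOG" 3    # auth_failed=4 segfault=1 overflow=0 verdict=investigate
failed_login_sources "$SAMPLE_LOG"   # 3 from 10.0.0.99, 1 from 10.0.0.5
rm -f "$SAMPLE_LOG"
```

A crash marker immediately after a run of failed logins from one address is the pattern the advisory's log and network indicators describe together; on a real host, pair this with the service-restart events from the init system.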

🔗 References