Netatalk CVE-2018-1160 Arbitrary Code Execution Vulnerability

Bugtraq ID:	106301
Class:	Input Validation Error
CVE:	CVE-2018-1160
Remote:	Yes
Local:	No
Published:	Dec 20 2018 12:00AM
Updated:	Dec 20 2018 12:00AM
Credit:	Jacob Baines
Vulnerable:	Slackware Slackware Linux 14.2 Slackware Slackware Linux 14.1 Slackware Slackware Linux 14.0 Netatalk Netatalk 3.1.11 Netatalk Netatalk 3.1 Netatalk Netatalk 2.0.4 Netatalk Netatalk 3.0 Netatalk Netatalk 2.2 Debian Linux 6.0 sparc Debian Linux 6.0 s/390 Debian Linux 6.0 powerpc Debian Linux 6.0 mips Debian Linux 6.0 ia-64 Debian Linux 6.0 ia-32 Debian Linux 6.0 ia-30 Debian Linux 6.0 arm Debian Linux 6.0 amd64 Debian Linux 6
Not Vulnerable:	Netatalk Netatalk 3.1.12

Netatalk CVE-2018-1160 Arbitrary Code Execution Vulnerability

Netatalk is prone to an arbitrary code-execution vulnerability.

A remote attacker may exploit this issue to execute arbitrary code in the context of the affected application. Failed attempts will likely cause a denial-of-service condition.

Versions prior to Netatalk 3.1.12 are vulnerable.

Netatalk CVE-2018-1160 Arbitrary Code Execution Vulnerability

The researcher has created a proof-of-concept to demonstrate the issue. Please see the references for more information.

Netatalk CVE-2018-1160 Arbitrary Code Execution Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Netatalk CVE-2018-1160 Arbitrary Code Execution Vulnerability

References:

• Netatalk 3.1.12 (Netatalk)
  
• Netatalk Authentication Bypass (Tenable)
  
• Netatalk Homepage (Netatalk)
  
• Tenable POC (Tenable)
  
• [R2] Netatalk Out-of-bounds Write (Tenable)
  
• DSA-4356-1 netatalk -- security update (Debian)