Heap-based buffer overflow vulnerability in Netatalk 3.2.0 due to incorrect use of FPLoginExt
CVE-2024-38440

7.5HIGH

Key Information:

Vendor: Netatalk
Status: Netatalk
Vendor: CVE Published:; 16 June 2024

What is CVE-2024-38440?

The vulnerability in Netatalk arises from an off-by-one error leading to a heap-based buffer overflow. This flaw is triggered by improper validation of user-provided data, specifically during the FPLoginExt operation in the BN_bin2bn function located in the file /etc/uams/uams_dhx_pam.c. When certain configurations are in place, the exploitation of this issue may allow reading of adjacent memory, causing a Denial of Service (DoS) under specific heap layouts, particularly when AddressSanitizer (ASAN) is enabled.

References

https://github.com/Netatalk/netatalk/issues/1097

https://github.com/Netatalk/netatalk/blob/90d91a9ac9a7d61...

https://github.com/Netatalk/netatalk/security/advisories/...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 16, 2024
Vulnerability Reserved
Jun 16, 2024

CVE-2024-38440 Data

JSON