Bug 24072 - netatalk new security issue CVE-2018-1160
Summary: netatalk new security issue CVE-2018-1160
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-12-26 01:55 CET by David Walser
Modified: 2019-02-03 20:38 CET

See Also:
Source RPM: netatalk-3.1.11-3.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-12-26 01:55:57 CET
Debian has issued an advisory on December 20:
https://www.debian.org/security/2018/dsa-4356

The issue is fixed upstream in 3.1.12:
http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html

Mageia 6 is also affected.
David Walser 2018-12-26 01:56:04 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-12-26 08:08:23 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Also CC'ing some committers.

CC: (none) => cjw, geiger.david68210, guillomovitch, mageia, marja11, shlomif
Assignee: bugsquad => pkg-bugs

Comment 2 David GEIGER 2018-12-26 10:21:57 CET
Fixed both Cauldron and mga6!
Comment 3 David Walser 2018-12-26 16:08:34 CET
Advisory:
========================

Updated netatalk packages fix security vulnerability:

Jacob Baines discovered a flaw in the handling of the DSI Opensession command in
Netatalk, allowing an unauthenticated user to execute arbitrary code with root
privileges (CVE-2018-1160).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1160
http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
https://www.debian.org/security/2018/dsa-4356
========================

Updated packages in core/updates_testing:
========================
netatalk-3.1.12-1.mga6
libnetatalk18-3.1.12-1.mga6
libnetatalk-devel-3.1.12-1.mga6

from netatalk-3.1.12-1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 4 Lewis Smith 2019-01-06 20:54:51 CET
Another heavy update.
"Netatalk is a freely-available Open Source AFP file server. It also provides a
kernel level implementation of the AppleTalk Protocol Suite. A *NIX/*BSD system
running Netatalk is capable of serving many Macintosh clients simultaneously
as an AppleShare file server (AFP), AppleTalk router, *NIX/*BSD print server,
and for accessing AppleTalk printers via Printer Access Protocol (PAP).
Included are a number of minor printing and debugging utilities."

The 1st CVE ref:
 https://www.exploit-db.com/exploits/46034
lists a lengthy (but very nicely written) C program to drive the software & test the exploit. Not for us, I think.
The 2nd CVE reference:
 https://www.exploit-db.com/exploits/46048
has something much more compact, but enigmatic.

Another CVE ref:
 https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/
looks more promising - if you have the server set up. It references a script:
 https://github.com/tenable/poc/blob/master/netatalk/cve_2018_1160/pea.py
with a "Usage example" of same; and on the same local network, so it might work for same machine. Perhaps to try.

CC: (none) => lewyssmith

Comment 5 Lewis Smith 2019-01-06 21:21:50 CET
Forgot to check this out, but in fact we have not had an update to test on this before.
Comment 6 Herman Viaene 2019-01-10 15:05:40 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues
Did a little reading on http://netatalk.sourceforge.net/3.1/htmldocs/configuration.html
Changed /etc/netatalk/afp.conf to contain 
basedir regex = /home
in an attempt to make sure there is at least one sensible thing in it, then at CLI:
# systemctl -l status netatalk
● netatalk.service - Netatalk AFP fileserver for Macintosh clients
   Loaded: loaded (/usr/lib/systemd/system/netatalk.service; enabled; vendor preset: enabled)
   Active: inactive (dead)
     Docs: man:afp.conf(5)
           man:netatalk(8)
           man:afpd(8)
           man:cnid_metad(8)
           man:cnid_dbd(8)
           http://netatalk.sourceforge.net/
[root@mach6 ~]# systemctl  start netatalk
[root@mach6 ~]# systemctl -l status netatalk
● netatalk.service - Netatalk AFP fileserver for Macintosh clients
   Loaded: loaded (/usr/lib/systemd/system/netatalk.service; enabled; vendor preset: enabled)
   Active: active (running) since do 2019-01-10 14:54:18 CET; 4s ago
     Docs: man:afp.conf(5)
           man:netatalk(8)
           man:afpd(8)
           man:cnid_metad(8)
           man:cnid_dbd(8)
           http://netatalk.sourceforge.net/
  Process: 5224 ExecStart=/usr/sbin/netatalk (code=exited, status=0/SUCCESS)
 Main PID: 5226 (netatalk)
   CGroup: /system.slice/netatalk.service
           ├─5226 /usr/sbin/netatalk
           ├─5228 /usr/sbin/afpd -d -F /etc/netatalk//afp.conf
           └─5229 /usr/sbin/cnid_metad -d -F /etc/netatalk//afp.conf

jan 10 14:54:18 mach6.hviaene.thuis systemd[1]: netatalk.service: PID file /var/lock/netatalk not r
jan 10 14:54:18 mach6.hviaene.thuis systemd[1]: Started Netatalk AFP fileserver for Macintosh clien
jan 10 14:54:18 mach6.hviaene.thuis netatalk[5226]: Netatalk AFP server starting
jan 10 14:54:18 mach6.hviaene.thuis netatalk[5226]: Registered with Zeroconf
jan 10 14:54:18 mach6.hviaene.thuis cnid_metad[5229]: CNID Server listening on localhost:4700
jan 10 14:54:18 mach6.hviaene.thuis afpd[5228]: uam_load(uams_dhx.so): failed to load: /usr/lib/ata
jan 10 14:54:18 mach6.hviaene.thuis afpd[5228]: uam: uams_dhx.so load failure
jan 10 14:54:18 mach6.hviaene.thuis afpd[5228]: uam_load(uams_dhx2.so): failed to load: /usr/lib/at
jan 10 14:54:18 mach6.hviaene.thuis afpd[5228]: uam: uams_dhx2.so load failure
jan 10 14:54:18 mach6.hviaene.thuis afpd[5228]: Netatalk AFP/TCP listening on 192.168.2.6:548
So it runs, but to make something really useful of it, I would need to
1. delve into Apple config parameters
2. have an Apple system to test against.

I don't have pt2 and I really see myself going into pt1.

Leaving OK'ing to the higher powers, but I will not object.

CC: (none) => herman.viaene

Comment 7 Lewis Smith 2019-01-13 21:09:53 CET
I will look at this tomorrow (Mon), surely in a minimalist manner like Herman did. I have studied the pea.py script (c4 last URL), and fell at the 'Known addresses' bunch, which I do not understand at all: "The addresses below will need to be changed for a different target". It is beautifully done, though.
Comment 8 Lewis Smith 2019-01-14 13:04:32 CET
Testing M6/64
@Herman: Thanks for the config page URL.

Not so simple... BEFORE the update:
* lib[64]netatalk18 does not exist, installed just 'netatalk-2.2.3-11.mga6'
* The files in /etc/netatalk/ do not correspond to afp.conf:
 # ls /etc/netatalk/
 afpd.conf      AppleVolumes.default  atalkd.conf    papd.conf
 afp_ldap.conf  AppleVolumes.system   netatalk.conf
and neither afpd.conf nor netatalk.conf have anything resembling 'basedir', which does not even exist in the entire directory.

 # systemctl start netatalk
 # systemctl status netatalk
● netatalk.service - File and Printer sharing for Macintosh clients
   Loaded: loaded (/usr/lib/systemd/system/netatalk.service; enabled; vendor pre
   Active: active (exited) since Llu 2019-01-14 12:35:42 CET; 10s ago
  Process: 4277 ExecStart=/bin/sh -c exec /usr/libexec/netatalk/netatalk.sh (cod
 Main PID: 4277 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/netatalk.service
           ├─4283 /usr/sbin/cnid_metad -l log_note
           └─4286 /usr/sbin/afpd -U uams_dhx.so,uams_dhx2.so -g nobody -c 20 -n 
Ion 14 12:35:42 localhost.localdomain systemd[1]: Starting File and Printer shar
Ion 14 12:35:42 localhost.localdomain systemd[1]: Started File and Printer shari
Ion 14 12:35:42 localhost.localdomain afpd[4286]: AFP/TCP started, advertising 1
 # systemctl stop netatalk
---------------------------------------------------------
The UPDATE:
This is a major jump, from 2.2.3 to 3.1.12
Selecting just 'netatalk' to update also pulled in (good):
- lib64netatalk18-3.1.12-1.mga6.x86_64
- perl-IO-Socket-INET6-2.720.0-6.mga6.noarch
along with
- netatalk-3.1.12-1.mga6.x86_64

*Problem*: Failed to do transaction 1
A problem arose while installing package:
 file /usr/share/doc/netatalk/config.example from install of
 netatalk-4:3.1.12-1.mga6.x86_64 conflicts with file from package
 netatalk-4:2.2.3-11.mga6.x86_64
I had not looked here beforehand. In fact 'file' = *directory*, at this point:
 $ ls -l /usr/share/doc/netatalk/config.example/
-rw-r--r-- 1 root root 20106 Chw  12  2016 afpd.conf
-rw-r--r-- 1 root root  9615 Chw  12  2016 AppleVolumes.default
-rw-r--r-- 1 root root 25682 Ebr  26  2012 AppleVolumes.system
-rw-r--r-- 1 root root  1059 Ebr   4  2012 atalkd.conf
-rw-r--r-- 1 root root  2016 Ebr  26  2012 netatalk.conf
-rw-r--r-- 1 root root   334 Rha   5  2011 netatalk.pam-system-auth
-rw-r--r-- 1 root root  1479 Ebr   4  2012 papd.conf
 which all look pre-update
 # CONFIGURATION FOR AFPD (Netatalk 2.x in afpd.conf

The update did not happen. Asking for 'feedback'.

Keywords: (none) => feedback

Comment 9 David Walser 2019-01-19 16:54:34 CET
The package will need a %pretrans that deletes /usr/share/doc/netatalk/config.example
Comment 10 David Walser 2019-02-01 22:37:59 CET
Actually the issue came from the SPEC copying SOURCE2 (netatalk.pam-system-auth) to config.example, which it assumed was a directory (which it used to be), and because the cp command didn't have a / at the end, which would have caught this issue, it copied netatalk.pam-system-auth to a *file* called config.example, which replaced the directory.  The correct fix was to just retain the file's original name and install it as such.

Fixed in netatalk-3.1.12-1.1.mga6.

Keywords: feedback => (none)
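
The `cp` behaviour described in comment 10, reproduced in a scratch directory as an added example (this is not the Mageia spec file; the directory names `old`, `strict` and `fixed` and the file content are constructed):

```shell
#!/bin/sh
# Added example: why "cp SOURCE config.example" turned a directory name
# into a regular file, and how a trailing slash would have caught it.

# Copy $1 to $2 with no trailing slash. If $2 does not exist, cp
# silently creates a regular FILE called $2.
copy_no_slash() { cp "$1" "$2"; }

# Copy $1 to "$2/". cp fails unless $2 is an existing directory.
copy_with_slash() { cp "$1" "$2/" 2>/dev/null; }

# Report what is at a path: "dir", "file" or "missing".
kind_of() {
    if [ -d "$1" ]; then echo dir
    elif [ -f "$1" ]; then echo file
    else echo missing
    fi
}

demo() {
    root=$(mktemp -d) || return 1
    src="$root/netatalk.pam-system-auth"
    echo "constructed sample content" > "$src"
    mkdir "$root/old" "$root/strict" "$root/fixed"

    # 1. The mistake: destination assumed to be a directory, but absent.
    copy_no_slash "$src" "$root/old/config.example"
    r1=$(kind_of "$root/old/config.example")

    # 2. Same copy with a trailing slash: the build step fails loudly.
    if copy_with_slash "$src" "$root/strict/config.example"; then
        r2=copied
    else
        r2=refused
    fi

    # 3. The fix from comment 10: install the file under its own name.
    cp "$src" "$root/fixed/"
    r3=$(kind_of "$root/fixed/netatalk.pam-system-auth")

    rm -rf "$root"
    echo "$r1 $r2 $r3"
}

demo
```

Case 1 is what produced the file/directory conflict reported in comment 8: the new package shipped `config.example` as a file where the installed package owned a directory of that name.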

Comment 11 Lewis Smith 2019-02-02 12:07:17 CET
(In reply to David Walser from comment #10)
> Fixed in netatalk-3.1.12-1.1.mga6.
Thank you David.

M6/64:
Repeating the update from comment 8:
- lib64netatalk18-3.1.12-1.1.mga6.x86_64
- netatalk-3.1.12-1.1.mga6.x86_64
- perl-IO-Socket-INET6-2.720.0-6.mga6.noarch
worked fine.

Following Herman c6:
 Changed /etc/netatalk/afp.conf to contain 
basedir regex = /home
 [and for good measure]
path = /home/lewis

# systemctl stop netatalk
# systemctl start netatalk
# systemctl status netatalk
● netatalk.service - Netatalk AFP fileserver for Macintosh clients
   Loaded: loaded (/usr/lib/systemd/system/netatalk.service; enabled; vendor pre
   Active: active (running) since Sad 2019-02-02 11:36:17 CET; 7s ago
     Docs: man:afp.conf(5)
           man:netatalk(8)
           man:afpd(8)
           man:cnid_metad(8)
           man:cnid_dbd(8)
           http://netatalk.sourceforge.net/
  Process: 23138 ExecStart=/usr/sbin/netatalk (code=exited, status=0/SUCCESS)
 Main PID: 23140 (netatalk)
   CGroup: /system.slice/netatalk.service
           ├─23140 /usr/sbin/netatalk
           ├─23141 /usr/sbin/afpd -d -F /etc/netatalk//afp.conf
           └─23143 /usr/sbin/cnid_metad -d -F /etc/netatalk//afp.conf

Chw 02 11:36:17 localhost.localdomain systemd[1]: netatalk.service: PID file /va
Chw 02 11:36:17 localhost.localdomain netatalk[23140]: Netatalk AFP server start
Chw 02 11:36:17 localhost.localdomain netatalk[23140]: Registered with Zeroconf
Chw 02 11:36:17 localhost.localdomain systemd[1]: Started Netatalk AFP fileserve
Chw 02 11:36:17 localhost.localdomain afpd[23141]: uam_load(uams_dhx.so): failed
Chw 02 11:36:17 localhost.localdomain afpd[23141]: uam: uams_dhx.so load failure
Chw 02 11:36:17 localhost.localdomain afpd[23141]: uam_load(uams_dhx2.so): faile
Chw 02 11:36:17 localhost.localdomain afpd[23141]: uam: uams_dhx2.so load failur
Chw 02 11:36:17 localhost.localdomain cnid_metad[23143]: CNID Server listening o
Chw 02 11:36:17 localhost.localdomain afpd[23141]: Netatalk AFP/TCP listening on
 [the 4 'uam' fail lines in red]
which is very different from before, but the same as Herman got comment 6 from the package installation.
# ps -ax | grep afpd
23141 ?        S      0:00 /usr/sbin/afpd -d -F /etc/netatalk//afp.conf

I am unsure about the failures re 'uams_dhx.so' & 'uams_dhx2.so'. Do these matter? Mentioned in:
 http://netatalk.sourceforge.net/2.0/htmldocs/afpd.conf.5.html
Authentication Methods
-uamlist [uams list]
 [but there is no /etc/netatalk/afpd.conf ; should there be?].

I might try later the pea.py test, the last mentioned in comment 4; not with any hope, though. What do you others think to the 'clean update' we now have? Anyone doing this would need to re-configure the software anyway, I think.
Comment 12 Lewis Smith 2019-02-02 21:08:06 CET
> I might try later the pea.py test, the last mentioned in c4;
I had already looked at it: comment 7 ...
So I think this has to be OK'd as-is; advisory done from comments 3 + 10.

Keywords: (none) => advisory, validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2019-02-03 20:38:20 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0061.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
