Bug 30287 - netatalk new security issues CVE-2021-31439 and CVE-2022-2312[15]
Summary: netatalk new security issues CVE-2021-31439 and CVE-2022-2312[15]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 30288
Reported: 2022-04-14 00:34 CEST by David Walser
Modified: 2022-05-22 13:27 CEST (History)

See Also:
Source RPM: netatalk-3.1.12-7.mga8.src.rpm
CVE: CVE-2021-31439, CVE-2022-23121, CVE-2022-23125
Status comment:


Attachments
test connection (10.42 KB, text/x-matlab)
2022-04-16 11:18 CEST, Herman Viaene
pea.py to python3 (10.47 KB, text/x-matlab)
2022-04-21 21:45 CEST, papoteur

Description David Walser 2022-04-14 00:34:04 CEST
SUSE has issued an advisory today (April 13):
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010700.html

The issues are fixed upstream in 3.1.13.

3.1.13 also has fixes for CVE-2022-0194 and CVE-2022-2312[2-4], but the patch that fixed those issues caused a regression, so SUSE reverted it for their update.

Mageia 8 is also affected.
David Walser 2022-04-14 00:34:39 CEST

Status comment: (none) => Fixed upstream in 3.1.13
Whiteboard: (none) => MGA8TOO

David Walser 2022-04-14 00:35:28 CEST

Blocks: (none) => 30288

Comment 1 Lewis Smith 2022-04-14 08:48:33 CEST
This package has no formal maintainer, but am assigning this (& its companion 30288) to DavidG who committed version 3.1.12 - over 3y ago!

Assignee: bugsquad => geiger.david68210

Comment 2 Nicolas Salguero 2022-04-14 14:10:42 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Remote arbitrary code execution related to dsi_stream_receive(). (CVE-2021-31439)

Remote arbitrary code execution related to parse_entries(). (CVE-2022-23121)

Remote arbitrary code execution related to copyapplfile(). (CVE-2022-23125)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31439
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23125
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010700.html
========================

Updated packages in core/updates_testing:
========================
lib(64)netatalk18-3.1.12-7.1.mga8
lib(64)netatalk-devel-3.1.12-7.1.mga8
netatalk-3.1.12-7.1.mga8

from SRPM:
netatalk-3.1.12-7.1.mga8.src.rpm

CVE: (none) => CVE-2021-31439, CVE-2022-23121, CVE-2022-23125
Status comment: Fixed upstream in 3.1.13 => (none)
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Source RPM: netatalk-3.1.12-9.mga9.src.rpm => netatalk-3.1.12-7.mga8.src.rpm
Version: Cauldron => 8
Status: NEW => ASSIGNED
Assignee: geiger.david68210 => qa-bugs

Comment 3 Herman Viaene 2022-04-16 11:18:04 CEST
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 26347 Comment 3 for testing.
# systemctl  start netatalk
# systemctl -l status netatalk
● netatalk.service - Netatalk AFP fileserver for Macintosh clients
     Loaded: loaded (/usr/lib/systemd/system/netatalk.service; disabled; vendor preset: disabled)
     Active: active (running) since Sat 2022-04-16 10:48:33 CEST; 19s ago
       Docs: man:afp.conf(5)
             man:netatalk(8)
             man:afpd(8)
             man:cnid_metad(8)
             man:cnid_dbd(8)
             http://netatalk.sourceforge.net/
    Process: 7250 ExecStart=/usr/sbin/netatalk (code=exited, status=0/SUCCESS)
   Main PID: 7252 (netatalk)
      Tasks: 4 (limit: 9402)
     Memory: 3.3M
        CPU: 325ms
     CGroup: /system.slice/netatalk.service
             ├─7252 /usr/sbin/netatalk
             ├─7253 /usr/sbin/afpd -d -F /etc/netatalk/afp.conf
             └─7254 /usr/sbin/cnid_metad -d -F /etc/netatalk/afp.conf

apr 16 10:48:33 mach5.hviaene.thuis systemd[1]: Starting Netatalk AFP fileserver for Macintosh clients...
apr 16 10:48:33 mach5.hviaene.thuis systemd[1]: netatalk.service: Can't open PID file /var/lock/netatalk (yet?) after start: Operation not permitted
apr 16 10:48:33 mach5.hviaene.thuis netatalk[7252]: Netatalk AFP server starting
apr 16 10:48:33 mach5.hviaene.thuis cnid_metad[7254]: CNID Server listening on localhost:4700
apr 16 10:48:33 mach5.hviaene.thuis systemd[1]: Started Netatalk AFP fileserver for Macintosh clients.
apr 16 10:48:33 mach5.hviaene.thuis netatalk[7252]: Registered with Zeroconf
apr 16 10:48:33 mach5.hviaene.thuis afpd[7253]: Netatalk AFP/TCP listening on 100.116.48.30:548

Then downloaded the pea.py file from bug 26347, but ran into error:
print "[+] Sending exploit to overwrite preauth_switch data."
          ^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print("[+] Sending exploit to overwrite preauth_switch data.")?
I went through the file and changed all print statements, inserting the missing brackets - I will upload the changed file.
Then running again:
$ python pea.py -i 100.116.48.30 -lv
[+] Attempting connection to 100.116.48.30:548
[+] Connected!
[+] Sending exploit to overwrite preauth_switch data.
Traceback (most recent call last):
  File "pea.py", line 286, in <module>
    do_exploit(sock)
  File "pea.py", line 46, in do_exploit
    sock.sendall(data)
TypeError: a bytes-like object is required, not 'str'
And here I must give up for lack of knowledge of how to repair this error, but apparently the connection was made.
So I leave it to others to either mend the pea.py file or to decide this test is good enough.

CC: (none) => herman.viaene

Comment 4 Herman Viaene 2022-04-16 11:18:59 CEST
Created attachment 13219
test connection
Comment 5 papoteur 2022-04-21 21:45:21 CEST
Created attachment 13224
pea.py to python3

Hi Herman,
the source was in Python 2 and you are now trying to use it in Python 3.
Either launch it with the python2 command, or try the quick port to Python 3 I have made, without having been able to test it.
What I have done is to declare sequences of code to send as bytes, with the b prefix. If I missed some of them, you know what to do.

CC: (none) => yves.brungard_mageia

Comment 6 Herman Viaene 2022-05-03 16:49:43 CEST
Tried again with python2 and original pea.py
$ python2 pea.py  -i 192.168.2.5 -lv
[+] Attempting connection to 192.168.2.5:548
[+] Connected!
[+] Sending exploit to overwrite preauth_switch data.
[+] Listing volumes
Traceback (most recent call last):
  File "pea.py", line 288, in <module>
    list_volumes(sock)
  File "pea.py", line 116, in list_volumes
    afp_data = parse_dsi(resp, 1)
  File "pea.py", line 87, in parse_dsi
    (flags, command, req_id, error_code, length, reserved) = struct.unpack_from('>BBHIII', payload)
struct.error: unpack_from requires a buffer of at least 16 bytes
The IP address is that of my own laptop, with the firewall open.
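Added example, not code from the bug report, from pea.py or from netatalk: a small Python 3 DSI frame builder and parser covering both problems the testers hit. Comment 5's str-versus-bytes error is caught with a clear TypeError, and Comment 6's struct.error (what `struct.unpack_from('>BBHIII', ...)` raises when the server's reply is shorter than the 16-byte DSI header, for instance an empty read after the server closed the connection) becomes a readable DSIError instead. The DSI command codes and flag values are assumed from the DSI specification, and the sample reply is constructed here.

```python
import struct

# DSI header (16 bytes, big-endian): flags, command, request id,
# error code (reply) / data offset (request), body length, reserved.
# This is the '>BBHIII' layout pea.py unpacks in Comment 6.
DSI_HEADER_FMT = ">BBHIII"
DSI_HEADER_LEN = struct.calcsize(DSI_HEADER_FMT)  # 16

# Command codes and flag values assumed from the DSI spec (not from the bug page).
DSI_CLOSE_SESSION, DSI_COMMAND, DSI_GET_STATUS, DSI_OPEN_SESSION = 1, 2, 3, 4
DSI_REQUEST, DSI_REPLY = 0, 1

class DSIError(ValueError):
    """A short or inconsistent DSI frame (reported instead of struct.error)."""

def build_dsi(command, req_id, body=b"", flags=DSI_REQUEST, error_code=0):
    """Serialise one DSI frame; the body must already be bytes (a str here
    is the Python 3 'bytes-like object is required' error from Comment 3)."""
    if not isinstance(body, (bytes, bytearray)):
        raise TypeError("DSI body must be bytes, not %s" % type(body).__name__)
    return struct.pack(DSI_HEADER_FMT, flags, command, req_id,
                       error_code, len(body), 0) + bytes(body)

def parse_dsi(payload, expect_reply=True):
    """Parse one DSI frame from raw socket data. A read shorter than the
    16-byte header (e.g. an empty read after the server closed the
    connection) raises DSIError, not the struct.error seen in Comment 6."""
    if not isinstance(payload, (bytes, bytearray)):
        raise TypeError("DSI payload must be bytes, not %s" % type(payload).__name__)
    if len(payload) < DSI_HEADER_LEN:
        raise DSIError("short DSI header: got %d bytes, need %d"
                       % (len(payload), DSI_HEADER_LEN))
    flags, command, req_id, error_code, length, _reserved = \
        struct.unpack_from(DSI_HEADER_FMT, payload)
    if expect_reply and flags != DSI_REPLY:
        raise DSIError("expected a DSI reply (flags=1), got flags=%d" % flags)
    body = payload[DSI_HEADER_LEN:]
    if len(body) < length:
        raise DSIError("truncated DSI body: header announces %d bytes, %d present"
                       % (length, len(body)))
    return {"flags": flags, "command": command, "req_id": req_id,
            "error_code": error_code, "length": length, "body": bytes(body[:length])}

# Constructed sample: a DSIGetStatus reply carrying a 5-byte body.
SAMPLE_REPLY = build_dsi(DSI_GET_STATUS, 7, b"hello", flags=DSI_REPLY)
```

Feeding `parse_dsi` the raw bytes read from the socket (and treating an empty read as "server closed the connection") turns the traceback in Comment 6 into a diagnosable result.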
Comment 7 Thomas Andrews 2022-05-21 14:15:22 CEST
I'm going to OK this based on the clean install and the successful connection. If the error expressed in the last two lines of Comment 6 is reason enough to remove that OK, please do so.

For all I know, that error may mean that it is working properly. I don't own anything Apple, so can't investigate it myself.

Validating. Advisory in Comment 2.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

Dave Hodgins 2022-05-22 04:20:13 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-05-22 13:27:38 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0196.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

