CVE-2024-38440
CVE-2024-38440 is a high-severity vulnerability in Netatalk with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-193.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- EPSS exploit prediction: 1% (55th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-37332
- Weakness: CWE-193
- Affected product: Netatalk
- Published:
- Last modified:
Description
Netatalk before 3.2.1 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ... The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c ... if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) ... threads ... [#0] Id 1, Name: "afpd", stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV ... [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 ... mov rdx, QWORD PTR [rsp+0x18] ... afp_login_ext(obj=<optimized out>, ibuf=0x62d000010424 "", ibuflen=0xffffffffffff0015, rbuf=<optimized out>, rbuflen=<optimized out>) ... afp_over_dsi(obj=0x5555556154c0 <obj>).' 2.4.1 and 3.1.19 are also fixed versions.
Frequently asked questions
- What is CVE-2024-38440?
- Netatalk before 3.2.1 has an off-by-one error, and resultant heap-based buffer overflow and segmentation violation, because of incorrectly using FPLoginExt in BN_bin2bn in etc/uams/uams_dhx_pam.c. The original issue 1097 report stated: 'The latest version of Netatalk (v3.2.0) contains a security vulnerability. This vulnerability arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte (\0). Under specific configurations, this can result in reading metadata of the next heap block, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. ... The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN_bin2bn function found in /etc/uams/uams_dhx_pam.c ... if (!(bn = BN_bin2bn((unsigned char *)ibuf, KEYSIZE, NULL))) ... threads ... [#0] Id 1, Name: "afpd", stopped 0x7ffff4304e58 in ?? (), reason: SIGSEGV ... [#0] 0x7ffff4304e58 mov BYTE PTR [r14+0x8], 0x0 ... mov rdx, QWORD PTR [rsp+0x18] ... afp_login_ext(obj=<optimized out>, ibuf=0x62d000010424 "", ibuflen=0xffffffffffff0015, rbuf=<optimized out>, rbuflen=<optimized out>) ... afp_over_dsi(obj=0x5555556154c0 <obj>).' 2.4.1 and 3.1.19 are also fixed versions.
- How severe is CVE-2024-38440?
- CVE-2024-38440 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2024-38440 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (55th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-38440?
- CVE-2024-38440 primarily affects Netatalk. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2024-38440?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2024-38440 have an EU (EUVD) identifier?
- Yes. CVE-2024-38440 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-37332.
- When was CVE-2024-38440 published?
- CVE-2024-38440 was published on 2024-06-16 and last updated on 2026-06-17.
References
- https://github.com/Netatalk/netatalk/blob/90d91a9ac9a7d6132ab7620d31c8c23400949206/etc/uams/uams_dhx_pam.c#L199-L200
- https://github.com/Netatalk/netatalk/issues/1097
- https://github.com/Netatalk/netatalk/security/advisories/GHSA-mxx4-9fhm-r3w5
- https://netatalk.io/security/CVE-2024-38440
- https://lists.debian.org/debian-lts-announce/2024/11/msg00026.html
Affected products (2)
- cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:*
- cpe:2.3:a:netatalk:netatalk:3.2.0:*:*:*:*:*:*:*
More vulnerabilities in Netatalk
- CVE-2022-22995 — Critical (CVSS 10.0): The combination of primitives offered by SMB and AFP in their default configuration allows the arbitrary writing of…
- CVE-2024-38441 — Critical (CVSS 9.8): Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to…
- CVE-2024-38439 — Critical (CVSS 9.8): Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting…
- CVE-2023-42464 — Critical (CVSS 9.8): A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. When…
- CVE-2022-43634 — Critical (CVSS 9.8): This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk.…
- CVE-2022-23125 — Critical (CVSS 9.8): This vulnerability allows remote attackers to execute arbitrary code on affected installations of Netatalk.…
Other CWE-193 (Off-by-one Error) vulnerabilities
- CVE-2024-10442 — Critical (CVSS 10.0): Off-by-one error vulnerability in the transmission component in Synology Replication Service before 1.0.12-0066,…
- CVE-2026-53309 — Critical (CVSS 9.8): In the Linux kernel, the following vulnerability has been resolved: ocfs2/dlm: fix off-by-one in dlm_match_regions()…
- CVE-2024-38441 — Critical (CVSS 9.8): Netatalk before 3.2.1 has an off-by-one error and resultant heap-based buffer overflow because of setting ibuf[len] to…
- CVE-2023-46853 — Critical (CVSS 9.8): In Memcached before 1.6.22, an off-by-one error exists when processing proxy requests in proxy mode, if \n is used…
- CVE-2023-38429 — Critical (CVSS 9.8): An issue was discovered in the Linux kernel before 6.3.4. fs/ksmbd/connection.c in ksmbd has an off-by-one error in…
- CVE-2022-34970 — Critical (CVSS 9.8): Crow before 1.0+4 has a heap-based buffer overflow via the function qs_parse in query_string.h. On successful…