CVE-2024-38440

Name of the Vulnerable Software and Affected Versions Netatalk versions prior to 3.2.1 Netatalk version 3.2.0

Description The issue arises due to a lack of validation for the length field after parsing user-provided data, leading to an out-of-bounds heap write of one byte, potentially causing a Denial of Service (DoS) under certain heap layouts or with ASAN enabled. The vulnerability is located in the FPLoginExt operation of Netatalk, in the BN bin2bn function found in etc/uams/uams dhx pam.c.

Recommendations For Netatalk versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. For Netatalk version 3.2.0, update to version 3.2.1 or later to resolve the issue. As a temporary workaround, consider disabling the FPLoginExt operation in Netatalk until a patch is available. Restrict access to the BN bin2bn function in etc/uams/uams dhx pam.c to minimize the risk of exploitation.