CVE-2018-1160
First published: Thu Dec 20 2018(Updated: )
Netatalk before 3.1.12 is vulnerable to an out of bounds write in dsi_opensess.c. This is due to lack of bounds checking on attacker controlled data. A remote unauthenticated attacker can leverage this vulnerability to achieve arbitrary code execution.
Credit: vulnreport@tenable.com vulnreport@tenable.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Netatalk Netatalk | <3.1.12 | |
| Synology DiskStation Manager | >=5.2<5.2-5967-9 | |
| Synology DiskStation Manager | >=6.1<6.1.7-15284-3 | |
| Synology DiskStation Manager | >=6.2<6.2.1-23824-4 | |
| Synology Router Manager | >=1.2<1.2-7742-5 | |
| Synology Skynas | ||
| Synology Vs960hd Firmware | ||
| Synology Vs960hd | ||
| Debian Debian Linux | =9.0 | |
| debian/netatalk | 3.1.12~ds-3 3.1.12~ds-3+deb10u4 3.1.12~ds-8+deb11u1 3.1.18~ds-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://netatalk.sourceforge.net/3.1/ReleaseNotes3.1.12.html
- http://packetstormsecurity.com/files/152440/QNAP-Netatalk-Authentication-Bypass.html
- http://www.securityfocus.com/bid/106301
- https://attachments.samba.org/attachment.cgi?id=14735
- https://github.com/tenable/poc/tree/master/netatalk/cve_2018_1160/
- https://www.debian.org/security/2018/dsa-4356
- https://www.exploit-db.com/exploits/46034/
- https://www.exploit-db.com/exploits/46048/
- https://www.exploit-db.com/exploits/46675/
- https://www.synology.com/security/advisory/Synology_SA_18_62
- https://www.tenable.com/security/research/tra-2018-48
- https://bugzilla.samba.org/show_bug.cgi?id=13711
- https://security-tracker.debian.org/tracker/CVE-2018-1160
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1160
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=916930
Frequently Asked Questions
What is CVE-2018-1160?
CVE-2018-1160 is a vulnerability in Netatalk before version 3.1.12 that allows remote unauthenticated attackers to execute arbitrary code.
How severe is CVE-2018-1160?
CVE-2018-1160 has a severity rating of 9.8 (critical).
What is the affected software for CVE-2018-1160?
The affected software for CVE-2018-1160 includes Netatalk versions up to and including 3.1.12, Synology DiskStation Manager versions up to 5.2-5967-9, Synology Router Manager versions up to 1.2-7742-5, Synology Skynas, and Synology Vs960hd Firmware.
How can I fix CVE-2018-1160?
To fix CVE-2018-1160, update Netatalk to version 3.1.12 or later.
Where can I find more information about CVE-2018-1160?
You can find more information about CVE-2018-1160 on the Debian security tracker and MITRE CVE database websites.
- collector/nvd-api
- collector/security-tracker-debian
- collector/debian-bugs
- alias/CVE-2018-1160
- collector/nvd-index
- agent/author
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/description
- agent/event
- agent/severity
- agent/references
- agent/softwarecombine
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/netatalk
- canonical/netatalk netatalk
- vendor/synology
- canonical/synology diskstation manager
- version/synology diskstation manager/5.2
- version/synology diskstation manager/6.1
- version/synology diskstation manager/6.2
- canonical/synology router manager
- version/synology router manager/1.2
- canonical/synology skynas
- canonical/synology vs960hd firmware
- canonical/synology vs960hd
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- package-manager/debian