Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2022-23122
CVE-2022-23122:
NixOS vulnerability analysis and mitigation
Overview
CVE-2022-23122 is a critical vulnerability discovered in Netatalk, an Apple Filing Protocol service. The vulnerability exists within the setfilparams function and stems from improper validation of user-supplied data length before copying it to a fixed-length stack-based buffer. This vulnerability was disclosed in March 2022 and affects Netatalk versions prior to 3.1.13. The vulnerability is particularly severe as it requires no authentication to exploit and allows remote attackers to execute arbitrary code with root privileges (ZDI Advisory, NVD).
Technical details
The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The technical analysis reveals that the vulnerability is classified as a stack-based buffer overflow (CWE-121) and out-of-bounds write (CWE-787). The specific flaw lies in the setfilparams function's handling of user-supplied data, where insufficient length validation leads to a buffer overflow condition (NVD).
Impact
The impact of this vulnerability is severe as it allows remote attackers to execute arbitrary code with root privileges on affected Netatalk installations. No authentication is required to exploit this vulnerability, making it particularly dangerous. Successful exploitation could lead to complete system compromise, allowing attackers to gain full control over the affected system (ZDI Advisory).
Mitigation and workarounds
The vulnerability has been fixed in Netatalk version 3.1.13. Various Linux distributions have also released security updates to address this vulnerability. Ubuntu has released fixes for versions 20.04 LTS (3.1.12~ds-4ubuntu0.20.04.1) and 22.04 LTS (3.1.12~ds-9ubuntu0.22.04.1). Debian has addressed the issue in version 3.1.12~ds-8+deb11u1 for the bullseye release (Ubuntu Notice, Debian Advisory).
Community reactions
The vulnerability was discovered by Orange Tsai from the DEVCORE Research Team. The discovery was part of a broader security research effort that uncovered multiple critical vulnerabilities in Netatalk (ZDI Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management