Vulnerability DatabaseCVE-2023-42464

CVE-2023-42464:
NixOS vulnerability analysis and mitigation

Overview

A Type Confusion vulnerability (CVE-2023-42464) was discovered in the Spotlight RPC functions in Netatalk's afpd daemon, affecting versions 3.1.0 through 3.1.16. The vulnerability was found by Florent Saudel and Arnaud Gatignol of Thalium team and was disclosed on September 16, 2023. The issue affects the Apple Filing Protocol (AFP) service implementation, particularly in systems running Netatalk for providing file services to macOS clients (Netatalk Security, GitHub Issue).

Technical details

The vulnerability stems from a lack of type checking in callers of the dallocvaluefor_key() function, which returns the object associated with a key. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. The CVSS v3.1 base score is 9.8 (CRITICAL) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability shares common heritage with Samba and is logically identical to CVE-2023-34967 (NVD, Netatalk Security).

Impact

Due to the type confusion vulnerability, a malicious actor may be able to fully control the value of the pointer and potentially achieve Remote Code Execution on the host. The vulnerability has received a critical severity rating due to its potential for complete system compromise without requiring authentication or user interaction (NVD).

Mitigation and workarounds

The vulnerability has been patched in Netatalk version 3.1.17. Users can either upgrade to this version or apply the patch with git hash a0ee3c2. As a workaround, since Spotlight is an optional feature in Netatalk and is disabled by default, administrators can disable it by setting 'spotlight = no' in their afp.conf file (Netatalk Security).

Community reactions

Multiple Linux distributions have released security advisories and patches for this vulnerability, including Debian and Ubuntu. Debian released DSA-5503-1 and DLA-3584-1 to address this vulnerability in their stable and LTS releases respectively (Debian Security, Debian LTS).

Additional resources

Source: This report was generated using AI

9.8

Score

Published September 20, 2023

Severity CRITICAL

CNA Score N/A

Affected Technologies

NixOS
Homebrew

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 90.7

Exploitation Probability (EPSS) 6.6

Affected packages and libraries

netatalk
libatalk12

Sources

NVD
Alpine Security Tracker
- Alpine 3.13, 3.14, 3.15, 3.16, 3.17 Severity CRITICALNo FixAdded at: Dec 03, 2023
- Alpine 3.18, edge Severity CRITICALHas FixAdded at: Sep 18, 2023
- Alpine 3.19 Severity CRITICALHas FixAdded at: Dec 10, 2023
- Alpine 3.20 Severity CRITICALHas FixAdded at: May 26, 2024
- Alpine 3.21 Severity CRITICALHas FixAdded at: Dec 08, 2024
- Alpine 3.22 Severity CRITICALHas FixAdded at: Jun 01, 2025
Debian Security Tracker
- Debian 10, 11 Severity CRITICALHas FixAdded at: Sep 18, 2023
- Debian 13 Severity CRITICALHas FixAdded at: Oct 11, 2023
Homebrew
- Homebrew Severity CRITICALHas FixAdded at: Apr 08, 2025
Nix
- Nix Severity CRITICALHas FixAdded at: Nov 01, 2023
Ubuntu Security Tracker
- Ubuntu 20.04, 22.04, 23.04 Severity MEDIUMHas FixAdded at: Sep 19, 2023
- Ubuntu 24.04 Severity MEDIUMNo FixAdded at: May 06, 2024