Cyber Resilience

CVE-2023-42464

Critical

Published: 20 September 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: upgrade to Netatalk 3.1.17 or later
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0652 (91.3rd percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-42464 is a critical-severity Type Confusion (CWE-843) vulnerability in Netatalk (afpd), as packaged in Debian Linux. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A Type Confusion vulnerability exists in the Spotlight RPC functions within afpd of Netatalk 3.1.x versions prior to 3.1.17. The flaw occurs during parsing of Spotlight RPC packets that carry key-value dictionaries: callers of the dalloc_value_for_key() function perform no type checking on the objects it returns, so a value of one type can be used as if it were another. This allows an attacker to control pointer values. The issue is assigned CWE-843 and carries a CVSS 3.1 score of 9.8.

An unauthenticated remote attacker can send specially crafted Spotlight RPC packets to an affected Netatalk server. Successful exploitation grants the ability to control memory pointers and theoretically achieve remote code execution on the host, with no user interaction or privileges required.

Public advisories, including the Netatalk security notice and the Debian LTS announcement, direct users to upgrade to Netatalk 3.1.17 or later to address the type-checking deficiency. The Netatalk project page and associated issue tracker provide the corresponding patch details.

The EPSS score remains low, with a current value of 0.0652 and a peak of 0.0770.

Vulnerability details

A Type Confusion vulnerability was found in the Spotlight RPC functions in afpd in Netatalk 3.1.x before 3.1.17. When parsing Spotlight RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the underlying protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a malicious actor may be able to fully control the value of the pointer and theoretically achieve Remote Code Execution on the host. This issue is similar to CVE-2023-34967.
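As an added illustration of the bug class described above (constructed for this page, not Netatalk's code: the dalloc-style structures, the "name" key and both sample dictionaries are assumptions), the snippet shows a lookup that returns an untyped object, the caller pattern that trusts it, and the checked form that closes the type-checking gap the advisory describes:

```c
#include <stdint.h>
#include <string.h>

/* Constructed illustration of CWE-843: a tagged value object modelled on the
 * dalloc-style dictionaries described above. Netatalk's real types differ. */
typedef enum { T_STRING, T_INT64 } dtype;

typedef struct {
    dtype type;
    union { const char *str; int64_t num; } u;
} dobj;

typedef struct { const char *key; dobj val; } dpair;
typedef struct { dpair *pairs; size_t n; } ddict;

/* Hypothetical lookup: returns the object stored under `key`, or NULL.
 * It says nothing about the object's type; checking that is the caller's job. */
static dobj *dalloc_value_for_key(ddict *d, const char *key) {
    for (size_t i = 0; i < d->n; i++)
        if (strcmp(d->pairs[i].key, key) == 0) return &d->pairs[i].val;
    return NULL;
}

/* Vulnerable caller: assumes "name" is a string. If the peer encoded an
 * integer instead, the integer's bytes are reinterpreted as a char pointer. */
static const char *name_unchecked(ddict *d) {
    dobj *o = dalloc_value_for_key(d, "name");
    return o ? o->u.str : NULL;   /* type tag never consulted */
}

/* Hardened caller: consult the type tag before touching the union member. */
static int name_checked(ddict *d, const char **out) {
    dobj *o = dalloc_value_for_key(d, "name");
    if (o == NULL || o->type != T_STRING) return -1;   /* reject mismatches */
    *out = o->u.str;
    return 0;
}

/* Constructed sample dictionaries standing in for decoded RPC input:
 * one well-formed, one where "name" carries an integer instead of a string. */
static dpair benign_pairs[]  = { { "name", { T_STRING, { .str = "volume" } } } };
static dpair hostile_pairs[] = { { "name", { T_INT64, { .num = INT64_C(0x4141414141414141) } } } };
static ddict benign  = { benign_pairs, 1 };
static ddict hostile = { hostile_pairs, 1 };
```

With the hostile dictionary, name_unchecked() hands back a pointer whose value is exactly the integer the peer supplied, while name_checked() rejects the entry before it is ever used.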

CWE(s)

CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Netatalk (netatalk): 3.1 to 3.1.17
Debian (debian linux): 10.0, 11.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
