Netatalk Authentication Bypass Vulnerability in Admin Auth User

Vulnerability

An authentication bypass vulnerability has been identified in Netatalk versions 2.2.2 through 4.4.2. It stems from the admin auth user fallback: when that option is configured, a client whose normal login fails is re-checked against the configured admin account, and if the supplied password matches the admin's, a session is created for the user the client originally requested. In effect, the admin password authenticates a client as any user. This is a documented convenience feature, but it is a security risk wherever the option is enabled unintentionally or the admin password is shared more widely than the set of trusted administrators. Exploitation requires knowing the admin auth user's password; no other weakness is needed.

Impact

Exploitation of this vulnerability allows an attacker who holds the admin password to authenticate as any user the server knows, and therefore to read or modify files on every share that user can reach, with actions attributed to the impersonated account rather than to the admin.

Remediation

Users can upgrade to Netatalk version 4.5.0 or later, which includes the fix. Alternatively, the patch can be applied to the Netatalk 4.4.2 source tree. The Netatalk team advises against proactively applying the patch to existing deployments, citing the low likelihood of practical exploitation. Note that the fallback is only reachable when admin auth user is set in afp.conf: deployments that never set the option are unaffected regardless of version, and deployments that do set it should treat the admin password with the same care as every account it can impersonate.
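The practical check for both the Vulnerability and Remediation sections above is whether the fallback is enabled at all. The following POSIX shell script, added here as an example and not part of the page or of the Netatalk project, parses the [Global] section of an afp.conf, reports any active admin auth user setting, and writes a hardened copy with that line commented out. The config file content is constructed inline for the demonstration; the option name and [Global] section are Netatalk's, while the install path of afp.conf (which varies by distribution) is left to the caller.

```shell
#!/bin/sh
# Audit an afp.conf for the "admin auth user" fallback that lets the admin
# password authenticate a client as any requested user.

# Constructed sample afp.conf for offline demonstration (not a real deployment).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
[Global]
; hostname = fileserver
admin auth user = root
uam list = uams_dhx2.so

[Homes]
basedir regex = /home
EOF

# Print the configured admin auth user from the [Global] section, ignoring
# comment lines (';' or '#') and whitespace around '='. Returns 0 when the
# option is active, 1 when it is absent or commented out.
admin_auth_user() {
  awk -F= '
    /^[[:space:]]*[;#]/ { next }
    /^[[:space:]]*\[/ {
      section = tolower($0)
      gsub(/\[|\]|[[:space:]]/, "", section)
      next
    }
    section == "global" {
      key = $1
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
      if (tolower(key) == "admin auth user") {
        val = substr($0, index($0, "=") + 1)
        gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        if (val != "") { print val; found = 1; exit }
      }
    }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Write a copy of config "$1" to "$2" with every active "admin auth user"
# line commented out, so the fallback can no longer be reached.
harden_afp_conf() {
  awk '
    /^[[:space:]]*[;#]/ { print; next }
    {
      key = $0
      sub(/=.*/, "", key)
      gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
    }
    tolower(key) == "admin auth user" { print "; disabled by audit: " $0; next }
    { print }
  ' "$1" > "$2"
}

# Run the audit against the sample, then hardened copy it.
if user=$(admin_auth_user "$SAMPLE_CONF"); then
  echo "admin auth user is active (set to '$user'): the admin password can log in as any user"
else
  echo "admin auth user is not set: fallback unreachable"
fi

HARDENED="$(mktemp)"
harden_afp_conf "$SAMPLE_CONF" "$HARDENED"
admin_auth_user "$HARDENED" >/dev/null || echo "hardened copy has the fallback disabled"
```

Run `admin_auth_user /path/to/afp.conf` against a real server to decide whether the advisory applies to it; a non-zero exit means the fallback is not configured and the version range above is moot for that host.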

Added: May 21, 2026, 8:41 AM
Updated: May 21, 2026, 8:41 AM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 5.0
exploitability: 6.3
remediation: 8.3
relevance: 9.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.