AFP/Netatalk critical vulnerabilities

macmpi
Posts: 120
Joined: 07 Jan 2020, 02:52

AFP/Netatalk critical vulnerabilities

Post by macmpi »

Hi,
Competing NAS with equivalent SW are warning about critical AFP service vulnerabilities.
Fortunately Netatalk 3.1.13 has just been released to fix several CVEs.
Any plan to integrate soon in current 4.2.x releases and upcoming TOS 5?

In the meantime some may consider disabling that service until a fix is available on TOS.

Thanks for feedback.
TerraMaster F2-210 under TOS 4.2.43, RAID1, Btrfs, serving Mac, Linux & Windows clients
TMSupport
TerraMaster Team
Posts: 2314
Joined: 13 Dec 2019, 15:15

Re: AFP/Netatalk critical vulnerabilities

Post by TMSupport »

Thanks for your feedback, we will check soon.
To contact our team, please send email to following addresses, remember to replace (at) with @
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
macmpi
Posts: 120
Joined: 07 Jan 2020, 02:52

Re: AFP/Netatalk critical vulnerabilities

Post by macmpi »

As current TOS runs Netatalk 3.1.12, that security update should be pretty straightforward to implement hopefully...
macmpi
Posts: 120
Joined: 07 Jan 2020, 02:52

Re: AFP/Netatalk critical vulnerabilities

Post by macmpi »

Any plan to promptly issue a user warning like your competitors have immediately done over a week ago (Synology, QNAP, WD,...)?
While you may work on an update, you may need to provide some mitigation plan to Admins whose systems may be at risk again.

For example, Synology's stance on it:
"Netatalk provides file access through AFP (Apple Filing Protocol) on DSM. This service has been disabled by default since DSM 7.0. We recommend using SMB protocol instead when connecting from macOS.

For Synology systems not yet upgraded to DSM 7.1-42661-1 or newer, administrators can disable "AFP service" to mitigate this specific vulnerability. In environments where AFP is still needed, setting up firewall rules to only allow trusted clients to connect over AFP (port 548) can be used as temporary mitigation."

Thanks for demonstrating an acute consideration on these security issues.
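Added example, not part of any post in this thread: a shell check an administrator could use while waiting for a fixed firmware, flagging a host that still listens on AFP port 548 with a Netatalk older than 3.1.13 (the two versions and the port are the ones named in the thread). The function names and the sample `ss -ltn` output are constructed, and it assumes `ss`, `awk` and `sort` are available on the box.

```shell
#!/bin/sh
# Added example. FIXED_VERSION and the AFP port come from the thread;
# function names and the sample `ss -ltn` output are constructed.
FIXED_VERSION="3.1.13"   # Netatalk release the thread names as fixing the CVEs
AFP_PORT=548

# version_lt A B: succeed if dotted numeric version A is strictly older than B.
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# afp_listeners: read `ss -ltn` output on stdin and print every local
# address:port listening on the AFP port, ignoring loopback-only sockets.
afp_listeners() {
    awk -v port="$AFP_PORT" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]") next
            print $4
        }'
}

# afp_risk VERSION: classify a host from its Netatalk version (argument)
# and its `ss -ltn` output (stdin). Firewall rules are not inspected, so
# an "at-risk" host may still be restricted to trusted clients upstream.
afp_risk() {
    exposed=$(afp_listeners | tr '\n' ' ' | sed 's/ $//')
    if [ -z "$exposed" ]; then
        echo "ok: no non-loopback listener on TCP $AFP_PORT"
    elif version_lt "$1" "$FIXED_VERSION"; then
        echo "at-risk: Netatalk $1 < $FIXED_VERSION listening on $exposed"
    else
        echo "patched: Netatalk $1 listening on $exposed"
    fi
}

# Constructed sample; on a real host use: ss -ltn | afp_risk "<version>"
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:445        0.0.0.0:*
LISTEN 0      128    0.0.0.0:548        0.0.0.0:*
LISTEN 0      128    127.0.0.1:631      0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | afp_risk "3.1.12"
```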
TMroy
TerraMaster Team
Posts: 2578
Joined: 10 Mar 2020, 14:04
China

Re: AFP/Netatalk critical vulnerabilities

Post by TMroy »

We do use Netatalk in our AFP file service; we are working on an update. Please wait for our update. Thank you!
To contact our team, please send email to following addresses, remember to replace (at) with @:
Support team: support(at)terra-master.com (for technical support only)
Service team: service(at)terra-master.com (for purchasing, return, replacement, RMA service)
macmpi
Posts: 120
Joined: 07 Jan 2020, 02:52

Re: AFP/Netatalk critical vulnerabilities

Post by macmpi »

Sure, I'll wait.
The question is: do you plan to warn your customers before the fix is available, so that they know and can take mitigation measures while they wait?
macmpi
Posts: 120
Joined: 07 Jan 2020, 02:52

Re: AFP/Netatalk critical vulnerabilities

Post by macmpi »

@TMroy
Any update on this, and a release time-frame to fix these now well-known vulnerabilities?
Thanks.
macmpi
Posts: 120
Joined: 07 Jan 2020, 02:52

Re: AFP/Netatalk critical vulnerabilities

Post by macmpi »

@TMroy
Does anyone care about this long-standing issue?
What is the schedule for ARM and x86 firmware fixes?

Thanks.
macmpi
Posts: 120
Joined: 07 Jan 2020, 02:52

Re: AFP/Netatalk critical vulnerabilities

Post by macmpi »

@TMroy

Still no news/update...
Meanwhile I notice the recent Forum reorg has buried this kind of issue in FAQ & UserGuide!... Does not seem appropriate.
Would be much better suited into TOS Issues & Experiences under System Update (or eventually File services).

By while you eventually re-direct it, please give some feedback on the actual issue.

PS: please re-enable BBcode & al too
TMroy
TerraMaster Team
Posts: 2578
Joined: 10 Mar 2020, 14:04
China

Re: AFP/Netatalk critical vulnerabilities

Post by TMroy »

Will talk to the tech team about the netatalk update.

BBCode is enabled, but I do not know what "al" is.