Page 1 of 2

AFP/Netatalk critical vulnerabilities

Posted: 29 Apr 2022, 00:55
by macmpi
Hi,
Competing NAS with equivalent SW are warning about critical AFP service vulnerabilities.
Fortunately Netatalk 3.1.13 has just been released to fix several CVEs.
Any plan to integrate soon in current 4.2.x releases and upcoming TOS 5?

In the meantime some may consider disabling that service until a fix is available on TOS.

Thanks for feedback.

Re: AFP/Netatalk critical vulnerabilities

Posted: 29 Apr 2022, 15:42
by TMSupport
Thanks for your feedback, we will check soon.

Re: AFP/Netatalk critical vulnerabilities

Posted: 02 May 2022, 00:36
by macmpi
As current TOS runs Netatalk 3.1.12, that security update should be pretty straightforward to implement hopefully...

Re: AFP/Netatalk critical vulnerabilities

Posted: 05 May 2022, 14:40
by macmpi
Any plan to promply issue a user warning like your competitors have immediately done over a week ago (Synology, QNAP, WD,...)?
While you may work on an update, you may need to provide some mitigation plan to Admins whose systems may be at risk again.

For exemple Synology stance on it:
Netatalk provides file access through AFP (Apple Filing Protocol) on DSM. This service has been disabled by default since DSM 7.0. We recommend using SMB protocol instead when connecting from macOS.

For Synology systems not yet upgraded to DSM 7.1-42661-1 or newer, administrators can disable "AFP service" to mitigate this specific vulnerability. In environments where AFP is still needed, setting up firewall rules to only allow trusted clients to connect over AFP (port 548) can be used as temporary mitigation.
Thanks for demonstrating an acute consideration on these security issues.

Re: AFP/Netatalk critical vulnerabilities

Posted: 05 May 2022, 21:14
by TMroy
We do use the netatalk in our AFP file service, we are working an update, please wait for our update. Thank you!

Re: AFP/Netatalk critical vulnerabilities

Posted: 05 May 2022, 21:59
by macmpi
Sure I wait.
The question is: do you plan to warn your customers before the fix is available, so that they know and can take mitigation measures while the wait?

Re: AFP/Netatalk critical vulnerabilities

Posted: 28 May 2022, 15:43
by macmpi
{L_BUTTON_AT}TMroy
Any update on this, and a release time-frame to fix these now well-known vulnerabilities?
Thanks.

Re: AFP/Netatalk critical vulnerabilities

Posted: 15 Jun 2022, 14:54
by macmpi
{L_BUTTON_AT}TMroy
Does anyone care about this long-standing issue?
What is the schedule for ARM and x86 firmware fixes?

Thanks.

Re: AFP/Netatalk critical vulnerabilities

Posted: 20 Jun 2022, 15:26
by macmpi
{L_BUTTON_AT}TMroy

Still no news/update...
Meanwhile I notice the recent Forum reorg has buried such kind of issues in FAQ & UserGuide!... Does not seem appropriate.
Would be much better suited into TOS Issues & Experiences under System Update (or eventually File services).

By while you eventually re-direct it, please give some feedback on the actual issue.

PS: please re-enable BBcode & al too

Re: AFP/Netatalk critical vulnerabilities

Posted: 20 Jun 2022, 18:54
by TMroy
Will talk to the tech team about the netatalk update.

BBCode is enabled. but I do not know what is al.