
Arbitrary code execution on affected installations of Netatalk


Jun 28, 2023

Arbitrary code execution on affected installations of Netatalk in the dsi_writeinit function

Summary

This issue is being investigated by Buffalo Engineering. As a temporary workaround to prevent exploitation, disable AFP pending a permanent solution.

Vulnerability ID | Vulnerability Overview
CVE-2022-43634 | A heap-based buffer overflow vulnerability exists within the dsi_writeinit function in Netatalk. The issue results from a failure to properly validate the length of user-supplied data before copying it into a fixed-length heap buffer. An unauthenticated, remote attacker can exploit this vulnerability to execute arbitrary code on the affected system with root-level privileges.

Affected Supported TeraStations

TS7010 (Fixed in firmware version 2.00)
TS6000
TS5020 / TS5010
TS3020 / TS3010
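
To confirm that the "disable AFP" workaround has actually taken effect on each unit, the following added example (not Buffalo's or Netatalk's code) sends a DSIGetStatus request, the unauthenticated server-info query of the DSI transport that AFP runs over, and reports whether an AFP listener still answers. TCP port 548 and the 16-byte DSI header layout come from the AFP/DSI protocol rather than from this notice, and the host names are whatever the operator passes on the command line.

```python
import socket
import struct
import sys

AFP_PORT = 548          # standard AFP-over-TCP (DSI) port; not stated in the advisory
DSI_GETSTATUS = 3       # DSIGetStatus: unauthenticated server-info request
# DSI header: flags, command, request id, error code/offset, data length, reserved
DSI_HEADER = struct.Struct(">BBHIII")


def build_getstatus(request_id=1):
    """Return the 16-byte DSI request header for DSIGetStatus."""
    return DSI_HEADER.pack(0x00, DSI_GETSTATUS, request_id, 0, 0, 0)


def parse_header(data):
    """Decode a DSI header, or return None when fewer than 16 bytes arrived."""
    if len(data) < DSI_HEADER.size:
        return None
    flags, command, request_id, _, length, _ = DSI_HEADER.unpack(data[:16])
    return {"reply": flags == 0x01, "command": command,
            "request_id": request_id, "length": length}


def afp_state(host, port=AFP_PORT, timeout=3.0):
    """Return 'closed', 'open-not-afp' or 'afp-enabled' for one host."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # refused, filtered or unreachable
    data = b""
    with sock:
        try:
            sock.sendall(build_getstatus())
            while len(data) < DSI_HEADER.size:
                chunk = sock.recv(DSI_HEADER.size - len(data))
                if not chunk:
                    break
                data += chunk
        except OSError:
            pass  # reset or timeout: treat as a listener that is not speaking DSI
    header = parse_header(data)
    if header and header["reply"] and header["command"] == DSI_GETSTATUS:
        return "afp-enabled"  # workaround not applied on this host
    return "open-not-afp"


if __name__ == "__main__":
    for target in sys.argv[1:]:  # hosts supplied by the operator
        print(f"{target}: {afp_state(target)}")
```

An `afp-enabled` result only shows that AFP is still reachable on that unit; it does not test for the overflow itself.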


Date | Description
6/28/2023 | Initial release
11/20/2025 | Update

