What this actually is.
Technical background, root cause, and affected surface.
Netatalk uses DES-ECB mode for password comparison in legacy authentication modules. DES-ECB is vulnerable to timing attacks because the comparison exits early on mismatch. An attacker measuring response times can statistically recover credentials.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Medium
- CVSS Score
- 5.9
- Status
- Published
- CWE
- CWE-208: Observable Timing Discrepancy
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
etc/uams/uams_randnum.c or uams_clrtxt.c: DES-ECB password comparison with non-constant-time memcmp or strncmp
Root cause: Use of DES-ECB (broken algorithm) combined with non-constant-time comparison operations creates a measurable timing channel
When does this fire?
All conditions must be true for the exploit to succeed.
Attacker with network access sends repeated authentication attempts and measures response timing variations
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Recovery of AFP user credentials via remote timing analysis
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which replaces DES-ECB with constant-time cryptographic comparison. Disable all legacy DES-based UAMs.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.