
How to remediate – AFP Server Share Enumeration (guest)

1. Introduction

The “AFP Server Share Enumeration (guest)” vulnerability allows a guest user to access network shares on a remote AFP server. This can lead to unauthorized information disclosure if sensitive data is stored in accessible shares. Affected systems are typically macOS servers running the Apple Filing Protocol service. The likely impact is limited to confidentiality (low), with minimal integrity or availability concerns unless the shares contain critical system files.

2. Technical Explanation

The remote AFP server allows guest users to connect to several shares by default. This means that anyone on the network can potentially browse and access files within those shared folders without authentication. The vulnerability stems from an unsafe default configuration of the AFP service, permitting anonymous connections. A simple example is a user connecting from a macOS client and browsing accessible shares without being prompted for credentials.

  • Root cause: The AFP server allows guest access to network shares by default.
  • Exploit mechanism: An attacker connects to the AFP server as a guest user and enumerates available shares, potentially accessing sensitive files.
  • Scope: macOS servers running the Apple Filing Protocol service are affected.

3. Detection and Assessment

You can confirm whether a system is vulnerable by checking if guest access to shared folders is enabled. A quick check involves examining the AFP service configuration, while a thorough method includes attempting to connect as a guest user from another machine.

  • Quick checks: On macOS server, open System Preferences -> Sharing and verify that File Sharing is enabled. Then, click Options… and check if “Share files and folders with:” allows ‘Everyone’.
  • Scanning: Nessus plugin ID 138960 can detect this issue. This is an example only.
  • Logs and evidence: Check system logs for successful connections from guest users to the AFP service. Look for events related to file sharing access without authentication.
  • Manual check: attempt an unauthenticated connection from another machine with `smbclient //server_ip -N`.

4. Solution / Remediation Steps

To fix this issue, disable guest access to shared folders on the AFP server. This can be done through the System Preferences interface on macOS.

4.1 Preparation

  • Prerequisite: you need administrative access to the macOS server’s System Preferences. Roll back by re-enabling guest access in System Preferences if needed.
  • A standard change window may be appropriate, depending on your organization’s security policy. Approval from a system administrator might be required.

4.2 Implementation

  1. On the macOS server, open System Preferences.
  2. Click Sharing.
  3. Select File Sharing in the left sidebar.
  4. Click Options…
  5. Uncheck the box labeled “Share files and folders with:” Everyone.

4.3 Config or Code Example

Before

Share files and folders with: Everyone (Allow guests to connect)

After

Share files and folders with: Only these people (Do not allow guests to connect)

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent this issue. Least privilege is important, as limiting access reduces the impact of unauthorized connections. Safe defaults also play a role, ensuring that services are configured securely out-of-the-box.

  • Least privilege: restrict user access to only the resources they need.
  • Safe defaults: enforce secure default configurations for all network services.

4.5 Automation (Optional)

Automation is not typically suitable for this specific change due to the GUI-based configuration.

5. Verification / Validation

Confirm that the fix worked by attempting to connect to the AFP server as a guest user and verifying that access is denied. A negative test involves trying to browse shares without authentication.

  • Post-fix check: Attempt to connect using `smbclient //server_ip -N`. You should receive an error message indicating access is denied.
  • Re-test: Re-run the quick check from Section 3 and confirm that “Everyone” is no longer selected in File Sharing Options.
  • Smoke test: Verify that authorized users can still connect to shared folders with valid credentials.
  • Monitoring: Monitor system logs for any failed connection attempts as a guest user, which could indicate an ongoing issue or attempted exploitation. This is an example only.
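The detection check in Section 3 and the post-fix check above both rely on `smbclient`, which speaks SMB and therefore tests SMB guest access rather than the AFP service itself. An AFP server announces whether it accepts guests in the FPGetSrvrInfo block it returns to a DSIGetStatus query on TCP port 548: the list of User Authentication Methods (UAMs) contains “No User Authent” only when guest logins are permitted. The following script is an added example and is not part of this article or of any vendor tool; it builds the status query, parses the reply, and reports the guest setting, so it can be run against a server you administer before and after the change in Section 4.2. The function names (`probe_afp_guest`, `parse_dsi_reply`, `build_sample_reply`) and the sample server name `fileserver.example` are assumptions chosen for this example; the two constructed replies model the Before and After states from Section 4.3 and are not captures from a real server.

```python
import socket
import struct

AFP_PORT = 548                  # AFP over TCP (DSI transport)
DSI_HEADER_LEN = 16             # every DSI message starts with a 16-byte header
DSI_GETSTATUS = 3               # DSI command whose reply carries the FPGetSrvrInfo block
GUEST_UAM = "No User Authent"   # UAM advertised only when guest logins are permitted


def build_dsi_getstatus(request_id=1):
    """DSIGetStatus request: a bare DSI header (flags=0 marks a request, no payload)."""
    return struct.pack("!BBHiII", 0, DSI_GETSTATUS, request_id, 0, 0, 0)


def _p(text):
    """Encode text as a Pascal string (length byte followed by the bytes)."""
    raw = text.encode("ascii")
    return bytes([len(raw)]) + raw


def _pstring(blob, offset):
    """Read a Pascal string at offset; return (text, offset just after it)."""
    length = blob[offset]
    start = offset + 1
    return blob[start:start + length].decode("ascii", "replace"), start + length


def _pstring_list(blob, offset):
    """Read a count byte followed by that many Pascal strings."""
    count = blob[offset]
    pos = offset + 1
    items = []
    for _ in range(count):
        text, pos = _pstring(blob, pos)
        items.append(text)
    return items


def parse_srvr_info(info):
    """Parse the FPGetSrvrInfo block; all offsets are relative to its first byte."""
    machine_off, versions_off, uams_off, _icon_off, flags = struct.unpack_from("!HHHHH", info, 0)
    server_name, _ = _pstring(info, 10)   # the server name follows the 10-byte offset table
    machine_type, _ = _pstring(info, machine_off)
    uams = _pstring_list(info, uams_off)
    return {
        "server_name": server_name,
        "machine_type": machine_type,
        "afp_versions": _pstring_list(info, versions_off),
        "uams": uams,
        "flags": flags,
        "guest_allowed": GUEST_UAM in uams,
    }


def parse_dsi_reply(data):
    """Validate the DSI header (flags=1 marks a reply) and parse the enclosed server info."""
    flags, command, _req_id, error, length, _reserved = struct.unpack_from("!BBHiII", data, 0)
    if flags != 1 or command != DSI_GETSTATUS:
        raise ValueError("not a DSIGetStatus reply")
    if error != 0:
        raise ValueError("server returned DSI error %d" % error)
    return parse_srvr_info(data[DSI_HEADER_LEN:DSI_HEADER_LEN + length])


def build_sample_reply(guest_enabled):
    """Constructed DSIGetStatus reply (not a real capture) for the Before/After states."""
    uams = ["DHX2", "DHCAST128"]
    if guest_enabled:
        uams.insert(0, GUEST_UAM)
    body = bytearray(10)                      # offset table and flags, patched in below
    body += _p("fileserver.example")          # constructed server name
    if len(body) % 2:
        body += b"\x00"                        # the name is padded to an even boundary
    machine_off = len(body)
    body += _p("Macintosh")
    versions_off = len(body)
    body += bytes([2]) + _p("AFP3.3") + _p("AFP3.4")
    uams_off = len(body)
    body += bytes([len(uams)]) + b"".join(_p(u) for u in uams)
    struct.pack_into("!HHHHH", body, 0, machine_off, versions_off, uams_off, 0, 0)
    header = struct.pack("!BBHiII", 1, DSI_GETSTATUS, 1, 0, len(body), 0)
    return header + bytes(body)


def _recv_exact(sock, n):
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-reply")
        buf += chunk
    return bytes(buf)


def probe_afp_guest(host, port=AFP_PORT, timeout=5.0):
    """Query a server you administer for its FPGetSrvrInfo block and report the guest setting."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_dsi_getstatus())
        header = _recv_exact(sock, DSI_HEADER_LEN)
        length = struct.unpack_from("!I", header, 8)[0]   # total data length field
        payload = _recv_exact(sock, length)
    return parse_dsi_reply(header + payload)


if __name__ == "__main__":
    import sys
    # With a hostname argument the live server is queried; otherwise the constructed
    # "Before" reply is parsed so the script runs offline.
    result = probe_afp_guest(sys.argv[1]) if len(sys.argv) > 1 else parse_dsi_reply(build_sample_reply(True))
    print("server:", result["server_name"], "UAMs:", result["uams"])
    print("guest access:", "ENABLED" if result["guest_allowed"] else "disabled")
```

The status query is the same read-only request every AFP client sends before logging in, so it does not touch any share; run it from the verification step in Section 5 and treat a reply that still lists “No User Authent” as a failed fix.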

6. Preventive Measures and Monitoring

  • Baselines: Update your macOS security baseline to require disabling guest access to shared folders by default.
  • Pipelines: Add a check in your CI/CD pipeline to verify that File Sharing Options are configured correctly on new systems.
  • Asset and patch process: Review the configuration of AFP services during regular asset scans or patch management cycles.

7. Risks, Side Effects, and Roll Back

  • Risk or side effect 1: Authorized users may be unable to connect without proper authentication. Mitigation is to ensure all users have accounts and can log in.
  • Roll back: 1. Open System Preferences. 2. Click Sharing. 3. Select File Sharing. 4. Click Options… 5. Check the box labeled “Share files and folders with:” Everyone.

8. References and Resources

Updated on October 26, 2025
