
CVE-2022-23093 Possible RCE in FreeBSD

Stack overflow vulnerability in ping(8)

Vulnerability Description

ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response, ping has to reconstruct the IP header, the ICMP header, and, if present, a "quoted packet," which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.

pr_pack() copies the received IP and ICMP headers into stack buffers for further processing. In doing so, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.
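The check that was missing is a length check driven by the IHL field: an IPv4 header is 20 bytes plus up to 40 bytes of options, so a header copy has to be bounded by the declared header length and the destination sized for 60 bytes. The following is an added illustration, not FreeBSD's ping code or its fix; the function names, the constructed packet and the 60-byte destination buffer are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IP_HDR_MIN   20   /* base IPv4 header */
#define IP_HDR_MAX   60   /* base header plus up to 40 bytes of options */
#define ICMP_HDR_LEN  8

/* IPv4 header length (20..60) from the IHL nibble, or 0 if the packet is
 * shorter than the header it declares. */
static size_t ip_header_len(const uint8_t *pkt, size_t len)
{
    if (len < IP_HDR_MIN || (pkt[0] >> 4) != 4)
        return 0;
    size_t hl = (size_t)(pkt[0] & 0x0f) * 4;
    return (hl < IP_HDR_MIN || hl > len) ? 0 : hl;
}

/* Copy the IP header, options included, into a buffer sized for the maximum
 * header; this is the sizing pr_pack() got wrong. Returns bytes copied or -1. */
static int copy_ip_header(const uint8_t *pkt, size_t len, uint8_t dst[IP_HDR_MAX])
{
    size_t hl = ip_header_len(pkt, len);
    if (hl == 0)
        return -1;
    memcpy(dst, pkt, hl);   /* hl <= IP_HDR_MAX by construction */
    return (int)hl;
}

/* For an ICMP error, walk outer IP -> ICMP -> quoted IP (which may carry its
 * own options) and return the offset of the quoted ICMP header, or -1. */
static long quoted_icmp_offset(const uint8_t *pkt, size_t len)
{
    size_t hl = ip_header_len(pkt, len);
    if (hl == 0 || len < hl + ICMP_HDR_LEN)
        return -1;
    size_t qoff = hl + ICMP_HDR_LEN;
    size_t qhl = ip_header_len(pkt + qoff, len - qoff);
    if (qhl == 0 || len < qoff + qhl + ICMP_HDR_LEN)
        return -1;
    return (long)(qoff + qhl);
}

int main(void)
{
    uint8_t pkt[96] = {0};  /* constructed ICMP error: outer IHL=5, quoted IHL=15 */
    pkt[0] = 0x45;
    pkt[28] = 0x4f;
    printf("quoted ICMP header at offset %ld\n", quoted_icmp_offset(pkt, sizeof pkt));
    return 0;
}
```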

About ping(8)

ping(8) is a program that can be used to test the reachability of a remote host using ICMP messages. To send and receive ICMP messages, ping makes use of raw sockets and therefore requires elevated privileges. To make ping’s functionality available to unprivileged users, it is installed with the setuid bit set. When ping runs, it creates the raw socket needed to do its work, and then revokes its elevated privileges.

CVE Name: CVE-2022-23093
Category: Core
Module: Ping
Announced: 2022-11-29
Credits: Tom Jones
Affects: All supported versions of FreeBSD.
Corrected: 2022-11-29 22:56:33 UTC (stable/13, 13.1-STABLE)
           2022-11-29 23:00:43 UTC (releng/13.1, 13.1-RELEASE-p5)
           2022-11-29 22:57:16 UTC (stable/12, 12.4-STABLE)
           2022-11-29 23:19:09 UTC (releng/12.4, 12.4-RC2-p2)
           2022-11-29 23:16:17 UTC (releng/12.3, 12.3-RELEASE-p10)

Impact

The memory safety bugs described above can be triggered by a remote host, causing the ping program to crash. It may be possible for a malicious host to trigger remote code execution in ping.

The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur.

Mitigation and Steps

Upgrade your vulnerable system to a supported FreeBSD stable or release/security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64, i386, or (on FreeBSD 13 and later) arm64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch
# fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch.asc
# gpg --verify ping.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in the FreeBSD Handbook.

You can read the full advisory (FreeBSD-SA-22:15.ping) on the FreeBSD security site.


Written by SH
