Critical Ping bug potentially allows remote hack of FreeBSD systems

A critical stack-based buffer overflow bug, tracked as CVE-2022-23093, in the ping service can allow to take over FreeBSD systems.

The maintainers of the FreeBSD operating system released updates to address a critical flaw, tracked as CVE-2022-23093, in the ping module that could be potentially exploited to gain remote code execution.

The ping utility allows testing the reachability of a remote host using ICMP messages, it requires elevated privileges to use raw sockets. It is available to unprivileged users with the installation of a setuid bit set. This means that when ping runs, it creates the raw socket, and then revokes its elevated privileges.

“ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a “quoted packet,” which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.” reads the advisory for this issue. “The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.”

A remote attacker can trigger the vulnerability, causing the ping program to crash and potentially leading to remote code execution in ping.

“The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrainted in how it can interact with the rest of the system at the point where the bug can occur.” continues the advisory.

Researchers are recommended to upgrade vulnerable systems to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

The maintainers of the FreeBSD operating system pointed out that there is no workaround is available.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2022-23093)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.