The maintainers of the FreeBSD operating system released updates to address a critical flaw, tracked as CVE-2022-23093, in the ping module that could be potentially exploited to gain remote code execution.
The ping utility allows testing the reachability of a remote host using ICMP messages, it requires elevated privileges to use raw sockets. It is available to unprivileged users with the installation of a setuid bit set. This means that when ping runs, it creates the raw socket, and then revokes its elevated privileges.
“ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a “quoted packet,” which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.” reads the advisory for this issue. “The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.”
A remote attacker can trigger the vulnerability, causing the ping program to crash and potentially leading to remote code execution in ping.
“The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrainted in how it can interact with the rest of the system at the point where the bug can occur.” continues the advisory.
Researchers are recommended to upgrade vulnerable systems to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.
The maintainers of the FreeBSD operating system pointed out that there is no workaround is available.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, CVE-2022-23093)
[adrotate banner=”5″]
[adrotate banner=”13″]