CVE-2022-23093
Description
ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a “quoted packet,” which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.
pr_pack() copies the received IP and ICMP headers into fixed-size stack buffers for further processing, but it does not account for IP option headers that may follow the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.
This memory safety bug can be triggered by a remote host, causing the ping program to crash.
The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur.
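As an added illustration (not code from FreeBSD's ping or from the advisory above), the following C shows the header-length handling the description calls for: the IP header length is taken from the IHL field rather than assumed to be 20 bytes, the ICMP header is located after any options, the quoted packet inside an ICMP error message gets the same check, and the destination buffers are sized for the largest legal header (60 bytes) rather than the minimum. The struct layout, function names and the constructed sample packet are all assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IP_HDR_MIN   20   /* IPv4 header with no options */
#define IP_HDR_MAX   60   /* IHL is a 4-bit count of 32-bit words: 15 * 4 */
#define ICMP_HDR_LEN 8

enum parse_status { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_IHL = -2 };

/* Destination buffers sized for the largest legal header, not the minimum. */
struct icmp_reply {
    uint8_t ip_hdr[IP_HDR_MAX];        /* outer IP header including options */
    size_t  ip_hdr_len;
    uint8_t icmp_hdr[ICMP_HDR_LEN];
    uint8_t quoted_ip_hdr[IP_HDR_MAX]; /* IP header of the quoted packet, if any */
    size_t  quoted_ip_hdr_len;         /* 0 when the ICMP type carries no quote */
};

/* Read IHL and validate it against the legal range and the bytes actually
 * received before anything is copied. */
static int checked_ip_hdr_len(const uint8_t *p, size_t avail, size_t *hlen)
{
    if (avail < IP_HDR_MIN)
        return PARSE_TRUNCATED;
    size_t ihl = (size_t)(p[0] & 0x0f) * 4;
    if (ihl < IP_HDR_MIN || ihl > IP_HDR_MAX)
        return PARSE_BAD_IHL;          /* fewer than 5 words is malformed */
    if (avail < ihl)
        return PARSE_TRUNCATED;        /* options claimed but not present */
    *hlen = ihl;
    return PARSE_OK;
}

/* Parse one raw IPv4 datagram carrying an ICMP message. The ICMP header sits
 * at offset IHL*4, and the quoted packet inside an ICMP error is checked the
 * same way as the outer header. */
int parse_icmp_reply(const uint8_t *pkt, size_t pkt_len, struct icmp_reply *out)
{
    size_t ihl, qlen;
    int rc = checked_ip_hdr_len(pkt, pkt_len, &ihl);
    if (rc != PARSE_OK)
        return rc;
    if (pkt_len < ihl + ICMP_HDR_LEN)
        return PARSE_TRUNCATED;

    memcpy(out->ip_hdr, pkt, ihl);     /* ihl <= sizeof out->ip_hdr by the check above */
    out->ip_hdr_len = ihl;
    memcpy(out->icmp_hdr, pkt + ihl, ICMP_HDR_LEN);
    out->quoted_ip_hdr_len = 0;

    uint8_t type = out->icmp_hdr[0];
    /* Destination Unreachable, Source Quench, Redirect, Time Exceeded and
     * Parameter Problem quote the offending packet after the ICMP header. */
    if (type == 3 || type == 4 || type == 5 || type == 11 || type == 12) {
        const uint8_t *q = pkt + ihl + ICMP_HDR_LEN;
        rc = checked_ip_hdr_len(q, pkt_len - ihl - ICMP_HDR_LEN, &qlen);
        if (rc != PARSE_OK)
            return rc;
        memcpy(out->quoted_ip_hdr, q, qlen);
        out->quoted_ip_hdr_len = qlen;
    }
    return PARSE_OK;
}

/* Constructed sample (not a real capture): an ICMP Time Exceeded reply whose
 * outer header carries opt_len bytes of NOP options and whose quoted packet
 * carries qopt_len bytes. Both must be multiples of 4 and at most 40. */
size_t build_sample(uint8_t *buf, size_t buf_len, size_t opt_len, size_t qopt_len)
{
    size_t outer = IP_HDR_MIN + opt_len, inner = IP_HDR_MIN + qopt_len;
    size_t total = outer + ICMP_HDR_LEN + inner + 8; /* 8 bytes of quoted ICMP */
    if (opt_len > 40 || qopt_len > 40 || buf_len < total)
        return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (outer / 4));  /* version 4, IHL in 32-bit words */
    memset(buf + IP_HDR_MIN, 0x01, opt_len); /* 0x01 = IP "No Operation" option */
    buf[outer] = 11;                         /* ICMP type 11: Time Exceeded */
    uint8_t *q = buf + outer + ICMP_HDR_LEN;
    q[0] = (uint8_t)(0x40 | (inner / 4));
    memset(q + IP_HDR_MIN, 0x01, qopt_len);
    q[inner] = 8;                            /* quoted ICMP Echo Request */
    return total;
}

static int run_sample(size_t opt_len, size_t qopt_len, struct icmp_reply *r)
{
    uint8_t pkt[160];
    size_t n = build_sample(pkt, sizeof pkt, opt_len, qopt_len);
    return parse_icmp_reply(pkt, n, r);
}

/* Parsed outer / quoted header length, or the negative parse status. */
int demo_outer_hdr_len(size_t opt_len, size_t qopt_len)
{
    struct icmp_reply r;
    int rc = run_sample(opt_len, qopt_len, &r);
    return rc != PARSE_OK ? rc : (int)r.ip_hdr_len;
}

int demo_quoted_hdr_len(size_t opt_len, size_t qopt_len)
{
    struct icmp_reply r;
    int rc = run_sample(opt_len, qopt_len, &r);
    return rc != PARSE_OK ? rc : (int)r.quoted_ip_hdr_len;
}

/* A header claiming 40 bytes of options that arrives cut short at 50 bytes. */
int demo_truncated(void)
{
    uint8_t pkt[160];
    struct icmp_reply r;
    build_sample(pkt, sizeof pkt, 40, 0);
    return parse_icmp_reply(pkt, 50, &r);
}
```

The point of the design is that every copy length is derived from a validated IHL and bounded by the buffer declaration, so a 60-byte header with the maximum 40 bytes of options lands entirely inside `ip_hdr`, and a packet whose IHL promises more bytes than were received is rejected rather than read past its end.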
Ratings
- Attacker Value: Medium
- Exploitability: Very Low
Technical Analysis
Here’s the original FreeBSD vulnerability notification, and at first glance, it seems like kind of a big deal: stack-based buffer overflow of up to 40 bytes in the standard FreeBSD implementation of ping.
However, a little digging shows that actually exploiting this is severely limited by virtue of FreeBSD’s capability management system; indeed, although it’s a buffer overflow in a setuid binary, that binary doesn’t get to do much other than read and write network packets, so it’s unclear what an exploit would actually accomplish.
I ran a little poll on the infosec.exchange instance on Mastodon, asking around what people thought of this. I’m not particularly famous on Mastodon, so only 84 respondents, though they’re all nominally infosec professionals. A whopping 61% said they didn’t know what the impact could be, 33% said it wasn’t a big deal (presumably because of this capability sandbox), and only 6% considered it something worrisome/interesting.
Incidentally, I rated this as “difficult to patch” considering that FreeBSD, and ping in particular, is likely running on millions of embedded devices. So while a normal old FreeBSD server or workstation is comparatively easy to patch, these IoT doo-dads that are certainly running it, and that sometimes shell out to ping, are going to be mysterious. Also, since it’s a client-initiated attack, you can’t simply scan for it in the usual vuln-management sort of way.
General Information
Vendors
- FreeBSD
Products
- FreeBSD