todb (3)

Here’s the original FreeBSD vulnerability notification, and at first glance, it seems like kind of a big deal: stack-based buffer overflow of up to 40 bytes in the standard FreeBSD implementation of ping.

However, a little digging shows that actually exploiting this is severely limited by virtue of FreeBSD’s capability management system; indeed, although it’s a buffer overflow in a setuid binary, that binary doesn’t get to do much other than read and write network packets, so it’s unclear what an exploit would actually accomplish.

I ran a little poll on the infosec.exchange instance on Mastodon, asking around what people thought of this. I’m not particularly famous on Mastodon, so only 84 respondents, though they’re all nominally infosec professionals. A whopping 61% said they didn’t know what the impact could be, 33% said it wasn’t a big deal (presumably because of this capability sandbox), and only 6% considered it something worrisome/interesting.

Incidentally, I rated this as “difficult to patch” considering that FreeBSD, and ping in particular, is likely running on millions of embedded devices. So while a normal old FreeBSD server or workstation is comparatively easy to patch, these IoT doo-dads that are certainly running it, and that sometimes shell out to ping, are going to be mysterious. Also, since it’s a client-initiated attack, you can’t simply scan for it in the usual vuln-management sort of way.