Attacker Value: Moderate (1 user assessed)
Exploitability: Very Low (1 user assessed)
User Interaction: Unknown
Privileges Required: Unknown
Attack Vector: Unknown

CVE-2022-23093

Disclosure Date: February 15, 2024
Initial Access
Validation
Validated

Description

ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response, ping has to reconstruct the IP header, the ICMP header and, if present, a “quoted packet,” which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header.

pr_pack() copies the received IP and ICMP headers into fixed-size stack buffers for further processing. In doing so, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes (the maximum length of the IP options field).

The memory safety bugs described above can be triggered by a remote host, causing the ping program to crash.

The ping process runs in a capability mode sandbox on all affected versions of FreeBSD and is thus very constrained in how it can interact with the rest of the system at the point where the bug can occur.
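The following is an added, constructed C model of the bug class described above; it is not FreeBSD's ping or its pr_pack(), and every name in it (parse_ipv4, parse_ping_reply, build_sample_reply, check_sample) is hypothetical. It shows why copying "the IP header" as IHL*4 bytes into a 20-byte stack buffer overruns by up to 40 bytes when IP options are present, and a bounded parser that handles both the outer header and the quoted header inside an ICMP error. The sample packet is constructed inline, so the code runs offline.

```c
/*
 * Constructed model of the CVE-2022-23093 bug class (added illustration, not
 * FreeBSD code). An IPv4 header with IHL > 5 carries up to 40 option bytes; a
 * fixed 20-byte stack copy of the header overruns unless those are accounted for.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HDR_LEN 20                                    /* IHL = 5  */
#define IPV4_MAX_HDR_LEN 60                                    /* IHL = 15 */
#define IPV4_MAX_OPT_LEN (IPV4_MAX_HDR_LEN - IPV4_MIN_HDR_LEN) /* 40 bytes */
#define ICMP_HDR_LEN 8
#define ICMP_DEST_UNREACH 3
#define ICMP_TIME_EXCEEDED 11

/* Fixed 20-byte header plus a separately bounded buffer for the options. */
struct parsed_ip {
    uint8_t hdr[IPV4_MIN_HDR_LEN];
    uint8_t opts[IPV4_MAX_OPT_LEN];
    size_t  opt_len;
};

struct icmp_hdr { uint8_t type, code; uint16_t csum; uint32_t rest; };

static size_t ipv4_hdr_len(const uint8_t *pkt) { return (size_t)(pkt[0] & 0x0f) * 4; }

/* The vulnerable pattern, modelled only: memcpy(stackbuf[20], pkt, IHL*4).
 * Returns how many bytes past a 20-byte buffer that copy would write; no copy is done. */
size_t naive_copy_overrun(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 1) return 0;
    size_t hlen = ipv4_hdr_len(pkt);
    return hlen > IPV4_MIN_HDR_LEN ? hlen - IPV4_MIN_HDR_LEN : 0;
}

/* Hardened parse: validates version, IHL and available bytes before any copy.
 * Returns the header length consumed, or 0 if the header is malformed. */
size_t parse_ipv4(const uint8_t *pkt, size_t pkt_len, struct parsed_ip *out)
{
    if (pkt_len < IPV4_MIN_HDR_LEN || (pkt[0] >> 4) != 4) return 0;
    size_t hlen = ipv4_hdr_len(pkt);
    if (hlen < IPV4_MIN_HDR_LEN || hlen > IPV4_MAX_HDR_LEN || hlen > pkt_len) return 0;
    memcpy(out->hdr, pkt, IPV4_MIN_HDR_LEN);
    out->opt_len = hlen - IPV4_MIN_HDR_LEN;              /* 0..40, always fits opts[] */
    memcpy(out->opts, pkt + IPV4_MIN_HDR_LEN, out->opt_len);
    return hlen;
}

/* Parses outer IP + ICMP; for ICMP errors also the quoted inner IP header, which may
 * itself carry options. Returns 2 (IP, ICMP), 3 (plus quoted IP) or 0 if malformed. */
int parse_ping_reply(const uint8_t *pkt, size_t pkt_len, struct parsed_ip *outer,
                     struct icmp_hdr *icmp, struct parsed_ip *quoted)
{
    size_t off = parse_ipv4(pkt, pkt_len, outer);
    if (off == 0 || pkt_len - off < ICMP_HDR_LEN) return 0;
    memcpy(icmp, pkt + off, ICMP_HDR_LEN);
    off += ICMP_HDR_LEN;
    if (icmp->type != ICMP_TIME_EXCEEDED && icmp->type != ICMP_DEST_UNREACH) return 2;
    return parse_ipv4(pkt + off, pkt_len - off, quoted) ? 3 : 0;
}

/* Constructed sample: IPv4 (outer_opts option bytes, NOP 0x01) + ICMP Time Exceeded +
 * quoted IPv4 (inner_opts option bytes) + 8 bytes of quoted ICMP echo header.
 * Returns the total length, or 0 if the request does not fit. */
size_t build_sample_reply(uint8_t *buf, size_t cap, size_t outer_opts, size_t inner_opts)
{
    size_t total = IPV4_MIN_HDR_LEN + outer_opts + ICMP_HDR_LEN + IPV4_MIN_HDR_LEN + inner_opts + 8;
    if (outer_opts > IPV4_MAX_OPT_LEN || inner_opts > IPV4_MAX_OPT_LEN || total > cap) return 0;
    memset(buf, 0, total);
    size_t off = 0;
    buf[off] = 0x40 | (uint8_t)((IPV4_MIN_HDR_LEN + outer_opts) / 4); /* version 4, IHL */
    buf[off + 9] = 1;                                                  /* protocol ICMP */
    memset(buf + off + IPV4_MIN_HDR_LEN, 0x01, outer_opts);
    off += IPV4_MIN_HDR_LEN + outer_opts;
    buf[off] = ICMP_TIME_EXCEEDED;
    off += ICMP_HDR_LEN;
    buf[off] = 0x40 | (uint8_t)((IPV4_MIN_HDR_LEN + inner_opts) / 4);
    buf[off + 9] = 1;
    memset(buf + off + IPV4_MIN_HDR_LEN, 0x01, inner_opts);
    off += IPV4_MIN_HDR_LEN + inner_opts;
    buf[off] = 8;                                                      /* quoted echo request */
    return total;
}

/* Builds a sample, drops drop_tail bytes from its end, and returns the naive overrun in
 * bytes when the hardened parser accepts all three headers, or -1 when it rejects. */
int check_sample(size_t outer_opts, size_t inner_opts, size_t drop_tail)
{
    uint8_t buf[256];
    struct parsed_ip outer, quoted;
    struct icmp_hdr icmp;
    size_t n = build_sample_reply(buf, sizeof buf, outer_opts, inner_opts);
    if (n == 0 || drop_tail > n) return -1;
    n -= drop_tail;
    if (parse_ping_reply(buf, n, &outer, &icmp, &quoted) != 3) return -1;
    return (int)naive_copy_overrun(buf, n);
}

int main(void)
{
    printf("no options: naive copy overruns by %d bytes\n", check_sample(0, 0, 0));
    printf("IHL=15 outer and quoted: naive copy overruns by %d bytes\n", check_sample(40, 40, 0));
    printf("quoted header truncated: %d (hardened parser rejects)\n", check_sample(40, 40, 40));
    return 0;
}
```

The design point is that the header length a reply declares (IHL) is attacker-controlled input, so the copy into the fixed header buffer must be bounded by the buffer's own size and the options kept in a buffer sized for the 40-byte maximum; the same check has to be repeated for the quoted packet, which is the second place the description says options were not accounted for.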

Technical Analysis

Here’s the original FreeBSD vulnerability notification, and at first glance, it seems like kind of a big deal: stack-based buffer overflow of up to 40 bytes in the standard FreeBSD implementation of ping.

However, a little digging shows that actually exploiting this is severely limited by virtue of FreeBSD’s capability management system; indeed, although it’s a buffer overflow in a setuid binary, that binary doesn’t get to do much other than read and write network packets, so it’s unclear what an exploit would actually accomplish.

I ran a little poll on the infosec.exchange instance on Mastodon, asking around what people thought of this. I’m not particularly famous on Mastodon, so there were only 84 respondents, though they’re all nominally infosec professionals. A whopping 61% said they didn’t know what the impact could be, 33% said it wasn’t a big deal (presumably because of this capability sandbox), and only 6% considered it something worrisome/interesting.

Incidentally, I rated this as “difficult to patch” considering that FreeBSD, and ping in particular, is likely running on millions of embedded devices. So while a normal old FreeBSD server or workstation is comparatively easy to patch, these IoT doo-dads that are certainly running it, and that sometimes shell out to ping, are going to be mysterious. Also, since it’s a client-initiated attack, you can’t simply scan for it in the usual vuln-management sort of way.

CVSS V3 Severity and Metrics
Base Score: None
Impact Score: Unknown
Exploitability Score: Unknown
Vector: Unknown
Attack Vector (AV): Unknown
Attack Complexity (AC): Unknown
Privileges Required (PR): Unknown
User Interaction (UI): Unknown
Scope (S): Unknown
Confidentiality (C): Unknown
Integrity (I): Unknown
Availability (A): Unknown

General Information

Vendors

  • FreeBSD

Products

  • FreeBSD
