Full Report
ping is a program to test network reachability of remote hosts. ping uses raw sockets to send ICMP messages and reads raw IP packets from the network to process the responses. As part of this processing, ping must reconstruct the IP header, the ICMP header and, if present, the quoted packet (the packet that generated an ICMP error). pr_pack() copies the received IP and ICMP headers into stack buffers. However, the sizes of these buffers do not account for IP option headers that may follow the IP header in the response or in the quoted packet. When IP options are present, this creates a buffer overflow of up to 40 bytes on the stack. With modern binary protections like ASLR, stack canaries, etc. in place it is unlikely that this could be exploited remotely. ping also runs in a capability mode sandbox, which drastically limits what it can do. Defense in depth for the win!
Analysis Summary
# Vulnerability: Stack Overflow in FreeBSD ping(8) due to IP Options Handling
## CVE Details
- CVE ID: CVE-2022-23093
- CVSS Score: Not explicitly provided in text, generally rated as High/Medium for DoS.
- CWE: CWE-121 (Buffer Copy without Checking Size of Input)
## Affected Systems
- Products: FreeBSD operating system (`ping(8)` utility)
- Versions: All supported versions of FreeBSD at the time of advisory (Prior to specific patch dates listed below).
- Configurations: Triggered when processing ICMP responses or error packets that contain IP options in their headers.
## Vulnerability Description
The `ping(8)` utility uses raw sockets and elevated privileges temporarily to send and receive ICMP messages. When processing network responses in the `pr_pack()` function, it copies received IP and ICMP headers into stack buffers. The vulnerability arises because the size checks for these stack buffers do not account for the potential presence of optional IP option headers immediately following the main IP header (in either the response packet or the quoted packet within an error response). When IP options are present, this leads to a stack buffer overflow of up to 40 bytes in `pr_pack()`.
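To make the header-length arithmetic behind the "up to 40 bytes" figure concrete, here is an added C example. It is not ping's `pr_pack()` code and not the FreeBSD fix; the function names, the fixed-size destination buffer and the 60-byte sample header (IHL = 15, options filled with NOP bytes) are constructions for this illustration. An IPv4 header is 20 bytes without options and at most 60 bytes with them, so a copy sized for the bare header can be overrun by 60 - 20 = 40 bytes. The hardened copy validates the IHL field against both the minimum header size and the bytes actually received before copying, and copies into a buffer sized for the maximum header; the same IHL > 5 check is what a packet-inspection rule looking for responses with IP options would key on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4_MIN_HLEN 20   /* IHL = 5 words: no options */
#define IPV4_MAX_HLEN 60   /* IHL = 15 words: 40 bytes of options */

/* Header length in bytes as encoded in the low nibble (IHL) of byte 0. */
size_t ipv4_hlen(const uint8_t *pkt) {
    return (size_t)(pkt[0] & 0x0f) * 4;
}

/* True when the header carries IP options (IHL > 5). */
bool ipv4_has_options(const uint8_t *pkt) {
    return ipv4_hlen(pkt) > IPV4_MIN_HLEN;
}

/* How many bytes an unchecked copy of the full header would write past a
   destination sized for the bare 20-byte header. 0 when no options. */
size_t ipv4_options_overrun(const uint8_t *pkt) {
    size_t h = ipv4_hlen(pkt);
    return h > IPV4_MIN_HLEN ? h - IPV4_MIN_HLEN : 0;
}

/* Hardened copy (illustrative, not ping's code): reject a non-IPv4 version
   nibble, an IHL below the minimum, or an IHL claiming more bytes than were
   received, then copy into a buffer sized for the largest legal header. */
bool ipv4_copy_header(const uint8_t *pkt, size_t pktlen,
                      uint8_t out[IPV4_MAX_HLEN], size_t *outlen) {
    if (pktlen < IPV4_MIN_HLEN) return false;      /* truncated */
    if ((pkt[0] >> 4) != 4) return false;           /* not IPv4 */
    size_t h = ipv4_hlen(pkt);
    if (h < IPV4_MIN_HLEN || h > pktlen) return false; /* bogus IHL */
    memcpy(out, pkt, h);
    *outlen = h;
    return true;
}

/* Constructed sample: a 60-byte IPv4 header (IHL = 15) whose 40 option bytes
   are all NOP (0x01). Protocol is set to ICMP (1). Not a captured packet. */
size_t build_sample_with_options(uint8_t *buf, size_t buflen) {
    if (buflen < IPV4_MAX_HLEN) return 0;
    memset(buf, 0, IPV4_MAX_HLEN);
    buf[0] = 0x4f;   /* version 4, IHL 15 */
    buf[8] = 64;     /* TTL */
    buf[9] = 1;      /* protocol: ICMP */
    memset(buf + IPV4_MIN_HLEN, 0x01, IPV4_MAX_HLEN - IPV4_MIN_HLEN);
    return IPV4_MAX_HLEN;
}

int main(void) {
    uint8_t pkt[64];
    size_t n = build_sample_with_options(pkt, sizeof pkt);
    printf("header length: %zu bytes, options: %s, overrun of a 20-byte buffer: %zu bytes\n",
           ipv4_hlen(pkt), ipv4_has_options(pkt) ? "yes" : "no",
           ipv4_options_overrun(pkt));

    uint8_t out[IPV4_MAX_HLEN];
    size_t outlen = 0;
    printf("checked copy of full packet: %s (%zu bytes)\n",
           ipv4_copy_header(pkt, n, out, &outlen) ? "ok" : "rejected", outlen);
    printf("checked copy of truncated packet: %s\n",
           ipv4_copy_header(pkt, 30, out, &outlen) ? "ok" : "rejected");
    return 0;
}
```

Running it on the sample reports a 60-byte header, an overrun of 40 bytes for a 20-byte destination, a successful checked copy when all 60 bytes are present, and a rejection when only 30 bytes were received.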
## Exploitation
- Status: Described as triggerable by a remote host, but the exploitation impact is limited by sandboxing. (Not explicitly marked as exploited in the wild; the advisory's focus on input parsing implies that a proof-of-concept (PoC) packet is straightforward to produce.)
- Complexity: Likely Medium, requires crafting malicious network ICMP responses containing IP options.
- Attack Vector: Network
## Impact
The vulnerability can cause the `ping` program to crash (Denial of Service).
- Confidentiality: Low (Crashing the ping utility)
- Integrity: Low (Crashing the utility)
- Availability: Medium (Denial of Service for the `ping` utility)
*Note: The advisory states that the ping process runs in a capability mode sandbox, which significantly constrains the impact beyond simply crashing the program.*
## Remediation
### Patches
Systems must be upgraded to supported branches dated after the correction date (2022-11-29 onwards).
- **Binary Patch (for RELEASE versions):** Use the `freebsd-update` utility:

```bash
# freebsd-update fetch
# freebsd-update install
```
- **Source Code Patch:** Apply the provided patch `/patches/SA-22:15/ping.patch` to the `/usr/src` tree, then rebuild and install from source by running `buildworld` and `installworld`.
### Workarounds
- No workaround is available according to the advisory.
## Detection
- Detection generally focuses on monitoring for crashes or abnormal termination of the `ping(8)` process, especially while it is processing ICMP traffic from external hosts.
- Tools capable of deep packet inspection on ingress traffic could flag ICMP responses whose IP header (or quoted packet header) carries IP options, since that is the condition that triggers the overflow; this is a specialized check and IP options are rare in normal traffic.
## References
- Vendor Advisories: FreeBSD Security Advisory **FreeBSD-SA-22:15.ping**
- Relevant links:
- The advisory text itself contains references to Git commits/Subversion revisions for verification.