Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping

From: mike tancsa <mike_at_sentex.net>
Date: Wed, 30 Nov 2022 13:01:47 UTC
How likely is this bug exploited?  I am guessing Man-in-the-middle 
makes this a little more of an issue potentially

     ---Mike



On 11/29/2022 7:46 PM, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-22:15.ping                                        Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Stack overflow in ping(8)
>
> Category:       core
> Module:         ping
> Announced:      2022-11-29
> Credits:        Tom Jones
> Affects:        All supported versions of FreeBSD.
> Corrected:      2022-11-29 22:56:33 UTC (stable/13, 13.1-STABLE)
>                 2022-11-29 23:00:43 UTC (releng/13.1, 13.1-RELEASE-p5)
>                 2022-11-29 22:57:16 UTC (stable/12, 12.4-STABLE)
>                 2022-11-29 23:19:09 UTC (releng/12.4, 12.4-RC2-p2)
>                 2022-11-29 23:16:17 UTC (releng/12.3, 12.3-RELEASE-p10)
> CVE Name:       CVE-2022-23093
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I.   Background
>
> ping(8) is a program that can be used to test reachability of a remote
> host using ICMP messages.  To send and receive ICMP messages, ping makes
> use of raw sockets and therefore requires elevated privileges.  To make
> ping's functionality available to unprivileged users, it is installed
> with the setuid bit set.  When ping runs, it creates the raw socket
> needed to do its work, and then revokes its elevated privileges.
>
> II.  Problem Description
>
> ping reads raw IP packets from the network to process responses in the
> pr_pack() function.  As part of processing a response ping has to
> reconstruct the IP header, the ICMP header and if present a "quoted
> packet," which represents the packet that generated an ICMP error.  The
> quoted packet again has an IP header and an ICMP header.
>
> The pr_pack() copies received IP and ICMP headers into stack buffers
> for further processing.  In so doing, it fails to take into account the
> possible presence of IP option headers following the IP header in
> either the response or the quoted packet.  When IP options are present,
> pr_pack() overflows the destination buffer by up to 40 bytes.
>
> III. Impact
>
> The memory safety bugs described above can be triggered by a remote
> host, causing the ping program to crash.  It may be possible for a
> malicious host to trigger remote code execution in ping.
>
> The ping process runs in a capability mode sandbox on all affected
> versions of FreeBSD and is thus very constrained in how it can interact
> with the rest of the system at the point where the bug can occur.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> Perform one of the following:
>
> 1) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the amd64, i386, or
> (on FreeBSD 13 and later) arm64 platforms can be updated via the
> freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch
> # fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch.asc
> # gpg --verify ping.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
>
> VI.  Correction details
>
> This issue is corrected by the corresponding Git commit hash or Subversion
> revision number in the following stable and release branches:
>
> Branch/path                             Hash                     Revision
> -------------------------------------------------------------------------
> stable/13/                              186f495d4be1    stable/13-n253187
> releng/13.1/                            66c7b53d9516    releng/13.1-n250172
> stable/12/                                              r372774
> releng/12.4/                                            r372778
> releng/12.3/                                            r372775
> -------------------------------------------------------------------------
>
> For FreeBSD 13 and later:
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat <commit hash>
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> For FreeBSD 12 and earlier:
>
> Run the following command to see which files were modified by a particular
> revision, replacing NNNNNN with the revision number:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>
> VII. References
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23093>
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:15.ping.asc>
>
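To make the problem description concrete, here is an added example of the option-aware bounds check that section II calls for: it is not ping's pr_pack() and not the FreeBSD patch. The sizes, the struct, the short list of ICMP error types that carry a quoted packet, and the 60-byte sample packet are all assumptions constructed for the example; each IP header's length is taken from its own IHL nibble and checked against both the fixed destination buffer and the bytes actually received before anything is copied.

```c
#include <stdint.h>
#include <string.h>

/* Assumed sizes: an IPv4 header is 20..60 bytes (IHL nibble * 4), so options add
   at most 40 bytes; the ICMP header is 8 bytes. */
#define IP_HDR_MIN   20
#define IP_HDR_MAX   60
#define ICMP_HDR_LEN 8

struct parsed_reply {   /* destination buffers sized for a full 60-byte header */
    uint8_t ip[IP_HDR_MAX], icmp[ICMP_HDR_LEN], quoted_ip[IP_HDR_MAX];
    size_t  ip_len, quoted_ip_len;
    int     has_quoted;
};

/* Header length from the IHL nibble; 0 if not IPv4, IHL < 5, or the header is
   longer than the bytes actually received (p[0] is only read when avail >= 20). */
static size_t ip_hdr_len(const uint8_t *p, size_t avail) {
    size_t hl = (avail >= IP_HDR_MIN && (p[0] >> 4) == 4) ? (size_t)(p[0] & 0x0f) * 4 : 0;
    return (hl >= IP_HDR_MIN && hl <= avail) ? hl : 0;
}

/* Copy the outer IP header, the ICMP header and, for error replies, the quoted
   IP header, using each header's own IHL. Returns 1 on success, 0 if malformed. */
int parse_icmp_reply(const uint8_t *pkt, size_t len, struct parsed_reply *r) {
    size_t off, hl;
    memset(r, 0, sizeof *r);
    if ((hl = ip_hdr_len(pkt, len)) == 0) return 0;
    memcpy(r->ip, pkt, hl);                        /* hl <= IP_HDR_MAX by construction */
    r->ip_len = off = hl;
    if (len - off < ICMP_HDR_LEN) return 0;
    memcpy(r->icmp, pkt + off, ICMP_HDR_LEN);
    off += ICMP_HDR_LEN;
    /* Simplification: only types 3, 11 and 12 are treated as quoting a packet. */
    if (r->icmp[0] != 3 && r->icmp[0] != 11 && r->icmp[0] != 12) return 1;
    if ((hl = ip_hdr_len(pkt + off, len - off)) == 0) return 0;
    memcpy(r->quoted_ip, pkt + off, hl);           /* again bounded by the options max */
    r->quoted_ip_len = hl; r->has_quoted = 1;
    return 1;
}

/* Constructed sample, not a capture: outer header IHL=6 (4 option bytes), ICMP
   type 3 code 1, then a quoted header with IHL=7 (8 option bytes). 60 bytes total. */
const uint8_t sample_reply[] = {
    0x46,0,0,0x3c, 0,0,0,0, 0x40,1,0,0, 10,0,0,1, 10,0,0,2, 1,1,1,0,             /* outer  */
    3,1,0,0, 0,0,0,0,                                                            /* ICMP   */
    0x47,0,0,0x30, 0,0,0,0, 0x40,1,0,0, 10,0,0,2, 10,0,0,1, 1,1,1,1, 1,1,1,0 };  /* quoted */

/* Quoted header length parsed from the sample (28 with the full 60 bytes); -1
   if parsing is refused, e.g. when len is shortened to simulate truncation. */
int demo_quoted_len(size_t len) {
    struct parsed_reply r;
    if (!parse_icmp_reply(sample_reply, len, &r)) return -1;
    return r.has_quoted ? (int)r.quoted_ip_len : 0;
}
```

Shortening len below 60 shows the failure mode the advisory describes: with 59 bytes the quoted header's IHL promises 28 bytes but only 27 remain, so the parser refuses rather than copying past the end.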