
FreeBSD Patches RCE Flaw in Ping

All supported versions of FreeBSD are vulnerable to a potential code execution bug in the ping utility that an attacker can trigger remotely.

The vulnerability is a stack buffer overflow, and the maintainers of FreeBSD have released updates for all of the affected versions that resolve the issue. Ping is a utility present on most systems that is used to determine whether a given host is reachable. It relies on ICMP: it sends ICMP packets to a given remote host and listens for a reply to see whether that host is reachable on the network.

The vulnerability (CVE-2022-23093) is a result of the way that ping handles IP option headers when it reconstructs the headers of a received packet.

“Ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a "quoted packet," which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header,” the FreeBSD advisory says.

“The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.”
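The defect the advisory describes is a length-accounting bug: the IPv4 header is 20 bytes only when the IHL field is 5, and up to 40 bytes of options can follow it. The example below is added here to illustrate that arithmetic and the corresponding bounds check; it is not FreeBSD's pr_pack() code. It assumes standard IPv4 and ICMP layout, builds its own constructed sample replies (no captured traffic), computes how far a copy into a fixed 20-byte buffer would run past its end, and then parses the same packets safely with a destination sized for the largest legal header, applying the identical check to the quoted packet inside an ICMP error.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IPv4/ICMP sizes from the RFCs (assumed here, not taken from the advisory). */
#define IP_MIN_HLEN    20                          /* header with no options      */
#define IP_MAX_HLEN    60                          /* IHL is 4 bits: 15 words * 4 */
#define IP_MAX_OPTLEN  (IP_MAX_HLEN - IP_MIN_HLEN) /* 40 bytes, the advisory's figure */
#define ICMP_MIN_HLEN  8

/* Parsed view of one reply. ip_hdr is sized for the largest legal header,
 * so copying hlen bytes into it can never overrun. */
struct echo_reply {
    uint8_t ip_hdr[IP_MAX_HLEN];
    size_t  ip_hlen;
    uint8_t icmp_hdr[ICMP_MIN_HLEN];
    size_t  payload_off;   /* where ICMP data (or a quoted packet) starts */
};

/* Header length from the IHL nibble, validated against the bytes actually
 * received. Returns 0 when the header is malformed or truncated. */
static size_t ip_header_len(const uint8_t *pkt, size_t len)
{
    if (len < IP_MIN_HLEN || (pkt[0] >> 4) != 4)
        return 0;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < IP_MIN_HLEN || hlen > len)
        return 0;
    return hlen;
}

/* The unsafe pattern, expressed as arithmetic only: a 20-byte stack buffer
 * receiving a copy of the whole header would be overrun by this many bytes.
 * No copy is performed. Returns -1 for a packet the parser would reject. */
static int fixed_buffer_overflow_bytes(const uint8_t *pkt, size_t len)
{
    size_t hlen = ip_header_len(pkt, len);
    return hlen ? (int)(hlen - IP_MIN_HLEN) : -1;   /* 0 .. IP_MAX_OPTLEN */
}

/* Hardened parse: validate lengths before every copy. */
static int parse_echo_reply(const uint8_t *pkt, size_t len, struct echo_reply *out)
{
    size_t hlen = ip_header_len(pkt, len);
    if (hlen == 0 || len < hlen + ICMP_MIN_HLEN)
        return -1;                               /* reject, never read past end */
    memcpy(out->ip_hdr, pkt, hlen);              /* hlen <= IP_MAX_HLEN guaranteed */
    out->ip_hlen = hlen;
    memcpy(out->icmp_hdr, pkt + hlen, ICMP_MIN_HLEN);
    out->payload_off = hlen + ICMP_MIN_HLEN;
    return 0;
}

/* ICMP errors quote the packet that caused them right after the ICMP header.
 * That inner IP header may carry options too, so it gets the same check.
 * Returns the inner header length, or -1 if absent or malformed. */
static int quoted_ip_header_len(const struct echo_reply *r, const uint8_t *pkt, size_t len)
{
    if (len <= r->payload_off)
        return -1;
    size_t inner = ip_header_len(pkt + r->payload_off, len - r->payload_off);
    return inner ? (int)inner : -1;
}

/* Constructed samples (not real traffic). Unlisted bytes are zero.
 * 0: 20-byte header + ICMP echo reply.
 * 1: 60-byte header (IHL=15, 40 bytes of options) + ICMP echo reply.
 * 2: IHL claims 60 bytes but only 30 arrived: must be rejected.
 * 3: plain header + ICMP type 3 error quoting a packet whose header has IHL=15. */
static const uint8_t S_PLAIN[IP_MIN_HLEN + ICMP_MIN_HLEN] = { 0x45 };
static const uint8_t S_OPTS[IP_MAX_HLEN + ICMP_MIN_HLEN]  = { 0x4f };
static const uint8_t S_TRUNC[30]                          = { 0x4f };
static const uint8_t S_QUOTED[IP_MIN_HLEN + ICMP_MIN_HLEN + IP_MAX_HLEN + ICMP_MIN_HLEN] =
    { 0x45, [IP_MIN_HLEN] = 3, [IP_MIN_HLEN + ICMP_MIN_HLEN] = 0x4f };

static int sample(int which, const uint8_t **p, size_t *n)
{
    switch (which) {
    case 0: *p = S_PLAIN;  *n = sizeof S_PLAIN;  return 0;
    case 1: *p = S_OPTS;   *n = sizeof S_OPTS;   return 0;
    case 2: *p = S_TRUNC;  *n = sizeof S_TRUNC;  return 0;
    case 3: *p = S_QUOTED; *n = sizeof S_QUOTED; return 0;
    default: return -1;
    }
}

/* Outer header length after a safe parse, or -1 when rejected. */
int sample_outer_hlen(int which)
{
    const uint8_t *p; size_t n; struct echo_reply r;
    if (sample(which, &p, &n) < 0 || parse_echo_reply(p, n, &r) < 0) return -1;
    return (int)r.ip_hlen;
}

/* Bytes a fixed 20-byte buffer would be overrun by, or -1 when rejected. */
int sample_overflow_bytes(int which)
{
    const uint8_t *p; size_t n;
    return sample(which, &p, &n) < 0 ? -1 : fixed_buffer_overflow_bytes(p, n);
}

/* Quoted (inner) header length, or -1 when there is none. */
int sample_quoted_hlen(int which)
{
    const uint8_t *p; size_t n; struct echo_reply r;
    if (sample(which, &p, &n) < 0 || parse_echo_reply(p, n, &r) < 0) return -1;
    return quoted_ip_header_len(&r, p, n);
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("sample %d: outer=%d overrun_of_20_byte_buffer=%d quoted=%d\n",
               i, sample_outer_hlen(i), sample_overflow_bytes(i), sample_quoted_hlen(i));
    return 0;
}
```

The two fixes shown are the ones that matter for this class of bug: derive the header length from IHL and check it against the bytes received before copying, and size the destination for the 60-byte maximum rather than the 20-byte minimum. Sample 1 yields the 40-byte overrun figure quoted in the advisory; sample 2 shows why the length must also be checked against the received size, since a claimed IHL of 15 on a short packet would otherwise read past the end.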

The most likely result of an attacker triggering this vulnerability is that the ping process would crash, but it may also be possible for an attacker to gain remote code execution. There are no known workarounds for the issue, so the best course of action is to upgrade to the latest, fixed release of FreeBSD. The fixed releases are 13.1 and 12.4.