Project

General

Profile

Actions

Bug #13716

closed

CVE-2022-23093 / FreeBSD-SA-22:15.ping

Added by Jim Pingle almost 2 years ago. Updated almost 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
FreeBSD
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
23.01
Release Notes:
Default
Affected Version:
Affected Architecture:

Description

Ref: https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc

Not a significant concern for pfSense software:

  • It only affects the /sbin/ping binary, it does not affect dpinger (the source of most ICMP traffic from pfSense software).
  • It only affects specifically malformed packets received by the ping binary itself, not the IP stack. So ping has to have initiated the communication and be waiting for a response, it cannot happen unsolicited.
  • There are a very small number of things in pfSense which initiate a ping using the affected binary, so unless a user is manually pinging a compromised remote host from the firewall itself, there is little to no opportunity to exploit it.
  • The ping process runs in a capability mode sandbox and drops privileges needed to do most harm before the point where the crash occurs.

We have patched the src trees and any future releases we make (including new snapshots) will include a fixed binary.

Actions #1

Updated by Jim Pingle almost 2 years ago

Further clarification from FreeBSD makes it even more clear this amounts to nothing:

We've seen many blog posts and news articles about this issue and
unfortunately most of them get the details wrong. So, to clarify:

- This issue affects only /sbin/ping, not kernel ICMP handling.
- The issue relies on receipt of malicious packet(s) while the ping
  utility is running (i.e., while pinging a host).
- ping(8) is setuid root, but drops privilege (to that of the user
  executing it) after opening sockets but before sending or receiving
  data.
- ping(8) runs in a Capsicum capability sandbox, such that even in the
  event of a compromise the attacker is quite limited (has no access to
  global namespaces, such as the filesystem).
- It is believed that exploitation is not possible due to the stack
  layout on affected platforms.
Actions

Also available in: Atom PDF