Date:      Wed, 30 Nov 2022 08:01:47 -0500
From:      mike tancsa <mike@sentex.net>
To:        freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping
Message-ID:  <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net>
In-Reply-To: <20221130004601.043CE1C623@freefall.freebsd.org>
References:  <20221130004601.043CE1C623@freefall.freebsd.org>


How likely is this bug to be exploited?  I am guessing man-in-the-middle
makes this a little more of an issue, potentially.

     ---Mike



On 11/29/2022 7:46 PM, FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-22:15.ping                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Stack overflow in ping(8)
>
> Category:       core
> Module:         ping
> Announced:      2022-11-29
> Credits:        Tom Jones
> Affects:        All supported versions of FreeBSD.
> Corrected:      2022-11-29 22:56:33 UTC (stable/13, 13.1-STABLE)
>                 2022-11-29 23:00:43 UTC (releng/13.1, 13.1-RELEASE-p5)
>                 2022-11-29 22:57:16 UTC (stable/12, 12.4-STABLE)
>                 2022-11-29 23:19:09 UTC (releng/12.4, 12.4-RC2-p2)
>                 2022-11-29 23:16:17 UTC (releng/12.3, 12.3-RELEASE-p10)
> CVE Name:       CVE-2022-23093
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit <URL:https://security.FreeBSD.org/>.
>
> I.   Background
>
> ping(8) is a program that can be used to test reachability of a remote
> host using ICMP messages.  To send and receive ICMP messages, ping makes
> use of raw sockets and therefore requires elevated privileges.  To make
> ping's functionality available to unprivileged users, it is installed
> with the setuid bit set.  When ping runs, it creates the raw socket
> needed to do its work, and then revokes its elevated privileges.
>
> II.  Problem Description
>
> ping reads raw IP packets from the network to process responses in the
> pr_pack() function.  As part of processing a response ping has to
> reconstruct the IP header, the ICMP header and if present a "quoted
> packet," which represents the packet that generated an ICMP error.  The
> quoted packet again has an IP header and an ICMP header.
>
> The pr_pack() copies received IP and ICMP headers into stack buffers
> for further processing.  In so doing, it fails to take into account the
> possible presence of IP option headers following the IP header in
> either the response or the quoted packet.  When IP options are present,
> pr_pack() overflows the destination buffer by up to 40 bytes.
>
> III. Impact
>
> The memory safety bugs described above can be triggered by a remote
> host, causing the ping program to crash.  It may be possible for a
> malicious host to trigger remote code execution in ping.
>
> The ping process runs in a capability mode sandbox on all affected
> versions of FreeBSD and is thus very constrained in how it can interact
> with the rest of the system at the point where the bug can occur.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Upgrade your vulnerable system to a supported FreeBSD stable or
> release / security branch (releng) dated after the correction date.
>
> Perform one of the following:
>
> 1) To update your vulnerable system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the amd64, i386, or
> (on FreeBSD 13 and later) arm64 platforms can be updated via the
> freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> 2) To update your vulnerable system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch
> # fetch https://security.FreeBSD.org/patches/SA-22:15/ping.patch.asc
> # gpg --verify ping.patch.asc
>
> b) Apply the patch.  Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.
>
> VI.  Correction details
>
> This issue is corrected by the corresponding Git commit hash or Subversion
> revision number in the following stable and release branches:
>
> Branch/path                             Hash                     Revision
> -------------------------------------------------------------------------
> stable/13/                              186f495d4be1    stable/13-n253187
> releng/13.1/                            66c7b53d9516    releng/13.1-n250172
> stable/12/                                              r372774
> releng/12.4/                                            r372778
> releng/12.3/                                            r372775
> -------------------------------------------------------------------------
>
> For FreeBSD 13 and later:
>
> Run the following command to see which files were modified by a
> particular commit:
>
> # git show --stat <commit hash>
>
> Or visit the following URL, replacing NNNNNN with the hash:
>
> <URL:https://cgit.freebsd.org/src/commit/?id=NNNNNN>
>
> To determine the commit count in a working tree (for comparison against
> nNNNNNN in the table above), run:
>
> # git rev-list --count --first-parent HEAD
>
> For FreeBSD 12 and earlier:
>
> Run the following command to see which files were modified by a particular
> revision, replacing NNNNNN with the revision number:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> <URL:https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>
> VII. References
>
> <URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23093>
>
> The latest revision of this advisory is available at
> <URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-22:15.ping.asc>
>
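The header-reconstruction step the advisory describes in section II, written out as an added example (this is not FreeBSD's ping.c and not the patched code). It parses a reply the way pr_pack() has to: outer IP header, outer ICMP header, and for ICMP errors the quoted IP and ICMP headers, each of which may carry up to 40 bytes of IP options. The bounded parser copies only the fixed 20 bytes into the header struct and routes the options into their own 40-byte area; overrun_if_fixed_copy() only computes how far a fixed-size stack copy of the whole IHL*4 header would run past a 20-byte struct, so the example itself never writes out of bounds. The struct layouts are the standard RFC 791 / RFC 792 ones defined locally so the file builds without <netinet/ip.h>; all packets are constructed in build_pkt(), and the function names are this example's own.

```c
/* Added example: bounded reconstruction of IP + ICMP (+ quoted) headers.
 * Not FreeBSD's ping.c. Header structs follow RFC 791 / RFC 792 and are
 * defined here so no system headers beyond libc are needed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_MINHLEN   20
#define IP_MAXHLEN   60                         /* IHL is 4 bits: 15 * 4 */
#define IP_MAXOPTLEN (IP_MAXHLEN - IP_MINHLEN)  /* 40: the advisory's bound */
#define ICMP_MINLEN  8

struct ip_hdr {               /* fixed 20-byte part of an IPv4 header */
    uint8_t  ver_ihl, tos;
    uint16_t tot_len, id, frag_off;
    uint8_t  ttl, proto;
    uint16_t csum;
    uint32_t src, dst;
};

struct icmp_hdr {             /* 8-byte ICMP header */
    uint8_t  type, code;
    uint16_t csum;
    uint32_t rest;            /* id/seq for echo; unused/MTU for errors */
};

struct parsed_pkt {
    struct ip_hdr   ip;   uint8_t ipopts[IP_MAXOPTLEN];  size_t ipoptlen;
    struct icmp_hdr icmp;
    int             has_quoted;
    struct ip_hdr   qip;  uint8_t qipopts[IP_MAXOPTLEN]; size_t qipoptlen;
    struct icmp_hdr qicmp;
};

/* How many bytes a memcpy of the full IHL*4 header into a 20-byte struct
 * on the stack would overrun by (the pre-fix pattern). Computed, not done. */
size_t overrun_if_fixed_copy(const uint8_t *buf, size_t len)
{
    if (len < 1) return 0;
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;
    return hlen > IP_MINHLEN ? hlen - IP_MINHLEN : 0;
}

/* Copy one IP header (+options) and the ICMP header that follows it,
 * checking IHL and the buffer length first. Returns bytes consumed, 0 if malformed. */
size_t parse_ip_icmp(const uint8_t *buf, size_t len, struct ip_hdr *ip,
                     uint8_t *opts, size_t *optlen, struct icmp_hdr *icmp)
{
    if (len < IP_MINHLEN) return 0;
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;
    if (hlen < IP_MINHLEN || hlen > IP_MAXHLEN) return 0;
    if (len < hlen + ICMP_MINLEN) return 0;
    memcpy(ip, buf, IP_MINHLEN);              /* never more than sizeof *ip */
    *optlen = hlen - IP_MINHLEN;              /* 0..40 */
    memcpy(opts, buf + IP_MINHLEN, *optlen);  /* options land in their own area */
    memcpy(icmp, buf + hlen, ICMP_MINLEN);
    return hlen + ICMP_MINLEN;
}

/* Parse a reply; for ICMP errors (unreachable/time exceeded/parameter
 * problem) also parse the quoted packet, which has its own IHL. */
int parse_reply(const uint8_t *buf, size_t len, struct parsed_pkt *out)
{
    memset(out, 0, sizeof *out);
    size_t used = parse_ip_icmp(buf, len, &out->ip, out->ipopts,
                                &out->ipoptlen, &out->icmp);
    if (used == 0) return -1;
    uint8_t t = out->icmp.type;
    if (t == 3 || t == 11 || t == 12) {
        if (parse_ip_icmp(buf + used, len - used, &out->qip, out->qipopts,
                          &out->qipoptlen, &out->qicmp) == 0)
            return -1;
        out->has_quoted = 1;
    }
    return 0;
}

/* Constructed test packet: IP(ihl) + ICMP(type), optionally followed by a
 * quoted IP(qihl) + ICMP echo request. Options are NOPs; checksums/lengths
 * are left zero since they are not needed for the parsing demonstrated. */
size_t build_pkt(uint8_t *buf, size_t cap, int ihl, uint8_t icmp_type, int qihl)
{
    size_t hlen = (size_t)ihl * 4, qhlen = (size_t)qihl * 4, n;
    size_t total = hlen + ICMP_MINLEN + (qihl ? qhlen + ICMP_MINLEN : 0);
    if (cap < total) return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (ihl & 0x0f));
    if (hlen > IP_MINHLEN) memset(buf + IP_MINHLEN, 1, hlen - IP_MINHLEN);
    buf[8] = 64; buf[9] = 1;                  /* ttl, protocol = ICMP */
    n = hlen;
    buf[n] = icmp_type; n += ICMP_MINLEN;
    if (qihl) {
        buf[n] = (uint8_t)(0x40 | (qihl & 0x0f));
        if (qhlen > IP_MINHLEN) memset(buf + n + IP_MINHLEN, 1, qhlen - IP_MINHLEN);
        buf[n + 9] = 1;
        n += qhlen;
        buf[n] = 8;                           /* quoted packet was our echo request */
        n += ICMP_MINLEN;
    }
    return n;
}

int main(void)
{
    uint8_t buf[160];
    struct parsed_pkt p;
    /* Time Exceeded reply quoting a packet whose IP header carries 40 bytes of options */
    size_t n = build_pkt(buf, sizeof buf, 5, 11, 15);
    printf("fixed-size copy of the quoted header would overrun by %zu bytes\n",
           overrun_if_fixed_copy(buf + 28, n - 28));
    printf("bounded parse: %s, quoted options %zu bytes\n",
           parse_reply(buf, n, &p) == 0 ? "ok" : "rejected", p.qipoptlen);
    return 0;
}
```

The check that matters is the one on hlen: IHL is attacker-controlled in both the outer and the quoted header, so the copy length must come from the validated IHL and the destination must be sized for 60 bytes (or the options split off, as here), not for sizeof(struct ip). Truncated replies are rejected rather than read past the end of the receive buffer.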


