Date:      Wed, 30 Nov 2022 17:03:10 -0500
From:      mike tancsa <mike@sentex.net>
To:        Dev Null <devnull@apt322.org>, freebsd-security@freebsd.org
Subject:   Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping
Message-ID:  <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net>
In-Reply-To: <e9a7b2ca-a4a4-5b99-f915-0db46b60d1e8@apt322.org>
References:  <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net> <e9a7b2ca-a4a4-5b99-f915-0db46b60d1e8@apt322.org>

On 11/30/2022 4:58 PM, Dev Null wrote:
>
> Easy to exploit in a test environment, but difficult to exploit 
> in the wild, since the flaw can only be exploited in the ICMP reply, 
> so the vulnerable machine NEEDS to make an ICMP request first.
>
> The attacker in this case sends a short reader in the ICMP reply.
>
Let's say you know that some device regularly pings, say 8.8.8.8, as part 
of some connectivity check. If there is no stateful firewall, can the 
attacker not just forge the reply on the chance their attack packet 
could get there first?  Or if it's the case of "evil ISP" in the middle, 
it becomes even easier. At that point, how easy is it to actually do 
some sort of remote code execution? The SA implies there are mitigating 
techniques in the OS and in the app.  I guess it's that last part I am 
mostly unclear on: how difficult is the RCE if the first 
requirement is taken as a given?

     ---Mike
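The stateful-firewall point in the exchange above, as an added example that is not part of the thread: a stateful filter only lets an echo reply in when it matches an outbound echo request it has seen (same peer, ICMP identifier and sequence number), so a forged reply that races the real one, or arrives when nothing was sent, is dropped before ping ever parses it. The code below is a hypothetical Python model of that state table, with a small ICMP builder/parser so it runs offline; the packets, the 8.8.8.8 peer and the identifier/sequence values are constructed test input, and the checksum is the standard RFC 1071 ones'-complement sum.

```python
import struct

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"  # pad odd-length data to a 16-bit boundary
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, ident: int, seq: int, payload: bytes = b"") -> bytes:
    """Build an ICMP echo request/reply with a correct checksum (constructed test input)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_icmp(pkt: bytes) -> dict:
    """Parse and validate an ICMP message; reject truncated or corrupted packets."""
    if len(pkt) < 8:
        raise ValueError("ICMP message shorter than the 8-byte header")
    if icmp_checksum(pkt) != 0:  # recomputing over the stored checksum yields 0 when intact
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "payload": pkt[8:]}


class EchoStateTable:
    """Hypothetical model of the state a stateful firewall keeps for outbound echo requests.

    A reply is accepted only if (peer, id, seq) matches a request that was actually sent;
    anything else is the unsolicited reply the thread is asking about.
    """

    def __init__(self) -> None:
        self.pending: set = set()

    def saw_request(self, dst: str, pkt: bytes) -> None:
        """Record an outbound echo request so its reply can later be matched."""
        info = parse_icmp(pkt)
        if info["type"] == ICMP_ECHO_REQUEST:
            self.pending.add((dst, info["id"], info["seq"]))

    def classify_reply(self, src: str, pkt: bytes) -> str:
        """Return 'matched', 'unsolicited', or 'not-echo-reply' for an inbound packet."""
        info = parse_icmp(pkt)
        if info["type"] != ICMP_ECHO_REPLY:
            return "not-echo-reply"
        key = (src, info["id"], info["seq"])
        if key in self.pending:
            self.pending.discard(key)  # one reply per request; a replay is unsolicited again
            return "matched"
        return "unsolicited"


def demo() -> list:
    """Constructed traffic: one real request/reply pair, then forged replies."""
    table = EchoStateTable()
    payload = b"connectivity-check"
    table.saw_request("8.8.8.8", build_icmp(ICMP_ECHO_REQUEST, 0x1234, 1, payload))
    results = []
    # legitimate reply: same peer, id and seq as the request
    results.append(table.classify_reply("8.8.8.8", build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, payload)))
    # forged reply from the same source address but a sequence number that was never sent
    results.append(table.classify_reply("8.8.8.8", build_icmp(ICMP_ECHO_REPLY, 0x1234, 7, payload)))
    # replay of the legitimate reply after the state entry has been consumed
    results.append(table.classify_reply("8.8.8.8", build_icmp(ICMP_ECHO_REPLY, 0x1234, 1, payload)))
    return results


if __name__ == "__main__":
    print(demo())  # ['matched', 'unsolicited', 'unsolicited']
```

The matching key is deliberately the same tuple a real stateful filter uses, which is why the "forge the reply and hope it arrives first" case in the question still loses when state is kept: the attacker would also need the identifier and sequence number of the outstanding request, and a reply is consumed as soon as the genuine one is matched. Without such state, every well-formed echo reply reaches the application and the question of how much the OS and ping's own mitigations help becomes the relevant one.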
