From: mike tancsa <mike@sentex.net>
To: Dev Null, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-22:15.ping
Date: Wed, 30 Nov 2022 17:03:10 -0500
Message-ID: <2b590fd0-8b02-1344-d501-005c6cd9fb8f@sentex.net>
References: <20221130004601.043CE1C623@freefall.freebsd.org> <3dc86282-165d-8562-5cba-0da9896557b9@sentex.net>
List-Id: Security issues
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On 11/30/2022 4:58 PM, Dev Null wrote:
>
> Easy to exploit in a test environment, but difficult to exploit
> in the wild, since the flaw can only be exploited in the ICMP reply,
> so the vulnerable machine NEEDS to make an ICMP request first.
>
> The attacker in this case sends a short reader in an ICMP reply.
>

Let's say you know that some device regularly pings, say, 8.8.8.8 as part of some connectivity check. If there is no stateful firewall, can the attacker not just forge the reply on the chance their attack packet could get there first? Or if it's the case of an "evil ISP" in the middle, it becomes even easier. At that point, how easy is it to actually do some sort of remote code execution? The SA implies there are mitigating techniques in the OS and in the app. I guess it's that last part I am mostly unclear on: how difficult is the RCE if given the first requirement as a given.

    ---Mike
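The precondition the thread is debating is whether a forged echo reply reaches ping(8) at all, and what a stateful firewall does about it. The following is an added example, written for this page and not code from the thread, from FreeBSD, or from any firewall: a minimal stateful ICMP echo tracker that parses IPv4 + ICMP, verifies the ICMP checksum, records outgoing echo requests keyed by (src, dst, identifier, sequence), and admits an inbound reply only while a matching request is outstanding. The addresses, identifiers and packets are constructed test input (8.8.8.8 is used only because the thread does). Keying on the sequence number as well as the identifier is an assumption of this example and is stricter than many real firewalls, which commonly track ICMP state by identifier alone.

```python
"""Added example (not from the thread or FreeBSD): stateful tracking of ICMP
echo request/reply pairs, run over constructed packets.

Shows three cases for an inbound echo reply: wrong identifier (dropped),
correct identifier/sequence arriving before the real reply (admitted, which
is the race an off-path attacker must win), and a replay of an already
consumed pair (dropped). The parser honours IHL so IP options do not shift
the ICMP header offset.
"""
import socket
import struct
import time

ICMP_ECHO_REPLY = 0
ICMP_ECHO_REQUEST = 8
IPPROTO_ICMP = 1


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a correct packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_packet(src, dst, icmp_type, ident, seq, payload=b"", ip_options=b""):
    """Build an IPv4 packet carrying an ICMP echo message (constructed test input).
    ip_options must be a multiple of 4 bytes; the IP header checksum is left at 0."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", icmp_checksum(icmp)) + icmp[4:]
    assert len(ip_options) % 4 == 0
    ihl = 5 + len(ip_options) // 4
    total_len = ihl * 4 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0, 0, 64,
                     IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip + ip_options + icmp


def parse(pkt: bytes):
    """Return (src, dst, icmp_type, ident, seq), or None if the packet is not a
    well-formed IPv4/ICMP echo message with a valid ICMP checksum."""
    if len(pkt) < 20:
        return None
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or proto != IPPROTO_ICMP or len(pkt) < ihl + 8:
        return None
    icmp = pkt[ihl:total_len]          # IHL, not a fixed 20, locates the ICMP header
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return None
    icmp_type, _code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), icmp_type, ident, seq


class IcmpStateTable:
    """Outstanding echo requests keyed by (src, dst, ident, seq) with an expiry."""

    def __init__(self, timeout=10.0, now=time.monotonic):
        self.timeout = timeout
        self.now = now
        self.pending = {}

    def outbound(self, pkt: bytes) -> bool:
        """Record an outgoing echo request; returns True if state was created."""
        p = parse(pkt)
        if p is None or p[2] != ICMP_ECHO_REQUEST:
            return False
        src, dst, _, ident, seq = p
        self.pending[(src, dst, ident, seq)] = self.now() + self.timeout
        return True

    def inbound(self, pkt: bytes) -> bool:
        """Admit an incoming echo reply only if it matches and consumes a pending request."""
        p = parse(pkt)
        if p is None or p[2] != ICMP_ECHO_REPLY:
            return False
        src, dst, _, ident, seq = p
        expiry = self.pending.pop((dst, src, ident, seq), None)  # reply reverses the addresses
        return expiry is not None and expiry >= self.now()


def demo():
    """Run the three cases; returns (wrong_id_admitted, race_win_admitted, replay_admitted)."""
    table = IcmpStateTable()
    host, probe = "192.0.2.10", "8.8.8.8"   # constructed: the pinging device and its target
    table.outbound(build_packet(host, probe, ICMP_ECHO_REQUEST, 0x1234, 1))
    wrong_id = table.inbound(build_packet(probe, host, ICMP_ECHO_REPLY, 0x4321, 1))
    nops = b"\x01" * 4                       # IP options present; still matched via IHL
    race_win = table.inbound(build_packet(probe, host, ICMP_ECHO_REPLY, 0x1234, 1, ip_options=nops))
    replay = table.inbound(build_packet(probe, host, ICMP_ECHO_REPLY, 0x1234, 1))
    return wrong_id, race_win, replay


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete: stateful filtering only raises the bar to guessing the identifier and sequence of an outstanding request and beating the genuine reply, which an on-path "evil ISP" need not guess at all. It does not inspect IP options or the quoted packet, so whatever ping(8) does with a matching reply is decided by ping's own parsing and the sandboxing the advisory refers to, not by the firewall.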