From nobody Tue Dec 13 08:35:36 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4NWWzP5pJKz4kX4w for ; Tue, 13 Dec 2022 08:35:45 +0000 (UTC) (envelope-from ted@io-tx.com) Received: from io-tx.com (io-tx.com [205.166.246.111]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (2048 bits) client-digest SHA256) (Client CN "*.io-tx.com", Issuer "AlphaSSL CA - SHA256 - G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4NWWzP3HFJz4RxJ; Tue, 13 Dec 2022 08:35:45 +0000 (UTC) (envelope-from ted@io-tx.com) Authentication-Results: mx1.freebsd.org; none Received: from io-tx.com (io-tx.com [205.166.246.111]) (authenticated bits=0) by io-tx.com (8.17.1/8.16.1) with ESMTPSA id 2BD8Za8k099511 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Tue, 13 Dec 2022 02:35:36 -0600 (CST) (envelope-from ted@io-tx.com) Date: Tue, 13 Dec 2022 02:35:36 -0600 (CST) From: Ted Hatfield To: Ed Maste cc: freebsd-security@freebsd.org Subject: Re: Clarification on FreeBSD-SA-22:15.ping / CVE-2022-23093 ping(8) stack overflow In-Reply-To: Message-ID: <3fe5bf2-768-fe18-e8c7-a4135c37a87c@io-tx.com> References: List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII; format=flowed X-Spam-Status: No, score=-0.9 required=5.0 tests=ALL_TRUSTED,AWL, KAM_DMARC_STATUS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on io-tx.com X-Rspamd-Queue-Id: 4NWWzP3HFJz4RxJ X-Spamd-Bar: ---- X-Spamd-Result: default: False [-4.00 / 15.00]; REPLY(-4.00)[]; ASN(0.00)[asn:55103, ipnet:205.166.246.0/24, country:US] X-Rspamd-Pre-Result: action=no action; module=replies; Message is reply to one we originated X-ThisMailContainsUnwantedMimeParts: N On Mon, 12 Dec 2022, Ed Maste wrote: > We've seen many blog posts and news articles about this issue and > unfortunately most of them get the details wrong. So, to clarify: > > - This issue affects only /sbin/ping, not kernel ICMP handling. > - The issue relies on receipt of malicious packet(s) while the ping > utility is running (i.e., while pinging a host). > - ping(8) is setuid root, but drops privilege (to that of the user > executing it) after opening sockets but before sending or receiving > data. > - ping(8) runs in a Capsicum capability sandbox, such that even in the > event of a compromise the attacker is quite limited (has no access to > global namespaces, such as the filesystem). > - It is believed that exploitation is not possible due to the stack > layout on affected platforms. > > Thanks for the detailed summation. Ted