Vulnerability Highlight
The FreeBSD project team released a security update on November 29, 2022, to patch CVE-2022-23093 in the ping component. The pr_pack() function reads packets from the response and does not handle the buffer size properly, leading to a memory buffer overflow in all versions of the FreeBSD operating system. An attacker who exploits this vulnerability can cause a denial of service.
Background Information
Ping is a program that tests the reachability of a remote host using ICMP messages. Ping runs on well-known systems such as Windows, Linux, macOS, and FreeBSD. A vulnerability was found in FreeBSD, which is an operating system used to power modern servers, desktops, and embedded platforms. Normally, pr_pack() copies the ICMP Echo Reply (IP header, ICMP header) into buffers for further processing. The vulnerable code fails to consider the possible presence of IP option headers following the IP header. When an option header is present, pr_pack() overflows the buffer’s capacity by up to 40 bytes.
Figure 1: ICMP Echo reply with IP Options
Figure 2 shows that, in this case, the code tries to put 60 bytes (hlen) into a destination buffer (ip) that is only 20 bytes long. The IP Header Length field has a minimum value of 5 (20 bytes) and a maximum value of 15 (60 bytes). A remote host can trigger the memory safety bugs described above, causing the ping program to crash. It may be possible for a malicious host to trigger denial of service in Ping [1].
Figure 2: Comparison of pre- and post-patching code [2]
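The length check that this class of bug calls for, as an added example (it is not FreeBSD's code and not the patch itself): the header length is derived from the IHL field, validated against the received length, and only the fixed 20 bytes are copied into the 20-byte destination. The function names, the struct, and the two zero-filled sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MIN_HLEN 20u  /* IHL = 5: fixed IPv4 header, no options */
#define IP_MAX_HLEN 60u  /* IHL = 15: fixed header plus 40 option bytes */
#define ICMP_HDR_LEN 8u  /* type, code, checksum, id, sequence */

/* Constructed samples: version 4 with IHL 15 (0x4f) and IHL 5 (0x45); rest zero. */
const uint8_t sample_opts[IP_MAX_HLEN + ICMP_HDR_LEN] = { 0x4f };
const uint8_t sample_plain[IP_MIN_HLEN + ICMP_HDR_LEN] = { 0x45 };

struct parsed_reply {               /* hypothetical result type */
    uint8_t ip_fixed[IP_MIN_HLEN];  /* sized for the fixed header only */
    size_t opt_len;                 /* IP option bytes present (0..40) */
    size_t icmp_off;                /* offset of the ICMP header in pkt */
};

/* Bytes that copying hlen bytes into a 20-byte buffer would write past its end. */
size_t unchecked_overrun(const uint8_t *pkt, size_t len)
{
    size_t hlen = len ? (size_t)(pkt[0] & 0x0f) << 2 : 0;
    return hlen > IP_MIN_HLEN ? hlen - IP_MIN_HLEN : 0;
}

/* Returns 0 on success, -1 if the packet must be dropped. */
int parse_echo_reply(const uint8_t *pkt, size_t len, struct parsed_reply *out)
{
    if (len < IP_MIN_HLEN || (pkt[0] >> 4) != 4)
        return -1;                               /* too short, or not IPv4 */
    size_t hlen = (size_t)(pkt[0] & 0x0f) << 2;  /* IHL counts 32-bit words */
    if (hlen < IP_MIN_HLEN || hlen > len || len - hlen < ICMP_HDR_LEN)
        return -1;                               /* IHL inconsistent with packet */
    memcpy(out->ip_fixed, pkt, IP_MIN_HLEN);     /* fixed size, never hlen */
    out->opt_len = hlen - IP_MIN_HLEN;           /* options are left in pkt */
    out->icmp_off = hlen;
    return 0;
}

int main(void)
{
    struct parsed_reply r;
    int rc = parse_echo_reply(sample_opts, sizeof sample_opts, &r);
    printf("rc=%d options=%zu icmp_off=%zu unchecked_overrun=%zu\n", rc,
           r.opt_len, r.icmp_off, unchecked_overrun(sample_opts, sizeof sample_opts));
    return 0;
}
```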
Security Recommendation
FreeBSD has released updated versions. Administrators can address these issues by applying the patch to upgrade vulnerable systems to supported stable releases of FreeBSD. We recommend reviewing the patch in more detail.
Protection Offering from TXOne Networks
In addition to the FreeBSD patch solution that asset owners can apply, TXOne Networks provides a supplementary rule “1231942 EXPLOIT FreeBSD ICMP pr_pack Stack Buffer Overflow (CVE-2022-23093)” via an out-of-cycle release:
- TM_221208_16 for EdgeIPS/EdgeFire
- TM_IPSLE_221208_15 for EdgeIPSLE
- TM_IPSP_221208_15 for EdgeIPS Pro
References
[1] FreeBSD Security Advisories – “FreeBSD-SA-22:15”, FreeBSD, November 29, 2022.
[2] FreeBSD GitHub – freebsd/freebsd-src commit/46d7b45a267b3d78c5054b210ff7b6c55bfca42b, FreeBSD, November 29, 2022.