CVE-2022-23093: Remote Code Execution in FreeBSD ping(8)

Researcher Tom Jones has found a serious vulnerability in FreeBSD ping(8), a program that can be used to test the reachability of a remote host using ICMP messages.

The ping utility invoked with an IPv4 target (IPv4-host or IPv4-mcast-group) uses the ICMP protocol’s mandatory  CHO_REQUEST data gram to elicit an ICMP ECHO_RESPONSE from a host or gateway. ECHO_REQUEST datagrams (“pings”) have an IP and ICMP header, followed by a “struct timeval” and then an arbitrary number of “pad” bytes used to fill out the packet.

Tracked as CVE-2022-23093, the issue is a buffer overflow vulnerability affecting the “pr_pack()” function in ping(8). The flaw can be leveraged to cause a stack overflow, which could lead to a crash or trigger remote code execution in ping.

“ping reads raw IP packets from the network to process responses in the pr_pack() function. As part of processing a response ping has to reconstruct the IP header, the ICMP header and if present a “quoted packet,” which represents the packet that generated an ICMP error. The quoted packet again has an IP header and an ICMP header,” the FreeBSD Project wrote in a security advisory.

“The pr_pack() copies received IP and ICMP headers into stack buffers for further processing. In so doing, it fails to take into account the possible presence of IP option headers following the IP header in either the response or the quoted packet. When IP options are present, pr_pack() overflows the destination buffer by up to 40 bytes.”

The FreeBSD Project issued fixes for CVE-2022-23093 that are available to users who upgrade to FreeBSD 13.1-STABLE, 13.1-RELEASE-p5, 12.4-STABLE, 12.4-RC2-p2 and 12.3-RELEASE-p10.

No workaround is available for the vulnerability so FreeBSD users are advised to apply the patch. They can do so by updating the operating system, or through a binary or source code patch.