Ping Processing Bug in FreeBSD Can Cause Crashes
CVE-2022-23093

Currently unrated

Key Information:

Vendor: FreeBSD
Status: FreeBSD
Vendor: CVE Published:; 15 February 2024

Badges

👾 Exploit Exists

What is CVE-2022-23093?

This vulnerability pertains to a buffer overflow issue in the FreeBSD ping utility, specifically within the pr_pack() function, which handles raw IP packets. When the ping utility processes packets that contain IP option headers, it fails to properly account for their size. This oversight can result in the overflow of stack buffers by as much as 40 bytes, compromising memory safety. Remote attackers can exploit this flaw, potentially leading to crashes of the ping program. Although the ping utility operates within a capability mode sandbox on affected FreeBSD versions, limiting its interaction with the system, the vulnerability still poses a notable risk.

Affected Version(s)

FreeBSD 13.1-RELEASE

FreeBSD 12.4-RC2

FreeBSD 12.3-RELEASE

References

https://security.freebsd.org/advisories/FreeBSD-SA-22:15....

vendor-advisory

Timeline

🟡
Public PoC available
Mar 22, 2024
👾
Exploit known to exist
Mar 22, 2024
Vulnerability published
Feb 15, 2024
Vulnerability Reserved
Jan 10, 2022

Credit

NetApp, Inc.