A critical stack-based buffer overflow bug in the ping service, tracked as CVE-2022-23093, could allow a remote attacker to take over FreeBSD systems.
The vulnerability exists due to a boundary error within the pr_pack() function in ping(8) when processing IP option headers following the IP header in either the response or the quoted packet. A remote attacker can send a specially crafted ICMP response to the affected system, trigger a stack-based buffer overflow and potentially execute arbitrary code on the target system.
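The defect class described above is worth seeing in code. The following is an added illustration, not the ping(8) source: a header parser that trusts the IHL nibble and copies the whole IP header into a buffer sized for the 20-byte fixed header, beside a hardened parser that validates the header length against both the received packet and the destination buffer before copying. The helper `make_sample()` and the constructed packet bytes are assumptions made for the demo; the 40-byte figure simply follows from the 60-byte maximum IP header length.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP_HDR_MIN 20   /* fixed IPv4 header, no options */
#define IP_HDR_MAX 60   /* 4-bit IHL field: 15 words * 4 bytes */

/* Fixed-size stack copy sized for the option-less header, the pattern that
 * goes wrong when the sender adds IP options. */
struct ip_copy { uint8_t bytes[IP_HDR_MIN]; };

/* Header length in bytes, as encoded in the low nibble of the first byte. */
static size_t ip_hlen(const uint8_t *pkt) { return (size_t)(pkt[0] & 0x0f) * 4; }

/* Unsafe pattern: trust IHL and copy hlen bytes into a 20-byte buffer.
 * To keep this demo memory-safe it does not perform the copy; it returns how
 * many bytes would land past the end of the destination (0 means safe). */
size_t unchecked_overrun(const uint8_t *pkt, size_t len) {
    (void)len;                         /* the flawed version never consults it */
    size_t hlen = ip_hlen(pkt);
    return hlen > sizeof(struct ip_copy) ? hlen - sizeof(struct ip_copy) : 0;
}

/* Hardened pattern: bound hlen by the packet and by the destination, copy only
 * the fixed header, and expose the option bytes by reference rather than
 * copying them into a fixed buffer.  Returns 0 on success, negative on error. */
int parse_ip_header(const uint8_t *pkt, size_t len, struct ip_copy *dst,
                    const uint8_t **opts, size_t *optlen) {
    if (len < IP_HDR_MIN) return -1;                          /* truncated */
    size_t hlen = ip_hlen(pkt);
    if (hlen < IP_HDR_MIN || hlen > IP_HDR_MAX || hlen > len) return -2;
    memcpy(dst->bytes, pkt, IP_HDR_MIN);
    *opts = pkt + IP_HDR_MIN;
    *optlen = hlen - IP_HDR_MIN;                              /* 0..40 bytes */
    return 0;
}

/* Constructed sample: an IPv4 header with the given IHL (in 32-bit words),
 * options filled with NOP (0x01), no payload.  Returns the header length. */
size_t make_sample(uint8_t *buf, size_t cap, unsigned ihl_words) {
    size_t hlen = (size_t)ihl_words * 4;
    if (ihl_words < 5 || ihl_words > 15 || hlen > cap) return 0;
    memset(buf, 0, hlen);
    buf[0] = (uint8_t)(0x40 | ihl_words);      /* version 4, IHL */
    buf[2] = (uint8_t)(hlen >> 8);             /* total length, big-endian */
    buf[3] = (uint8_t)(hlen & 0xff);
    buf[9] = 1;                                /* protocol: ICMP */
    memset(buf + IP_HDR_MIN, 0x01, hlen - IP_HDR_MIN);
    return hlen;
}

int main(void) {
    uint8_t pkt[IP_HDR_MAX];
    struct ip_copy copy;
    const uint8_t *opts;
    size_t optlen;

    size_t n = make_sample(pkt, sizeof pkt, 15);   /* maximal options */
    printf("unchecked copy overruns by %zu bytes\n", unchecked_overrun(pkt, n));
    int rc = parse_ip_header(pkt, n, &copy, &opts, &optlen);
    printf("hardened parse rc=%d optlen=%zu\n", rc, optlen);
    rc = parse_ip_header(pkt, 30, &copy, &opts, &optlen);   /* IHL says 60, only 30 arrived */
    printf("hardened parse of truncated packet rc=%d\n", rc);
    return 0;
}
```

The check that matters is the one the flawed version lacks: `hlen` is sender-controlled, so it must be compared against the destination size and the bytes actually received before any copy, and a rejected packet should be dropped rather than partially processed.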
OPNsense, an open source, FreeBSD-based firewall and routing software, has also released a patch (version 22.7.9) to plug the security hole, along with other issues.
The FreeBSD Project noted that the ping process runs in a capability mode sandbox and is therefore constrained in how it can interact with the rest of the operating system.
The new shortcoming (CVE-2022-3328), introduced as part of a patch for CVE-2021-44731, can be chained with two other flaws in multipathd called Leeloo Multipath – an authorization bypass and a symlink attack tracked as CVE-2022-41974 and CVE-2022-41973 – to gain root privileges.
Vulnerable software versions
FreeBSD: 12.0 – 13.1
Users are advised to upgrade vulnerable systems to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.