December 5, 2022Rabbi Lakshmanan

The FreeBSD operating system maintainers have released updates to repair security vulnerabilities affecting the ping module that could be exploited to trigger program crashes and remote code execution.

Issues with assigned identifiers CVE-2022-23093affects all supported versions of FreeBSD, stack-based buffer overflow Vulnerability ping service.

“ping reads raw IP packets from the network and processes the responses with the pr_pack() function” Recommendation Published last week.

cyber security

“A copy of pr_pack() takes the IP and ICMP Stores the header in the stack buffer for further processing. Doing so fails to take into account the possible presence of IP options headers following the IP header in either the response or the quoted packet. “

As a result, the destination buffer can overflow up to 40 bytes if IP Options headers are present.

The FreeBSD project states that the ping process Feature Mode Sandbox Therefore, it limits how you interact with the rest of the operating system.

OPNsense, an open source FreeBSD-based firewall and routing software, also released a patch (version 22.7.9) to close a security hole and solve other issues.

Findings come as Qualys researchers explain another detail. new vulnerability It builds on an earlier privilege escalation flaw (CVE-2021-44731) disclosed in February 2022 in the Linux operating system’s snap-confine program.

Snaps are self-contained application packages that upstream developers can distribute to their users.

A new flaw (CVE-2022-3328) introduced as part of the patch for CVE-2021-44731 can chain with two other flaws. multipath called Leeloo Multipath – Authentication bypass and symlink attacks tracked as CVE-2022-41974 and CVE-2022-41973 – To gain root privileges.

Because the multipathd daemon runs as root by default, successful exploitation of this flaw could allow an unprivileged attacker to execute arbitrary code with elevated privileges on a vulnerable host.

Did you find this article interesting?Please follow us twitter When LinkedIn To read more exclusive content that we post.



Register now for our membership to gain access to our elite training program and fast forward your career today!


Subscribe my Newsletter for new blog posts, tips & new photos. Let's stay updated!

Security Blog

Blue Training Academy

Blue Training Academy was developed in 2018 as a educational and training facility for continuing education and certification courses. Blue Training Academy is an educational institution that allows for all sectors of the public and Criminal Justice field to gain ongoing training and education.

Copyright ©️ All rights reserved. | Blue Training Academy Blog