FreeBSD Ping

michmoor

Any plans to push a patch for CVE-2022-23093

jimp

CVE-2022-23093 for ping on FreeBSD is not a big deal for pfSense software:

• It only affects the /sbin/ping binary, it does not affect dpinger (the source of most ICMP traffic from pfSense software).
• It only affects specifically malformed packets received by the ping binary itself, not the IP stack. So ping has to have initiated the communication and be waiting for a response, it cannot happen unsolicited.
• There are a very small number of things in pfSense which initiate a ping using the affected binary, so unless a user is manually pinging a compromised remote host from the firewall itself, there is little to no opportunity to exploit it.
• The ping process runs in a capability mode sandbox and drops privileges needed to do most harm before the point where the crash occurs.

That said, we have patched the source trees and any future releases we make (including new snapshots) have the fixed binary.

michmoor

@jimp Sounds good. Thanks Jim for the quick response. Appreciate it.

joshgreyz

@jimp I can't tell from your post - is this patched or not?

johnpoz

@joshgreyz

What part is confusing for you?
"we have patched the source trees and any future releases we make (including new snapshots) have the fixed binary."

joshgreyz

@johnpoz alright, how do we patch our production pfSense routers then?

rcoleman-netgate

@joshgreyz Two options: 1) Upgrade to the latest development snapshot (not recommended) 2) Wait for the release.

The ping program is only used when you ask it to be used so you can avoid it, basically, until the next release.

dpinger uses ICMP directly, and the system replies to pings with ICMP, not the ping application.

jimp

The only way it's going to be "exploitable" is if someone on your firewall intentionally sends a manual ping to a compromised target. And even then, the way ping is sandboxed it can't do much even if it does get triggered. There is a lot of hype going on around this based on theory alone but little substance. The word "potentially" is carrying a ton of weight in all of the articles about it.

It sounds bad on paper but at least from the perspective of a firewall appliance use case where it doesn't rely on ping for anything substantial, it's of little concern.

tl;dr don't fall for clickbait headlines.

mdearman

@jimp

I don't think it's fair to qualify this reported and patched vulnerability as a 'click-bait headline', nor is any question being asked unreasonable. It's a legit concern, and not everyone who uses this 'product' (because it is a product that people do pay to use) is a developer who understands every nut and bolt. If they did, there would be no need for this forum or support from Netgate. I certainly appreciate Netgate taking the time to reassure people that this is a generally 'non-issue', but the condescending tone in these replies isn't appreciated.

jimp

I'm not being condescending, I'm being literal. There are a ton of articles going around about this specific issue blowing this way out of proportion, trying to make people scared of something that is of minimal concern.

Does it warrant patching? Sure.

Does it warrant the panic that some articles appear to think from their headlines? No.

mdearman

@jimp

My point is that while that may be apparent to you as an SME for this product, it's probably not to everyone that simply uses it. Clearly, at least a dozen people have looked at this thread from the thumbs up and had the same question. I'm thrilled it's a non-issue, but I'm not 'stupid' for having the question, and neither was the OP. If it was obvious, we wouldn't ask the question. I didn't read anything that amounted to 'panic', simply due-diligence as a network admin using this product. I read the CVE, it wasn't a 'joke', so here I am looking to make sure I don't have a problem- that's all. The headline that lead me to look at the CVE, and actually read it, wasn't clickbait. It's has a CTI of 10. Believe me, I get that it's annoying to be bombarded with questions about something I know to be a non-issue. Perhaps it might be in Netgate's interest to have a listing of CVE's and their impact (apologies if this exists and I'm not aware of it) or at least something on its homepage to address these questions before they get to you/the forum, and you have to deal with them.

johnpoz

@mdearman said in FreeBSD Ping:

but I'm not 'stupid' for having the question, and neither was the OP

Where would you have gotten that impression? Jim's first post was very spot on, went over the highlights of that specific cve, how they don't really apply to pfsense which is always good to know, etc.

And then clearly stated its been patched, and all future releases will include.

Not seeing where anyone said anything stupid about having a question or concern about a specific cve.

As to click-bait comment, you don't have to be a CCIE to understand the net is full of scare mongering - not only when it comes to IT related stuff, but pretty much anything.. What gets someone to click into something - something that will effect you in a negative way..

New CVE - Patch now or you're doomed.

Or

New CVE - won't effect you, but should be patched.

gabacho4

I understand the reason why people ask these questions however I don’t really get it. Show me any time where Netgate/pfSense has ignored or not responded to CVEs that affect its product? I’m aware of none. Netgate has always responded quickly to legitimate issues via point releases. This is a security-focused company after all no? This responsiveness is what has led to pfSense being highly trusted to secure networks across a wide user base. So, yes I understand why people ask but the question itself seems to almost suggest an uncertainty of whether netgate is truly committed to its mission and product. I mean, do we really expect to get an answer saying “yes, our software is vulnerable but we’re not going to address it. Piss off.”? Didn’t see anything demeaning in Jim’s response. Stop being so damn sensitive.

johnpoz

@gabacho4 said in FreeBSD Ping:

Stop being so damn sensitive.

Sage advice for everyone ;)

mdearman

@johnpoz said in FreeBSD Ping:

Where would you have gotten that impression?

Well, as I said, in the first line of my reply to the thread, the comment about don't fall for click-bait headlines, is fairly condescending. I'm sorry you and Jimp needed that pointed out (maybe that's the problem?)

@johnpoz said in FreeBSD Ping:

And then clearly stated its been patched, and all future releases will include.

Well, actually, he (Jimp) said it hasn't been patched in the production versions I am (and most people are) actually using right now, and that we had two poor options to fix it immediately. (This by the way, is actually why I and the OP were here asking questions you seem to be implying are beneath Netgate staff to respond to)

@johnpoz said in FreeBSD Ping:

how me any time where Netgate/pfSense has ignored or not responded to CVEs that affect its product? I’m aware of none. Netgate has always responded quickly to legitimate issues via point releases.

Sorry, looking to see if there is a patch that has been released or is forthcoming, doesn't imply that I think Netgate is or isn't doing what it should in relation to PFSense. It's just called network administration, and it's my job. I don't give any vendor the kind of good faith latitude you are suggesting.

@johnpoz said in FreeBSD Ping:

As to click-bait comment, you don't have to be a CCIE to understand the net is full of scare mongering

Maybe, but you're making a whole lot of assumptions about where I get my information, what my mental state actually is, and again, that I'm too dumb to know what I should and shouldn't be worried about.

Everyone, all I said was that the OP had a legit question, that he wasn't alone, and that the response, without the hyperbole, would be appreciated.

gabacho4

I don't give any vendor the kind of good faith latitude you are suggesting.

But you trust them to secure your networks… Sounds like a case of build your own router on BSD/Linux so you can control every aspect of it and update/patch at will.

mdearman

@gabacho4

I trust them to release patches, which by the way, implies Netgate is not infallible. That's what I was here doing. Maybe YOU should try not being so damn sensitive.

gabacho4

@mdearman I’m just having some fun. There have already been like 10 threads on this same subject over the past few days that were answered. This has been the more entertaining one of them.