Remotely exploited root vulnerability in FreeBSD's ping utility

FreeBSD has a vulnerability (CVE-2022-23093) in the ping utility shipped in the base system. The issue could potentially lead to remote code execution as root when pinging an external host controlled by an attacker. A fix is provided in the FreeBSD 13.1-RELEASE-p5, 12.4-RC2-p2 and 12.3-RELEASE-p10 updates. Whether other BSD systems are affected by the identified vulnerability is not yet clear (nothing has been reported so far for NetBSD, DragonFlyBSD and OpenBSD).

The vulnerability is caused by a buffer overflow in the code that parses ICMP messages received in response to a probe request. ping sends and receives ICMP messages over raw sockets and runs with elevated privileges (the utility is installed setuid root). On the receiving side, ping reconstructs the IP and ICMP headers of the packets read from the raw socket. The pr_pack() function copies the extracted IP and ICMP headers into buffers without accounting for the additional (extended) headers that may follow the IP header in the packet.

Such headers are extracted from the packet and included in the header block, but they are not taken into account when the buffer size is calculated. If the host responds to the ICMP request with a packet carrying additional headers, their contents are written past the end of the buffer on the stack. As a result, an attacker can overwrite up to 40 bytes of stack data, which could potentially allow attacker-controlled code to run. The severity is mitigated by the fact that, by the time the bug is triggered, the process is already running in capability mode (Capsicum system-call sandboxing), which makes it harder to reach the rest of the system after exploiting the vulnerability.
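The following is an added illustration of the bug class described above, written for this article; it is a constructed model, not FreeBSD's ping source, and every function and constant name in it is hypothetical. It shows why a header buffer sized for the 20-byte base IP header can be overrun by up to 40 bytes when the packet's IHL field announces extra header bytes, alongside the length check that prevents the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the bug class, not FreeBSD's ping source: the reply's
 * IP header is copied into a buffer sized for the 20-byte base header, while
 * the packet's IHL field may announce up to 60 bytes once options are present. */
#define IP_BASE_HDR_LEN 20U  /* struct ip without options */
#define IP_MAX_HDR_LEN  60U  /* IHL is 4 bits of 32-bit words: 15 * 4 */

/* Header length announced by the IHL field; 0 if the packet is too short. */
static size_t ip_header_len(const uint8_t *pkt, size_t pktlen)
{
    return pktlen < IP_BASE_HDR_LEN ? 0 : (size_t)(pkt[0] & 0x0f) * 4;
}

/* Bytes an unchecked memcpy of the announced header into a dstlen-byte
 * buffer would write past its end (the defect described in the text). */
size_t overrun_if_unchecked(const uint8_t *pkt, size_t pktlen, size_t dstlen)
{
    size_t hlen = ip_header_len(pkt, pktlen);
    return hlen > dstlen ? hlen - dstlen : 0;
}

/* Hardened copy: reject a header shorter than the base header, longer than
 * the packet, or longer than dst. Returns bytes copied, 0 if rejected. */
size_t copy_ip_header_checked(const uint8_t *pkt, size_t pktlen,
                              uint8_t *dst, size_t dstlen)
{
    size_t hlen = ip_header_len(pkt, pktlen);
    if (hlen < IP_BASE_HDR_LEN || hlen > pktlen || hlen > dstlen)
        return 0;
    memcpy(dst, pkt, hlen);
    return hlen;
}

/* Constructed echo reply with the given IHL (5..15): version/IHL byte, zeroed
 * fields, NOP option padding, then an 8-byte ICMP header (type 0). Returns
 * the total length, or 0 if ihl is out of range or buf is too small. */
size_t make_reply(uint8_t *buf, size_t buflen, unsigned ihl)
{
    size_t hlen = (size_t)ihl * 4, total = hlen + 8;
    if (ihl < 5 || ihl > 15 || total > buflen)
        return 0;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | ihl);                               /* IPv4 + IHL */
    memset(buf + IP_BASE_HDR_LEN, 0x01, hlen - IP_BASE_HDR_LEN);  /* IP options */
    return total;
}
```

With a reply whose IHL is 15, overrun_if_unchecked() reports 40 bytes past a 20-byte buffer, matching the figure given above, while copy_ip_header_checked() refuses the copy.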

Source: opennet.ru
