Welcome back, 'ping of death', it has been... a few months. Now it's Apple's turn to do the patching
Kernel-level ICMP buffer overrun quietly fixed as all eyes on this week's launchfest
At least one of these, discovered by Semmle security research engineer Kevin Backhouse, is a treat: your iThings can be crashed with what amounts to a "ping of death", and there's little you can do beyond installing this week's updates.
Backhouse made his disclosure on 30 October, the same day as Apple emitted the patched code.
The bug itself, CVE-2018-4407, is a threat to users on public hotspots, where they're visible to an attacker. The miscreant need only send an ICMP (Internet Control Message Protocol) packet to the victim to crash the target, there's no user interaction needed, and Backhouse also wrote that "it may be possible to exploit the buffer overflow to execute arbitrary code in the kernel".
While Backhouse didn't try to turn the crash into an exploit proof-of-concept, he reasoned that it could be made a remote code execution because the attacker could control the size and content of the heap overflow.
The target doesn't need to have ports open, Backhouse claimed, and because merely receiving the crafted packet will trigger the bug, antivirus won't help.
The bug exists in Apple's XNU networking code (used in both iOS and macOS). In the
icmp_error function, there's a header that can be made too large for the destination's buffer (Backhouse wrote that the crash happens if the
icmplen value is greater than 84 bytes).
For a while, it looked to El Reg that bugs like this had been eradicated, like smallpox. Alas, that wasn't to be: there was one in a Patch Tuesday in 2013; Cisco and Juniper were stung by a bug, and BlackNURSE showed up later that year; and Intel had to fix a ping-of-death in Puma modems last August. ®