ASA-2018-00024 – Apple XNU: ICMP packet-handling vulnerability

Allele Security Alert

ASA-2018-00024, CVE-2018-4407

ICMP packet-handling vulnerability

Affected version(s)

Apple iOS 11 and earlier: all devices

Apple macOS High Sierra, up to and including 10.13.6: all devices

Apple macOS Sierra, up to and including 10.12.6: all devices

Apple OS X El Capitan and earlier: all devices

Fixed version(s)

iOS 12

macOS 10.14

macOS High Sierra (security update 2018-001)

macOS Sierra (security update 2018-005)

Proof of concept

There is a heap buffer overflow in icmp_error() in bsd/netinet/ip_icmp.c (line 339). This function generates an ICMP error packet of the given type in response to a bad IP packet. It calls m_copydata() to copy the header of the bad packet into the ICMP message, but it does not check whether that header fits in the destination buffer, so a heap buffer overflow can occur.

Vulnerable code:

File: bsd/netinet/ip_icmp.c

202 void
203 icmp_error(
204         struct mbuf *n,
205         int type,
206         int code,
207         u_int32_t dest,
208         u_int32_t nextmtu)
209 {
...
287         icmplen = min(oiphlen + icmpelen, min(nlen, oip->ip_len));
...
293         if (MHLEN > (sizeof(struct ip) + ICMP_MINLEN + icmplen))
294                 m = m_gethdr(M_DONTWAIT, MT_HEADER); /* MAC-OK */
295         else
296                 m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR);
...
314         icp = mtod(m, struct icmp *);
...
339         m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip);
...
372 }

The researcher who found this issue reports that the buffer overflow is triggered when icmplen >= 84.
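Added illustration in userland C (not XNU code; the names icmp_reply_model, icmplen_original, icmplen_bounded, build_reply and the buffer sizes are constructed for this model): the length arithmetic of line 287 beside a variant that also caps the quoted header at the space left in the reply before the copy, which is the check the vulnerable path lacks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added userland model of the copy in icmp_error(); it is not XNU code and the
 * buffer sizes are constructed. It shows the missing destination-size check. */
#define ICMP_MINLEN_MODEL 8    /* ICMP bytes before icmp_ip, as in BSD's struct icmp */
#define REPLY_LEN_MODEL   128  /* constructed capacity of the reply buffer */

struct icmp_reply_model {
    uint8_t hdr[ICMP_MINLEN_MODEL];                       /* type, code, cksum, unused */
    uint8_t icmp_ip[REPLY_LEN_MODEL - ICMP_MINLEN_MODEL]; /* quoted bad packet (120 bytes) */
};

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Same arithmetic as line 287 of the advisory: the quoted length depends only
 * on the offending packet, never on the space left in the reply. */
static size_t icmplen_original(size_t oiphlen, size_t icmpelen, size_t nlen, size_t ip_len)
{
    return min_sz(oiphlen + icmpelen, min_sz(nlen, ip_len));
}

/* Bounded variant: additionally cap the quote at what fits after the ICMP header. */
static size_t icmplen_bounded(size_t oiphlen, size_t icmpelen, size_t nlen, size_t ip_len)
{
    return min_sz(icmplen_original(oiphlen, icmpelen, nlen, ip_len),
                  sizeof(((struct icmp_reply_model *)0)->icmp_ip));
}

/* Fill the reply using the bounded length; returns the number of bytes quoted. */
static size_t build_reply(struct icmp_reply_model *r, const uint8_t *bad,
                          size_t oiphlen, size_t icmpelen, size_t nlen, size_t ip_len)
{
    size_t icmplen = icmplen_bounded(oiphlen, icmpelen, nlen, ip_len);
    memset(r, 0, sizeof *r);
    memcpy(r->icmp_ip, bad, icmplen); /* safe: icmplen <= sizeof r->icmp_ip */
    return icmplen;
}

/* Worked case: a 300-byte offending packet with a 60-byte IP header (maximal
 * options) and a large requested quote. Returns the quoted length, -1 on a mismatch. */
static int demo_oversized_quote(void)
{
    uint8_t bad[300];
    struct icmp_reply_model r;
    for (size_t i = 0; i < sizeof bad; i++) bad[i] = (uint8_t)i; /* constructed payload */
    size_t n = build_reply(&r, bad, 60, 200, sizeof bad, sizeof bad);
    return (n > 0 && n <= sizeof r.icmp_ip && r.icmp_ip[n - 1] == bad[n - 1]) ? (int)n : -1;
}
```

With the original arithmetic the same input yields 260 bytes to copy into a 120-byte destination; the bounded variant stops at 120.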

References

Semmle Discovers Six Critical Vulnerabilities Affecting Macs, iPhones, and iPads

Kernel RCE caused by buffer overflow in Apple’s ICMP packet-handling code (CVE-2018-4407)

APPLE-SA-2018-10-30-8 Additional information for APPLE-SA-2018-9-24-4 iOS 12

APPLE-SA-2018-10-30-10 Additional information for APPLE-SA-2018-9-24-5 watchOS 5

APPLE-SA-2018-10-30-2 macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra

APPLE-SA-2018-10-30-11 Additional information for APPLE-SA-2018-9-24-6 tvOS 12


If there is any error in this alert or you would like a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.