ASA-2018-00024 – Apple XNU: ICMP packet-handling vulnerability

For the Portuguese version of this alert, click here.

Allele Security Alert

ASA-2018-00024, CVE-2018-4407

ICMP packet-handling vulnerability

Affected version(s)

Apple iOS 11 and earlier: all devices

Apple macOS High Sierra, up to and including 10.13.6: all devices

Apple macOS Sierra, up to and including 10.12.6: all devices

Apple OS X El Capitan and earlier: all devices

Fixed version(s)

iOS 12

macOS 10.14

macOS High Sierra (security update 2018-001)

macOS Sierra (security update 2018-005)

Proof of concept

There is a buffer overflow in icmp_error(), in bsd/netinet/ip_icmp.c at line 339. This function generates an ICMP error packet of the given type in response to a bad packet. To build the error message it calls m_copydata() to copy the header of the bad packet into the ICMP message, but it does not check whether that header fits in the destination buffer, so a heap buffer overflow can occur.

Vulnerable code:

File: bsd/netinet/ip_icmp.c

202 void
203 icmp_error(
204     struct mbuf *n,
205     int type,
206     int code,
207     u_int32_t dest,
208     u_int32_t nextmtu)
209 {
        /* ... */
287     icmplen = min(oiphlen + icmpelen, min(nlen, oip->ip_len)); /* bytes of the bad packet to quote */
        /* ... */
293     if (MHLEN > (sizeof(struct ip) + ICMP_MINLEN + icmplen))
294         m = m_gethdr(M_DONTWAIT, MT_HEADER); /* MAC-OK */
295     else
296         m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR);
        /* ... */
314     icp = mtod(m, struct icmp *);
        /* ... */
339     m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip); /* icmplen is never checked against the destination size */
        /* ... */
372 }

The researcher who found this issue determined that the buffer overflow is triggered when icmplen >= 84.
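To make the unchecked copy concrete, the following is an added model (not XNU code and not the researcher's proof of concept) of the quoted length computation next to a guarded copy. The destination room, the 200-byte sample packet and all helper names are assumptions; the room is sized so that the page's reported threshold (icmplen >= 84) overflows in the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the length logic quoted from icmp_error(); the
 * constants are assumptions for illustration, not XNU's real mbuf layout. */
#define MODEL_OVERFLOW_AT 84                      /* page: overflow once icmplen >= 84 */
#define MODEL_DST_ROOM    (MODEL_OVERFLOW_AT - 1) /* assumed room behind icp->icmp_ip */

static size_t umin(size_t a, size_t b) { return a < b ? a : b; }
/* The page's formula: icmplen = min(oiphlen + icmpelen, min(nlen, ip_len)), with
 * oiphlen = bad packet's IP header length, icmpelen = quoted-payload quota,
 * nlen = mbuf chain length and ip_len = the bad packet's IP total length. */
size_t model_icmplen(size_t oiphlen, size_t icmpelen, size_t nlen, size_t ip_len)
{
    return umin(oiphlen + icmpelen, umin(nlen, ip_len));
}

/* Unchecked path (line 339): bytes that would land past the destination. */
size_t overflow_bytes_unchecked(size_t icmplen)
{
    return icmplen > MODEL_DST_ROOM ? icmplen - MODEL_DST_ROOM : 0;
}

/* Guarded path: bound the copy by the destination room; -1 means drop the packet. */
int copy_quoted_header_guarded(uint8_t *dst, size_t dst_room,
                               const uint8_t *bad_pkt, size_t icmplen)
{
    if (icmplen > dst_room) return -1;
    memcpy(dst, bad_pkt, icmplen);
    return (int)icmplen;
}

/* Driver over a constructed 200-byte "bad packet" and a model-sized room. */
int guarded_copy_demo(size_t icmplen)
{
    uint8_t dst[MODEL_DST_ROOM], bad_pkt[200];
    if (icmplen > sizeof bad_pkt) return -1;      /* keep the sample in bounds */
    memset(bad_pkt, 0xAB, sizeof bad_pkt);        /* constructed filler bytes */
    return copy_quoted_header_guarded(dst, sizeof dst, bad_pkt, icmplen);
}

int main(void)
{
    size_t small = model_icmplen(20, 8, 1500, 1500);   /* 28: fits */
    size_t large = model_icmplen(60, 100, 200, 200);   /* 160: would overflow */
    printf("icmplen=%zu overflow=%zu guarded=%d\n", small, overflow_bytes_unchecked(small), guarded_copy_demo(small));
    printf("icmplen=%zu overflow=%zu guarded=%d\n", large, overflow_bytes_unchecked(large), guarded_copy_demo(large));
    return 0;
}
```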

References

Semmle Discovers Six Critical Vulnerabilities Affecting Macs, iPhones, and iPads

Kernel RCE caused by buffer overflow in Apple's ICMP packet-handling code (CVE-2018-4407)

APPLE-SA-2018-10-30-8 Additional information for APPLE-SA-2018-9-24-4 iOS 12

APPLE-SA-2018-10-30-10 Additional information for APPLE-SA-2018-9-24-5 watchOS 5

APPLE-SA-2018-10-30-2 macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra

APPLE-SA-2018-10-30-11 Additional information for APPLE-SA-2018-9-24-6 tvOS 12


If you find an error in this alert or would like a comprehensive analysis, let us know.

Last modified: February 1, 2019