ASA-2018-00024 – Apple XNU: ICMP packet-handling vulnerability


Allele Security Alert

ASA-2018-00024

Identifier(s)

ASA-2018-00024, CVE-2018-4407

Title

ICMP packet-handling vulnerability

Vendor(s)

Apple

Product(s)

iOS

macOS

Affected version(s)

Apple iOS 11 and earlier: all devices

Apple macOS High Sierra, up to and including 10.13.6: all devices

Apple macOS Sierra, up to and including 10.12.6: all devices

Apple OS X El Capitan and earlier: all devices

Fixed version(s)

iOS 12

macOS 10.14

macOS High Sierra (security update 2018-001)

macOS Sierra (security update 2018-005)

Proof of concept

Unknown

Description

There is a buffer overflow in icmp_error() in bsd/netinet/ip_icmp.c at line 339. This function generates an ICMP error packet of the given type in response to a bad packet (ip); the ICMP protocol is used to send the error message. It calls m_copydata() to copy the header of the bad packet into the ICMP message but does not check whether that header fits in the destination buffer, so a heap buffer overflow can occur.

Vulnerable code:

File: bsd/netinet/ip_icmp.c
---
202 void
203 icmp_error(
204     struct mbuf *n,
205     int type,
206     int code,
207     u_int32_t dest,
208     u_int32_t nextmtu)
209 {
...
287     icmplen = min(oiphlen + icmpelen, min(nlen, oip->ip_len));
...
293     if (MHLEN > (sizeof(struct ip) + ICMP_MINLEN + icmplen))
294         m = m_gethdr(M_DONTWAIT, MT_HEADER); /* MAC-OK */
295     else
296         m = m_getcl(M_DONTWAIT, MT_DATA, M_PKTHDR);
...
314     icp = mtod(m, struct icmp *);
...
339     m_copydata(n, 0, icmplen, (caddr_t)&icp->icmp_ip);
...
372 }
---

The researcher who found this issue reports that the buffer overflow is triggered when icmplen >= 84.
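As an added illustration, not XNU's code and not Apple's fix, the following user-space C model reproduces the sizing steps quoted above (lines 287 and 293-296) and adds the bound a defender would want before the copy at line 339. The capacity constants are assumptions for the model and do not reproduce the 84-byte threshold the researcher observed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed user-space model of the icmp_error() sizing logic quoted above.
 * The capacities are model assumptions, not XNU's real mbuf constants. */
#define IP_HDR_LEN      20      /* sizeof(struct ip) */
#define ICMP_MINLEN     8       /* ICMP header placed in front of the quoted packet */
#define MODEL_MHLEN     176     /* assumed payload capacity of a header mbuf */
#define MODEL_MCLBYTES  2048    /* assumed capacity of a cluster mbuf */

struct model_mbuf {
    size_t cap;                 /* bytes really available behind the data pointer */
    size_t len;
    unsigned char data[MODEL_MCLBYTES];
};

static size_t min_sz(size_t a, size_t b) { return a < b ? a : b; }

/* Line 287: number of bytes of the bad packet quoted in the error message. */
size_t model_icmplen(size_t oiphlen, size_t icmpelen, size_t nlen, size_t ip_len)
{
    return min_sz(oiphlen + icmpelen, min_sz(nlen, ip_len));
}

/* Lines 293-296: header mbuf if headers plus quote fit in MHLEN, else a cluster. */
size_t model_alloc_cap(size_t icmplen)
{
    if (MODEL_MHLEN > IP_HDR_LEN + ICMP_MINLEN + icmplen)
        return MODEL_MHLEN;
    return MODEL_MCLBYTES;
}

/* Line 339 with the bound the excerpt lacks: the copy standing in for
 * m_copydata() is limited by the capacity of the buffer actually obtained,
 * not by the length that was requested. Returns the message length, or 0
 * when the quote would not fit and the packet is dropped instead. */
size_t model_build_error(struct model_mbuf *m, const unsigned char *bad, size_t icmplen)
{
    size_t hdrs = IP_HDR_LEN + ICMP_MINLEN;
    if (m->cap > MODEL_MCLBYTES || m->cap < hdrs || icmplen > m->cap - hdrs)
        return 0;
    memcpy(m->data + hdrs, bad, icmplen);
    m->len = hdrs + icmplen;
    return m->len;
}
```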

Reference(s)

Semmle Discovers Six Critical Vulnerabilities Affecting Macs, iPhones, and iPads
https://semmle.com/news/apple-xnu-kernel-icmp-nfs-vulnerabilities

Kernel RCE caused by buffer overflow in Apple’s ICMP packet-handling code (CVE-2018-4407)
https://lgtm.com/blog/apple_xnu_icmp_error_CVE-2018-4407

APPLE-SA-2018-10-30-8 Additional information for APPLE-SA-2018-9-24-4 iOS 12
https://lists.apple.com/archives/security-announce/2018/Oct/msg00009.html

APPLE-SA-2018-10-30-10 Additional information for APPLE-SA-2018-9-24-5 watchOS 5
https://lists.apple.com/archives/security-announce/2018/Oct/msg00011.html

APPLE-SA-2018-10-30-2 macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra
https://lists.apple.com/archives/security-announce/2018/Oct/msg00003.html

APPLE-SA-2018-10-30-11 Additional information for APPLE-SA-2018-9-24-6 tvOS 12
https://lists.apple.com/archives/security-announce/2018/Oct/msg00012.html

CVE-2018-4407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4407

CVE-2018-4407
https://nvd.nist.gov/vuln/detail/CVE-2018-4407

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.