OPNsense Forum

English Forums => General Discussion => Topic started by: zaggynl on November 09, 2018, 04:32:09 pm

Title: CVE-2018-17156 Ping vulnerability? Is OPNsense affected?
Post by: zaggynl on November 09, 2018, 04:32:09 pm
Details in here: https://www.reddit.com/r/BSD/comments/9v6xwg/remotely_triggerable_icmp_buffer_underwrite_in/

Title: Re: CVE-2018-17156 Ping vulnerability? Is OPNsense affected?
Post by: lattera on November 09, 2018, 10:17:23 pm
FreeBSD 11.1, which OPNsense is currently based on, is not affected when the sysctl nodes have been left to their default values.

The soon-to-be-released FreeBSD 12.0 was affected (along with 13-CURRENT). I'm paying attention to how this folds out and will keep you updated should anything change.

Title: Re: CVE-2018-17156 Ping vulnerability? Is OPNsense affected?
Post by: lattera on November 10, 2018, 01:03:30 am
I should clarify that OPNsense is not affected by the ICMP issue when the net.inet.icmp.quotelen sysctl node is kept at its default value of 8.

Details are scarce regarding the net.inet.ip.maxfragsperpacket sysctl node and the code that uses it. It would be good to see a security audit of these older networking bits of code.

In HardenedBSD 13-CURRENT, I've defaulted both those sysctl nodes to the values recommended in that Reddit post: https://github.com/HardenedBSD/hardenedBSD/commit/d60f241d77eb286179aa25bc58a99b55833b2d10
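
The condition described in the post above, as an added example that is not part of the thread or of OPNsense's own tooling: a shell check that parses `sysctl` output and flags net.inet.icmp.quotelen when it differs from the default of 8 stated in the post. The function names and the sample input are assumptions made for illustration; net.inet.ip.maxfragsperpacket is only reported, because the thread states no reference value for it.

```shell
#!/bin/sh
# Added example, not from the thread. The default of 8 for
# net.inet.icmp.quotelen is the value stated in the post above.
QUOTELEN_DEFAULT=8

# sysctl_value NAME: read `sysctl` output ("name: value" lines) on stdin,
# print NAME's value, and return 1 if the node is not in the input.
sysctl_value() {
    awk -v n="$1" -F': *' '$1 == n { print $2; found = 1; exit }
                           END { exit !found }'
}

# audit_icmp_sysctls: read `sysctl` output on stdin and print a verdict.
# Returns 0 = quotelen at default, 1 = changed, 2 = missing or unparsable.
audit_icmp_sysctls() {
    input=$(cat)
    # The thread gives no reference value for this node, so only report it.
    frags=$(printf '%s\n' "$input" | sysctl_value net.inet.ip.maxfragsperpacket) &&
        echo "INFO net.inet.ip.maxfragsperpacket=$frags (no reference value in thread)"
    val=$(printf '%s\n' "$input" | sysctl_value net.inet.icmp.quotelen) || {
        echo "UNKNOWN net.inet.icmp.quotelen not found in input"
        return 2
    }
    case "$val" in
        ''|*[!0-9]*)
            echo "UNKNOWN net.inet.icmp.quotelen has non-numeric value '$val'"
            return 2 ;;
    esac
    if [ "$val" -eq "$QUOTELEN_DEFAULT" ]; then
        echo "OK net.inet.icmp.quotelen=$val (default)"
        return 0
    fi
    echo "REVIEW net.inet.icmp.quotelen=$val (default is $QUOTELEN_DEFAULT)"
    return 1
}

# Constructed sample input, not captured from a real system.
SAMPLE='net.inet.icmp.quotelen: 8
net.inet.ip.maxfragsperpacket: 16'
printf '%s\n' "$SAMPLE" | audit_icmp_sysctls
```

On the firewall itself, feed it live values with `sysctl net.inet.icmp.quotelen net.inet.ip.maxfragsperpacket | audit_icmp_sysctls`.
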
Title: Re: CVE-2018-17156 Ping vulnerability? Is OPNsense affected?
Post by: zaggynl on November 10, 2018, 10:57:37 am
Thank you, good to hear.