Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
General Discussion
»
CVE-2018-17156 Ping vulnerability? Is Opnsense affected?
« previous
next »
Print
Pages: [
1
]
Author
Topic: CVE-2018-17156 Ping vulnerability? Is Opnsense affected? (Read 3428 times)
zaggynl
Newbie
Posts: 18
Karma: 1
CVE-2018-17156 Ping vulnerability? Is Opnsense affected?
«
on:
November 09, 2018, 04:32:09 pm »
Details in here:
https://www.reddit.com/r/BSD/comments/9v6xwg/remotely_triggerable_icmp_buffer_underwrite_in/
Logged
lattera
Full Member
Posts: 207
Karma: 82
Re: CVE-2018-17156 Ping vulnerability? Is Opnsense affected?
«
Reply #1 on:
November 09, 2018, 10:17:23 pm »
FreeBSD 11.1, which OPNsense is currently based on, is not affected when the sysctl nodes have been left to their default values.
The soon-to-be-released FreeBSD 12.0 was affected (along with 13-CURRENT). I'm paying attention to how this folds out and will keep you updated should anything change.
Logged
lattera
Full Member
Posts: 207
Karma: 82
Re: CVE-2018-17156 Ping vulnerability? Is Opnsense affected?
«
Reply #2 on:
November 10, 2018, 01:03:30 am »
I should clarify that OPNsense is not affected by the ICMP issue when the net.inet.icmp.quotelen sysctl node is kept at its default value of 8.
Details are scarce regarding the net.inet.ip.maxfragsperpacket sysctl node and the code that uses it. It would be good to see a security audit of these older networking bits of code.
In HardenedBSD 13-CURRENT, I've defaulted both those sysctl nodes to the values recommended in that Reddit post:
https://github.com/HardenedBSD/hardenedBSD/commit/d60f241d77eb286179aa25bc58a99b55833b2d10
Logged
zaggynl
Newbie
Posts: 18
Karma: 1
Re: CVE-2018-17156 Ping vulnerability? Is Opnsense affected?
«
Reply #3 on:
November 10, 2018, 10:57:37 am »
Thank you, good to hear.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
General Discussion
»
CVE-2018-17156 Ping vulnerability? Is Opnsense affected?