iputils Ping Signed Integer Overflow Vulnerability in RTT Calculation Allows Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the 'ping' utility of 'iputils' through version '20240905'. The issue arises from a signed 64-bit integer overflow in the calculation of round-trip time (RTT) when processing crafted ICMP Echo Reply packets. The overflow occurs because the timestamp seconds are multiplied by 1,000,000 without proper validation, which is undefined behavior. In builds with 'AddressSanitizer' enabled, the overflow is detected as a runtime error, but in standard builds it goes unnoticed and produces incorrect RTT statistics. This vulnerability can disrupt monitoring systems that rely on accurate ping data.

Impact

Exploitation of this vulnerability causes a signed integer overflow, which is detected as a runtime error under 'AddressSanitizer'. In normal builds, however, the overflow wraps silently, clamping the RTT value to zero. The distorted RTT readings lead to incorrect statistics and, when 'ping' is used with the adaptive interval option, to high CPU usage from a busy-wait loop. Similar overflow issues can also occur with large values for the packet size and preload parameters, further exacerbating the denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a crafted ICMP Echo Reply that includes a large timestamp, which triggers the integer overflow in the RTT calculation. This can be done using the 'ping' command with specific options that manipulate the ICMP payload, such as the 'ICMP Echo' type and a timestamp that exceeds the signed long range. The overflow can be observed as a runtime error when 'ping' is run with 'AddressSanitizer' enabled, or as incorrect RTT statistics when 'ping' is used in adaptive mode.

Remediation

The vulnerability has been fixed in 'iputils' version '20240905' and in the 'iputils' package version '3:20240117-1build1' available on Ubuntu 24.04.1 LTS. Users can update to these versions to address the vulnerability.
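The validation that the multiplication described under Vulnerability lacks can be sketched as follows. This is an added example, not the iputils fix and not code from this advisory; the function name, its parameters, and the sample values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

#define USEC_PER_SEC 1000000LL

/* Hypothetical helper: returns 0 and stores the RTT in microseconds in *rtt,
 * or -1 if the echoed timestamp is malformed or the result would not fit. */
int rtt_usec_checked(int64_t sent_sec, int64_t sent_usec,
                     int64_t recv_sec, int64_t recv_usec, int64_t *rtt)
{
    /* Microsecond fields must be normalised before any arithmetic. */
    if (sent_usec < 0 || sent_usec >= USEC_PER_SEC ||
        recv_usec < 0 || recv_usec >= USEC_PER_SEC)
        return -1;

    /* recv_sec - sent_sec can itself overflow for an untrusted sent_sec. */
    if ((sent_sec < 0 && recv_sec > INT64_MAX + sent_sec) ||
        (sent_sec > 0 && recv_sec < INT64_MIN + sent_sec))
        return -1;
    int64_t dsec = recv_sec - sent_sec;

    /* A reply cannot precede its request: reject negative intervals. */
    int64_t dusec = recv_usec - sent_usec;      /* in (-1e6, 1e6) */
    if (dsec < 0 || (dsec == 0 && dusec < 0))
        return -1;

    /* Bound dsec so that dsec * 1e6 + dusec stays inside int64_t. */
    if (dsec > (INT64_MAX - (USEC_PER_SEC - 1)) / USEC_PER_SEC)
        return -1;

    *rtt = dsec * USEC_PER_SEC + dusec;
    return 0;
}

int main(void)
{
    /* Constructed sample: an echoed timestamp far outside any sane range. */
    int64_t rtt = 0;
    int rc = rtt_usec_checked(INT64_MIN, 0, 1700000000, 0, &rtt);
    printf("rc=%d rtt=%lld\n", rc, (long long)rtt);
    return 0;
}
```

A caller would drop the sample from the RTT statistics when the helper returns -1 rather than record a wrapped value.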

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 2.5
exploitability: 6.0
remediation: 7.7
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.