A security researcher has discovered a new iteration of a very old vulnerability known as the ping of death, this time in Apple operating systems. What is the ping of death and how does it affect Apple's vulnerable products?
The ping of death is a type of denial-of-service attack in which an attacker sends oversized ping packets to crash targeted systems. It was first reported well over 20 years ago, and it has turned up in many different systems that implement ping. In short, when a vulnerable system receives a ping request carried in a packet longer than the 65,535-octet maximum that IPv4 specifies, it is likely to crash.
This instance of the ping of death was discovered by Semmle security research engineer Kevin Backhouse, who disclosed it on Oct. 30, 2018. The vulnerability, found in the Internet Control Message Protocol (ICMP) packet-handling code that Apple uses to implement ping, is tracked as CVE-2018-4407. It is considered a particular threat to users of public hotspots, because their devices are visible to any attacker sharing the network.
The bug is a flaw in Apple's operating system, specifically in the XNU networking code, that allows a buffer overflow when a packet is larger than the device can handle (the smallest packet that can be used is 56 bytes). Like any large, well-formed IPv4 packet, a ping-of-death packet is fragmented into pieces aligned on eight-octet boundaries before it is transmitted to the device. When the fragments are reassembled into a malformed ping packet, the buffer overflow can occur.
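As an added defender-side example (not code from the article or from Apple), the check an intrusion detection system applies to fragmented traffic to spot the condition described above: tracking each ICMP datagram's fragments by (source, destination, IP ID) and flagging any whose reassembled total length would exceed the 65,535-octet IPv4 maximum. The sample fragments are constructed in the code; the addresses are placeholders.

```python
import struct
from collections import defaultdict
IPV4_MAX_TOTAL_LENGTH = 65535  # largest total length an IPv4 datagram may carry
IPPROTO_ICMP = 1

def parse_ipv4_header(pkt: bytes) -> dict:
    """Pull the fields reassembly needs out of a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"ihl": ihl, "id": ident, "proto": proto, "src": src, "dst": dst,
            "offset": (flags_frag & 0x1FFF) * 8,   # offset field counts 8-octet units
            "payload_len": total_len - ihl}

def oversized_icmp_datagrams(packets):
    """Return (src, dst, id) keys of ICMP datagrams whose reassembled total
    length would exceed 65,535 octets: the ping-of-death condition."""
    highest_end = defaultdict(int)
    flagged = set()
    for pkt in packets:
        h = parse_ipv4_header(pkt)
        if h["proto"] != IPPROTO_ICMP:
            continue
        key = (h["src"], h["dst"], h["id"])
        # Reassembled length = one IP header + the furthest fragment end seen so far.
        end = h["ihl"] + h["offset"] + h["payload_len"]
        highest_end[key] = max(highest_end[key], end)
        if highest_end[key] > IPV4_MAX_TOTAL_LENGTH:
            flagged.add(key)
    return flagged

SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed placeholder addresses
def make_fragment(ident, offset_units, payload_len, more_fragments):
    """Build a constructed IPv4/ICMP fragment (header + zero payload) for testing."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_frag, 64, IPPROTO_ICMP, 0, SRC, DST)
    return hdr + bytes(payload_len)

# Constructed sample: datagram 1 is a benign 3-fragment ping; datagram 2 ends past 65,535.
SAMPLE = [
    make_fragment(1, 0, 1480, True),
    make_fragment(1, 185, 1480, True),   # 185 * 8 = 1480
    make_fragment(1, 370, 64, False),
    make_fragment(2, 0, 1480, True),
    make_fragment(2, 8189, 40, False),   # 20 + 8189*8 + 40 = 65,572 octets
]
```

Only datagram 2 is reported; a legitimate fragmented ping never needs a fragment whose end lies beyond the IPv4 maximum, so the check produces no false positives on well-formed traffic.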
The ping of death is easy to exploit, and it is commonly used by relatively unskilled adversaries, who can write short scripts that loop endlessly to send a stream of malformed, oversized ping packets. Such scripts only stop when the target system stops responding to network requests entirely.
Apple products vulnerable to this flaw in the ICMP packet-handling module of the XNU kernel's networking code have been patched; they include Apple iOS, Apple macOS High Sierra and Sierra, and Apple OS X El Capitan.
Backhouse further found that the heap buffer overflow could enable an attacker to remotely execute code on, or extract data from, a targeted device by injecting malicious data through the overflow; at a minimum, it causes vulnerable, unpatched devices to crash.
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)