Brian Jackson - Fotolia

Ping of death: What is it and how is Apple affected?

An Apple vulnerability recently resurfaced and is targeting Apple devices that are connected to public hotspots. Discover what this vulnerability is and how to protect your devices.

A security researcher has discovered a new iteration of a very old vulnerability known as the ping of death, this time in Apple operating systems. What is the ping of death and how does it affect Apple's vulnerable products?

The ping of death is a type of denial-of-service attack in which an attacker sends oversized ping packets to crash targeted systems. It was first reported well over 20 years ago, and it has been found in many different systems that implement the ping protocol. In a word, when a vulnerable system receives a ping request in a packet that is longer than the maximum 65,535 octets specified in IPv4, it is likely to crash.

This instance of the ping of death was discovered by Semmle security research engineer Kevin Backhouse, who made the disclosure on Oct. 30, 2018. This latest ping of death vulnerability -- which was found in Apple's Internet Control Message Protocol (ICMP) packet-handling code that is used to implement ping -- is tracked as CVE-2018-4407 and is considered a threat to public hotspot users, as they are visible to attackers when in public.

The bug exists due to a flaw in Apple's operating system, specifically in the XNU networking code, that creates a buffer overflow when packet sizes are bigger than the device can handle; however, the minimum packet size that can be used is 56 bytes. Just like large, well-formed packets, the ping of death is fragmented into groups of eight octets before the packets are transmitted to the device. When the fragments are reassembled as a malformed ping packet, a buffer overflow can occur.

The ping of death vulnerability is easy to exploit, and it is commonly used by relatively unskilled adversaries who can easily write short scripts that loop infinitely to send a stream of malformed and too-large ping packets. The scripts only stop executing when the target system stops responding to network requests entirely.

Apple products vulnerable to this flaw in the ICMP packet-handing module of the XNU kernel's networking code have been patched, but they include Apple iOS, Apple macOS High Sierra and Sierra, and Apple OS X El Capitan.

Backhouse further discovered that a heap buffer overflow could enable an attacker to remotely execute code or extract data from a targeted device by injecting malicious data into the buffer overflow, causing all the vulnerable, unpatched devices to crash.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Dig Deeper on Network security