Bug #16593
Potential remote command execution via DNSSL router advertisement messages
Status: open
% Done: 100%
Description
FreeBSD published the following security advisory for a remote command execution vulnerability in rtsold, which also affects pfSense software: https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc
The vulnerability requires an attacker to be on the same network as a pfSense software installation interface configured to obtain an IPv6 address using DHCPv6 (e.g. WAN) and the attacker must also be able to send multicast messages to that pfSense software installation interface. In this case, an attacker can send a properly timed IPv6 router advertisement message containing a DNS search list (DNSSL) entry with a malicious payload, and the contents could be executed as shell commands on the pfSense software installation.
This is possible due to a lack of validation for DNS search list data. The rtsold daemon executes a script to update the system DNS configuration when it receives an IPv6 router advertisement message containing RDNSS (Recursive DNS servers) or DNSSL (DNS search list) content. The rtsold daemon does not validate the content of DNSSL data when passing it directly to a shell script, /sbin/resolvconf, which also does not validate the data before use.
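As an added illustration of the missing check described above (this is example code, not code from rtsold, FreeBSD, pfSense or the FreeBSD fix), the following C function accepts a DNSSL entry only if it is a syntactically valid hostname under RFC 1035 rules, so any entry carrying shell metacharacters, whitespace or control characters is dropped before a search list would ever be handed to a script. The function names and the sample router-advertisement entries are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Limits from RFC 1035: 63 octets per label, 253 characters for a full
 * domain name in presentation form. */
#define DNSSL_MAX_LABEL 63
#define DNSSL_MAX_NAME  253

static bool is_hostname_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* Returns true only for a plausible DNS search-list entry: ASCII letters,
 * digits, '-' and '.', labels of 1..63 characters that neither start nor
 * end with '-', total length <= 253, no empty labels. A single trailing
 * dot ("example.com.") is allowed. Everything else, including spaces,
 * quotes, ';', '$', '`' and newlines, is rejected. */
bool dnssl_entry_is_safe(const char *name)
{
    if (name == NULL)
        return false;

    size_t len = strlen(name);
    if (len == 0 || len > DNSSL_MAX_NAME)
        return false;

    size_t label_len = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '.') {
            if (label_len == 0)            /* empty label: ".x" or "a..b" */
                return false;
            if (name[i - 1] == '-')        /* label ending in '-' */
                return false;
            label_len = 0;
            continue;
        }
        if (!is_hostname_char(c))
            return false;
        if (label_len == 0 && c == '-')    /* label starting with '-' */
            return false;
        if (++label_len > DNSSL_MAX_LABEL)
            return false;
    }
    /* Last label (when there is no trailing dot) must not end in '-'. */
    if (label_len > 0 && name[len - 1] == '-')
        return false;
    return true;
}

/* Copies the safe entries of `in` into `out` and returns how many were kept.
 * Rejected entries are logged by index only: echoing untrusted data into a
 * log is itself a way to smuggle control characters into log consumers. */
size_t dnssl_filter(const char *const *in, size_t n_in,
                    const char **out, size_t max_out)
{
    size_t n_out = 0;
    for (size_t i = 0; i < n_in && n_out < max_out; i++) {
        if (dnssl_entry_is_safe(in[i]))
            out[n_out++] = in[i];
        else
            fprintf(stderr, "rejecting DNSSL entry #%zu\n", i);
    }
    return n_out;
}

/* Constructed sample: what a router advertisement's DNSSL option might carry
 * after the daemon has decoded it. Only the first two entries are valid. */
static const char *const sample_dnssl[] = {
    "corp.example.com",
    "lab.example.net.",
    "a..b",             /* empty label */
    "-bad.example",     /* label starts with '-' */
    "not a domain",     /* whitespace */
    "example.com;x",    /* shell metacharacter */
};

size_t demo_accepted_count(void)
{
    const char *accepted[8];
    return dnssl_filter(sample_dnssl, 6, accepted, 8);
}

int main(void)
{
    const char *accepted[8];
    size_t n = dnssl_filter(sample_dnssl, 6, accepted, 8);
    for (size_t i = 0; i < n; i++)
        printf("search %s\n", accepted[i]);   /* only the two valid names */
    return 0;
}
```

A daemon that applies this filter before invoking any external script reduces the DNSSL hand-off to a strict allow-list, which is the general shape of the check the vulnerable path lacks; it is independent of, and complementary to, the pfSense workaround of not running the script at all.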
pfSense software does not rely on /sbin/resolvconf to manage resolv.conf, and it configures that script to not write any files, but the script still gets executed and processes the problematic data, and thus is vulnerable.
However, pfSense software runs rtsold with the -1 parameter which causes it to terminate after the first response it receives. Therefore, the rtsold daemon is only active for a brief window during interface configuration. This limits exposure, as the first response is typically the router on the segment. However, this also creates a race condition where the attacker can still trigger the bug if they respond first, or if the attacker is the only responder.
Since pfSense software does not rely on /sbin/resolvconf, the workaround for this problem in the attached patch is to pass -R /usr/bin/true to rtsold which prevents it from executing the problematic script. With that change in place, the malicious data has no effect. FreeBSD has added validation to rtsold which will address the problem at a lower level in future releases of pfSense software.
To mitigate this issue, users without IPv6 connectivity should ensure that no interfaces are configured to use DHCPv6.
Users with IPv6 connectivity requiring DHCPv6 should apply the attached patch or the corresponding recommended patch in the System Patches package when it is available. An updated System Patches package has been published for Plus 25.11, Plus 25.07.1, and CE 2.8.1, and it is available now.
The attached patch applies on pfSense Plus software versions 23.05 and newer, as well as pfSense CE software versions 2.7.0 and newer. Older installations should upgrade to a supported release or make similar source changes manually.