Bug #16593
Updated by Jim Pingle 2 days ago
FreeBSD published the following security advisory for rtsold: https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc
The @rtsold@ daemon executes a script to update the DNS configuration when it receives a router advertisement with RDNSS (DNS server) or DNSSL (DNS Search List) content. The @rtsold@ daemon does not validate the content of those messages and passes the values directly to a shell script, @/sbin/resolvconf@, which also does not fully validate the messages before use.
A malicious host on the same segment as a WAN configured for IPv6 connectivity could potentially send a properly timed message containing a specially-crafted DNS search list (DNSSL) entry and the contents may be executed as shell commands on the system running @rtsold@.
pfSense software does not rely on @/sbin/resolvconf@ to manage @resolv.conf@ and it configures that script to not write any files (set to use @/dev/null@), but the script still gets executed, and thus it is vulnerable.
However, pfSense software runs @rtsold@ with the @-1@ parameter, which causes it to terminate after the first response it receives. Therefore, the @rtsold@ daemon is only active for a brief window during interface configuration. This limits exposure, as the first response is typically the router on the segment; however, it also creates a race condition where an attacker can still trigger the bug if they respond first or are the only responder.
Since pfSense software does not rely on @/sbin/resolvconf@, we can work around this by passing @-R /usr/bin/true@ to @rtsold@ to prevent executing the problematic script. With that change in place, the malicious parameters have no effect.
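As an added illustration (not code from this bug report, FreeBSD, or pfSense), the script below shows the two defensive checks the paragraphs above imply: a whitelist validator for DNSSL/RDNSS values, which is the kind of validation the advisory says @rtsold@ and @/sbin/resolvconf@ lack, and a check that a given @rtsold@ command line carries the @-R /usr/bin/true@ workaround. The function names, the RFC 1123 hostname grammar used to define "valid", the sample search-list string and the sample @rtsold@ command line (@/usr/sbin/rtsold -1 -R /usr/bin/true em0@) are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report or of FreeBSD/pfSense code.
# Function names, the hostname grammar and all sample inputs are assumptions.

# Return 0 if $1 is a syntactically valid DNS search-list entry:
# dot-separated labels of letters, digits and hyphens, 1-63 chars each,
# no leading or trailing hyphen, at most 253 chars total, one optional
# trailing dot. Anything else (shell metacharacters, whitespace, empty
# labels, newlines) returns 1, so it never reaches a shell script.
valid_dnssl_entry() {
    local name rest label
    name=$1
    [ -n "$name" ] || return 1
    name=${name%.}                       # tolerate the FQDN trailing dot
    [ -n "$name" ] || return 1
    case $name in *.) return 1 ;; esac   # but not two of them
    [ ${#name} -le 253 ] || return 1
    rest=$name
    while :; do
        case $rest in
            *.*) label=${rest%%.*}; rest=${rest#*.} ;;
            *)   label=$rest; rest='' ;;
        esac
        case $label in
            '' | -* | *- | *[!A-Za-z0-9-]*) return 1 ;;
        esac
        [ ${#label} -le 63 ] || return 1
        [ -n "$rest" ] || break
    done
    return 0
}

# Print only the valid entries of a whitespace-separated search list, one
# per line. Malformed or hostile entries are silently dropped.
filter_dnssl_list() {
    local entry
    set -f                               # no pathname expansion while splitting
    for entry in $1; do
        if valid_dnssl_entry "$entry"; then
            printf '%s\n' "$entry"
        fi
    done
    set +f
}

# Return 0 if the rtsold command line in $1 invokes the no-op script
# /usr/bin/true via -R (the pfSense workaround), 1 otherwise.
rtsold_noop_script_set() {
    local prev arg
    prev=''
    set -f
    for arg in $1; do
        if [ "$prev" = "-R" ] && [ "$arg" = "/usr/bin/true" ]; then
            set +f
            return 0
        fi
        prev=$arg
    done
    set +f
    return 1
}

# Constructed sample inputs: a search list with one hostile entry and
# an rtsold command line carrying the workaround.
sample_list='corp.example lan.example;b -bad.example'
sample_cmd='/usr/sbin/rtsold -1 -R /usr/bin/true em0'

echo "accepted search-list entries:"
filter_dnssl_list "$sample_list"
if rtsold_noop_script_set "$sample_cmd"; then
    echo "rtsold workaround active"
fi
```

The validator is deliberately a whitelist: rather than trying to enumerate shell metacharacters, it accepts only the characters a hostname may contain, so any unexpected byte is rejected by default. On a pfSense system the command-line check could be fed the @rtsold@ entry from @ps@ output to confirm the workaround is in effect.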
Users without IPv6 connectivity should ensure that WAN interfaces are not configured for IPv6.
Users with IPv6 connectivity should apply the attached patch or the corresponding recommended patch in the system patches package.
The attached patch should apply on versions Plus 23.05 or CE 2.7.0 and newer. Older installations should upgrade to a supported release or make similar source changes manually.