Bug #16593

Updated by Jim Pingle 1 day ago

FreeBSD published the following security advisory for a remote command execution vulnerability in @rtsold@, which also affects pfSense software: https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc

The vulnerability requires an attacker to be on the same network as a pfSense software installation with a WAN interface configured for IPv6 connectivity, and the attacker must also be able to send multicast messages to the pfSense software installation. In this case, an attacker can send a properly timed IPv6 router advertisement message containing a DNS search list (DNSSL) entry with a malicious payload, and the contents could be executed as shell commands on the pfSense software installation.

This is possible due to a lack of validation for DNS search list data. The @rtsold@ daemon executes a script to update the system DNS configuration when it receives an IPv6 router advertisement message containing RDNSS (Recursive DNS servers) or DNSSL (DNS search list) content. The @rtsold@ daemon does not validate the content of DNSSL data when passing it directly to a shell script, @/sbin/resolvconf@, which also does not fully validate the data before use.


pfSense software does not rely on @/sbin/resolvconf@ to manage @resolv.conf@, and it configures that script to not write any files (set to use @/dev/null@), but the script still gets executed and processes the problematic data, and thus it is vulnerable.

However, pfSense software runs @rtsold@ with the @-1@ parameter, which causes it to terminate after the first response it receives. Therefore, the @rtsold@ daemon is only active for a brief window during interface configuration. This limits exposure, as the first response is typically the router on the segment. However, this also creates a race condition where the attacker can still trigger the bug if they respond first, or if they are the only responder.

Since pfSense software does not rely on @/sbin/resolvconf@, the workaround for this problem in the attached patch is to pass @-R /usr/bin/true@ to @rtsold@, which prevents it from executing the problematic script. With that change in place, the malicious data has no effect. FreeBSD has added validation to @rtsold@ which will address the problem at a lower level in future releases of pfSense software.

To mitigate this issue, users without IPv6 connectivity should ensure that WAN interfaces are not configured to use IPv6.

Users with IPv6 connectivity should apply the attached patch or the corresponding patch in the "System Patches package":https://docs.netgate.com/pfsense/en/latest/development/system-patches.html when it is available. An updated System Patches package will be published for Plus 25.11, Plus 25.07.1, and CE 2.8.1.

The attached patch applies to pfSense Plus software versions 23.05 and newer, as well as pfSense CE software versions 2.7.0 and newer. Older installations should upgrade to a supported release or make similar source changes manually.
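An audit helper for the @-R /usr/bin/true@ workaround, added here as an example and not code from this issue or the attached patch; it assumes @ps -axo pid,args@ style output and constructs its own sample lines:

```shell
#!/bin/sh
# Added example, not part of the pfSense issue or its patch: audit rtsold
# invocations for the "-R /usr/bin/true" workaround described above.

# Return 0 if one rtsold command line carries -R /usr/bin/true, else 1.
# Only /usr/bin/true counts: -R with any other script would still run it.
rtsold_cmdline_mitigated() {
    case "$1" in
        *"-R /usr/bin/true"|*"-R /usr/bin/true "*|*"-R/usr/bin/true"|*"-R/usr/bin/true "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read lines on stdin (ps output, or a script that launches rtsold), print
# every rtsold invocation that lacks the workaround, return 1 if any found.
report_unmitigated() {
    found=0
    while IFS= read -r line; do
        case "$line" in
            *rtsold*) ;;   # only lines that mention rtsold matter
            *) continue ;;
        esac
        if ! rtsold_cmdline_mitigated "$line"; then
            echo "NOT mitigated: $line"
            found=1
        fi
    done
    return "$found"
}

# Live check. rtsold is run with -1 on pfSense and exits after the first
# router advertisement, so an empty result here proves nothing by itself;
# also feed the script that starts rtsold through report_unmitigated.
audit_running_rtsold() {
    ps -axo pid,args 2>/dev/null | report_unmitigated
}

# Constructed sample of "ps -axo pid,args" output (not from a real host).
SAMPLE_PS='1234 /usr/sbin/rtsold -d -1 -R /usr/bin/true vtnet0
1240 /usr/sbin/rtsold -d -1 vtnet1
1250 /usr/sbin/rtsold -d -1 -R /sbin/resolvconf vtnet2
1260 /usr/sbin/sshd'

# Count the unmitigated invocations in a block of text (2 for SAMPLE_PS).
count_unmitigated() {
    printf '%s\n' "$1" | report_unmitigated | wc -l | tr -d ' '
}
```

Call @audit_running_rtsold@ on the host to check live processes, keeping in mind the brief lifetime of @rtsold@ noted above.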
