Bug #16593
Updated by Jim Pingle 1 day ago
FreeBSD published the following security advisory for a remote command execution vulnerability in @rtsold@, which also affects pfSense software: https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc

The vulnerability requires an attacker to be on the same network as a pfSense software installation with an interface configured to obtain an IPv6 address using DHCPv6 (e.g. WAN), and the attacker must also be able to send multicast messages to that interface of the pfSense software installation. In this case, an attacker can send a properly timed IPv6 router advertisement message containing a DNS search list (DNSSL) entry with a malicious payload, and the contents could be executed as shell commands on the pfSense software installation.

This is possible due to a lack of validation for DNS search list data. The @rtsold@ daemon executes a script to update the system DNS configuration when it receives an IPv6 router advertisement message containing RDNSS (Recursive DNS servers) or DNSSL (DNS search list) content. The @rtsold@ daemon does not validate the content of DNSSL data when passing it directly to a shell script, @/sbin/resolvconf@, which also does not validate the data before use. pfSense software does not rely on @/sbin/resolvconf@ to manage @resolv.conf@, and it configures that script to not write any files, but the script still gets executed and processes the problematic data, and thus is vulnerable.

However, pfSense software runs @rtsold@ with the @-1@ parameter, which causes it to terminate after the first response it receives. Therefore, the @rtsold@ daemon is only active for a brief window during interface configuration. This limits exposure, as the first response is typically the router on the segment. However, this also creates a race condition where the attacker can still trigger the bug if they respond first, or if the attacker is the only responder.
Since pfSense software does not rely on @/sbin/resolvconf@, the workaround for this problem in the attached patch is to pass @-R /usr/bin/true@ to @rtsold@, which prevents it from executing the problematic script. With that change in place, the malicious data has no effect. FreeBSD has added validation to @rtsold@ which will address the problem at a lower level in future releases of pfSense software.

To mitigate this issue, users without IPv6 connectivity should ensure that no interfaces are configured to use DHCPv6. Users with IPv6 connectivity requiring DHCPv6 should apply the attached patch or the corresponding recommended patch in the "System Patches package":https://docs.netgate.com/pfsense/en/latest/development/system-patches.html when it is available. An updated System Patches package will be published for Plus 25.11, Plus 25.07.1, and CE 2.8.1.

The attached patch applies on pfSense Plus software versions 23.05 and newer, as well as pfSense CE software versions 2.7.0 and newer. Older installations should upgrade to a supported release or make similar source changes manually.
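The following is an added example and is not code from the bug tracker note above, from pfSense, from FreeBSD's @rtsold@ or from @/sbin/resolvconf@. It illustrates the bug class the note describes (a DNS search list taken from a router advertisement and re-parsed by a shell) next to the kind of syntactic check that keeps RA-supplied names from ever being interpreted as shell source. The function names, the sample list and the benign @$(echo INJECTED)@ marker are constructed for the example; @write_search_unsafe@ is a hypothetical stand-in for the bug class, not a copy of the real @resolvconf@ code path.

```shell
#!/bin/sh
# Added example, not code from pfSense, FreeBSD rtsold or /sbin/resolvconf.
# Shows the bug class (a DNS search list expanded through the shell) beside
# the check a hook script should apply before RA-supplied data reaches a shell.
# Assumes entries arrive whitespace-separated in one string, as a search-list
# hook would receive them.
set -f   # no pathname expansion while we word-split untrusted input

# Return 0 if $1 is a syntactically valid DNS name (RFC 1035 hostname rules):
# labels of 1-63 letters, digits or hyphens, no leading/trailing hyphen,
# at most 253 characters in total. Every shell metacharacter fails this test.
dns_name_is_valid() {
    name=${1%.}                          # tolerate one trailing dot
    [ -n "$name" ] && [ ${#name} -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;    # anything outside the DNS alphabet
        .*|*.|*..*)       return 1 ;;    # empty label
    esac
    oldifs=$IFS; IFS=.
    for label in $name; do
        IFS=$oldifs
        [ ${#label} -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac
    done
    IFS=$oldifs
    return 0
}

# Filter a whitespace-separated search list: print the entries that pass
# dns_name_is_valid on one line and return 1 if any entry was dropped.
filter_search_list() {
    out=""; rc=0
    for entry in $1; do
        if dns_name_is_valid "$entry"; then
            out="${out:+$out }$entry"
        else
            rc=1
        fi
    done
    printf '%s\n' "$out"
    return $rc
}

# Bug class (hypothetical stand-in, not the real resolvconf code path): the
# list is re-parsed by the shell, so $(...), backticks or ';' in an entry run.
write_search_unsafe() {
    eval "printf 'search %s\n' $1"
}

# Hardened form: validate first, fail closed on any bad entry, and pass the
# surviving data to printf as an argument, never as shell source.
write_search_safe() {
    list=$(filter_search_list "$1") || return 1
    printf 'search %s\n' "$list"
}

# Constructed sample: a benign marker stands in for a real payload.
SAMPLE='example.net $(echo INJECTED) corp.example.'

main() {
    echo "unsafe: $(write_search_unsafe "$SAMPLE")"
    write_search_safe "$SAMPLE" || echo "safe: rejected an entry"
}

main "$@"
```

The hardened writer fails closed: one invalid entry discards the whole list instead of silently dropping it, and nothing derived from the advertisement is ever evaluated by the shell. The @-R /usr/bin/true@ workaround in the note is the stricter version of the same rule, since with it no script sees the advertisement data at all.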