FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- Multiple vulnerabilities in rtsold

Affected packages
12.2 <= FreeBSD < 12.2_1
12.1 <= FreeBSD < 12.1_11
11.4 <= FreeBSD < 11.4_5

Details

VuXML ID e2748c9d-3483-11eb-b87a-901b0ef719ab
Discovery 2020-12-01
Entry 2020-12-02

Problem Description:

Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First, rtsold(8) failed to perform sufficient bounds checking on the extent of the option. In particular, it does not verify that the option does not extend past the end of the received packet before processing its contents. The kernel currently ignores such malformed packets but still passes them to userspace programs.

Second, when processing a DNSSL option, rtsold(8) decodes domain name labels per an encoding specified in RFC 1035 in which the first octet of each label contains the label's length. rtsold(8) did not validate label lengths correctly and could overflow the destination buffer.

Impact:

It is believed that these bugs could be exploited to gain remote code execution within the rtsold(8) daemon, which runs as root. Note that rtsold(8) only processes messages received from hosts attached to the same physical link as the interface(s) on which rtsold(8) is listening.

In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the scope of a compromised rtsold(8) process.

References

CVE Name CVE-2020-25577
FreeBSD Advisory SA-20:32.rtsold