Date: Mon, 22 Dec 2025 21:03:08 +0000
From: Polarian
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD-SA-25:12.rtsold.asc clarification needed

Hey,

I discussed this within #freebsd on libera.chat.

> Just trying to better understand this issue as it says no work around
> is available yet if ipv6 is disabled, this seems like a work around ?

So is unplugging the ethernet cable and burying the device in a lead
box surrounded in 3 metres of concrete.

> And more specifically, to be vulnerable, does rtsold need to be
> actually running ? Or does the program get called by the kernel
> somehow. ie. I need rtsold_enable="YES" in /etc/rc.conf and seeing
> ACCEPT_RTADV in ifconfig is not actually sufficient to be vulnerable
> to this ?

This was a misconception which was explained within #freebsd.

rtsol actually is poorly named, as rtsol actually handles rtadv.

If you have ACCEPT_RTADV option on your interface, router advertisement
packets received are passed to rtsol.

So if ACCEPT_RTADV AND/OR rtsold is in use, you are vulnerable to the
RCE.

On your home network this is not a big deal, but if you use your device
on public wifi it would be quite the concern.

> Is patching the userland daemon enough ? It seems to be

No.

Hope this helps, and I hope I properly relayed the solution from IRC.

Take care,
--
Polarian
Jabber/XMPP: polarian@icebound.dev
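
An added example, not part of the message above or of the FreeBSD project's tooling: a small sh audit that reports the two conditions the reply names, ACCEPT_RTADV in an interface's `nd6 options` line and `rtsold_enable` in rc.conf-style text. The function names, the sample input and the choice to read a single rc.conf-style file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report ACCEPT_RTADV interfaces and the rtsold_enable setting.
# It only reports the two conditions; it does not decide whether a host is patched.

# Reads ifconfig(8) output on stdin; prints each interface whose
# "nd6 options" line lists ACCEPT_RTADV.
rtadv_ifaces() {
    awk '
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
        /nd6 options=/ && /[<,]ACCEPT_RTADV[,>]/ { print iface }
    '
}

# Reads rc.conf-style text on stdin; exit status 0 if the last uncommented
# rtsold_enable assignment is a "yes" value (YES, TRUE, ON or 1).
rtsold_enabled() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*rtsold_enable$/ {
            v = $2; sub(/#.*/, "", v); gsub(/[^A-Za-z0-9]/, "", v)
            last = toupper(v)
        }
        END { exit !(last == "YES" || last == "TRUE" || last == "ON" || last == "1") }
    '
}

# $1 = file holding `ifconfig -a` output, $2 = rc.conf-style file (assumed layout).
audit() {
    ifaces=$(rtadv_ifaces < "$1" | tr '\n' ' ')
    if rtsold_enabled < "$2"; then rtsold=yes; else rtsold=no; fi
    echo "accept_rtadv=[${ifaces% }] rtsold_enable=${rtsold}"
}

# Constructed sample input, not captured from a real host.
sample_ifconfig() { cat <<'EOF'
em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
EOF
}
sample_rcconf() { printf '%s\n' 'hostname="example"' '#rtsold_enable="NO"' 'rtsold_enable="YES"'; }

tmp=$(mktemp -d) && sample_ifconfig > "$tmp/if" && sample_rcconf > "$tmp/rc"
audit "$tmp/if" "$tmp/rc"   # prints: accept_rtadv=[em0] rtsold_enable=yes
rm -rf "$tmp"
```

On a live host the two inputs would be the saved output of `ifconfig -a` and `/etc/rc.conf`.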