From nobody Wed Dec 17 01:02:14 2025 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4dWFrR6g9Sz6LVbn for ; Wed, 17 Dec 2025 01:02:15 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "R13" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4dWFrQ6yQlz3Sgc; Wed, 17 Dec 2025 01:02:14 +0000 (UTC) (envelope-from security-advisories@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1765933335; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Og68yjtYezAtBkiLYJkj2LUtqVM7gVkCsQ5Dg3zGydo=; b=Y4bbeYD47oxRLTeNNd1VyqkNLNx7u6raCLQwfdSJKNb6VQaFGvjVQ/MWO3UabgmvWLH4Zw Wmd78s3KmQA1hrREFDDhwA23YYmJfJ2l+Rzf0OQRmOzC8sBx/4AmX+piL3im1bOxdeHU3r ukx9vGHf34F+c9rtS/y/YIDd/iXXuIztNhWsZFqD0gAVR+w6TjONDWM3os2KEkfx8jF2Ca Uod165JSsaDvHFWCL9YcLayCjJ11ru6A+p76WsT5I60COGKMPbrZBC0Wk77JA1EXxHg8OU GCUl1CcGzuBd4V8vvjD31gzX0YmrPHXOtpNfathVWPjP1l1sLAv4zC57PEGVLg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1765933335; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc; bh=Og68yjtYezAtBkiLYJkj2LUtqVM7gVkCsQ5Dg3zGydo=; b=xJSAkDJZdlLR8vU+BtD9JGAJa0sZ5IbQbIYJNadVR3fWVBfwm6yzRDk/G5UME362yWGwvR XeiX3E0X5RmU6l1UHTbfWTfrIypZaPaobbX+46BSX+LqWe2H6kbrv40/YFN14GUaJ91W4x dsBaE7E98XnJKFxxnJpkQ7OXYyWUP9EZtYWYDYRq8d4Y/Wf0pDFuEbaqYl89VExQfc5Zze VpZDasb+4G92rOF0SaSTpP2sLaIV9YCrTgobibjT8aChkzUTshMc1pJGcWA3sE4Wjfjo/D coWhynKRvNwiPjnR2nXPk1ZYPMAtCSU7OBoMHZqtBxCXPHezff/7HGm/uPksTg== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1765933335; a=rsa-sha256; cv=none; b=P0lNPGykGUutNtOY7T20UpBI6Ss6c58BjdhZZlQcHvF/N7latx+jJC73NBaqK4IRHfUw6P lqi6pxsTVfWKAmnxXlQzkxxwT9NwTy+ZmsHKhehiPZ37GCh8YHU46tS2K8kZ+OOFRyrLIn vba+8N9bmjrMOFbHir0857M+psxXHBI0v7+g1UNs83Uw5ps2cvIN7dnA8bwd3dLc9LKrLY EF1sCOxOhK6zmvGOPmr5LK9EFz4QbO3G8C1mW70DhWtKtU6M3fBy6k0R2PBSLmHaKen41s IW0Y47bZ6+4QLK8o8Ge+PWEP8tuTYuqxd2pYmvSIVXRSE5AAxLOnuV+7CpxAcA== ARC-Authentication-Results: i=1; mx1.freebsd.org; none Received: by freefall.freebsd.org (Postfix, from userid 945) id BAF90E16E; Wed, 17 Dec 2025 01:02:14 +0000 (-00) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-25:12.rtsold Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20251217010214.BAF90E16E@freefall.freebsd.org> Date: Wed, 17 Dec 2025 01:02:14 +0000 (-00) List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-25:12.rtsold Security Advisory The FreeBSD Project Topic: Remote code execution via ND6 Router Advertisements Category: core Module: rtsold Announced: 2025-12-16 Credits: Kevin Day Affects: All supported versions of FreeBSD. Corrected: 2025-12-16 23:39:32 UTC (stable/15, 15.0-STABLE) 2025-12-16 23:43:01 UTC (releng/15.0, 15.0-RELEASE-p1) 2025-12-16 23:45:05 UTC (stable/14, 14.3-STABLE) 2025-12-16 23:43:25 UTC (releng/14.3, 14.3-RELEASE-p7) 2025-12-16 23:44:10 UTC (stable/13, 13.4-STABLE) 2025-12-16 23:43:33 UTC (releng/13.5, 13.5-RELEASE-p8) CVE Name: CVE-2025-14558 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background rtsold(8) and rtsol(8) are programs which process router advertisement packets as part of the IPv6 stateless address autoconfiguration (SLAAC) mechanism. II. Problem Description The rtsol(8) and rtsold(8) programs do not validate the domain search list options provided in router advertisement messages; the option body is passed to resolvconf(8) unmodified. resolvconf(8) is a shell script which does not validate its input. A lack of quoting meant that shell commands pass as input to resolvconf(8) may be executed. III. Impact Systems running rtsol(8) or rtsold(8) are vulnerable to remote code execution from systems on the same network segment. In particular, router advertisement messages are not routable and should be dropped by routers, so the attack does not cross network boundaries. IV. Workaround No workaround is available. Users not using IPv6, and IPv6 users that do not configure the system to accept router advertisement messages, are not affected. A network interface listed by ifconfig(8) accepts router advertisement messages if the string "ACCEPT_RTADV" is present in the nd6 option list. V. Solution Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms, or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch # fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch.asc # gpg --verify rtsold.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details This issue is corrected as of the corresponding Git commit hash in the following stable and release branches: Branch/path Hash Revision - ------------------------------------------------------------------------- stable/15/ 6759fbb1a553 stable/15-n281548 releng/15.0/ 408f5c61821f releng/15.0-n280998 stable/14/ 26702912e857 stable/14-n273051 releng/14.3/ 3c54b204bf86 releng/14.3-n271454 stable/13/ 4fef5819cca9 stable/13-n259643 releng/13.5/ 35cee6a90119 releng/13.5-n259186 - ------------------------------------------------------------------------- Run the following command to see which files were modified by a particular commit: # git show --stat Or visit the following URL, replacing NNNNNN with the hash: To determine the commit count in a working tree (for comparison against nNNNNNN in the table above), run: # git rev-list --count --first-parent HEAD VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEthUnfoEIffdcgYM7bljekB8AGu8FAmlB+cMACgkQbljekB8A Gu9YXA//UpSYz4dseSTcDElpN6jp/2W0+OKDYVqRkH0PaLwZX8iGugm8QwqCxLoL m1xK2BJir15wuUYmD++EYbjHajXrKIPaD+sW9KjqxgxDVsQWwfl9ZND743JM5TFE Y3fx8halkChIwtNGCNDHTu5N2DmEPoTO03jOqKqjH6PZwJ6ycYTw4zJvPdP5eDiT +zWpTNNm0VCkBQQB7ukJGku3zWAh4swZWylP2GvyzifcYKR3Z4OGhDdwQCBa99cn jC67D7vURTqlk4pcTFJ6JrIVRIQJdNWQGRou3hAedE59bpAZZc8B/fd//Ganmrit CBG1kMLYVxtV3/12+maEt/DLEMM7isGJPQiSWYe+qseBcdakmuJ8hdR8HKTqrK40 57ZO59CnzEFr49DrrTD4B97cJwtrXLWtUp4LiXxuYy0CkCl8CiXvcgovCBusQpx+ r68dgbfcH0UY/ryQp0ZWTI1y3NKmOSuPVpkW4Ss0BeGESlA4DJHuEwIs1D4TnOJL 90C5D7v7jeOtdXhZ6BHVLtXB+nn8zMpAO209H/pRQWJdAEpABheKCgisP9C80g6h kM300GZjH4joYDyFbMYrW6uWfylwDFC1g8MdFi8yjZzEEOfrKNcY63b+Kx+c3xNL hIa8yUcjLYHvMRnjTQU1bgUVU+SmW6n05HcqtWV7VKh39ATJcX4= =TK7t -----END PGP SIGNATURE-----