=============================================================================
FreeBSD-SA-25:12.rtsold                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Remote code execution via ND6 Router Advertisements

Category:       core
Module:         rtsold
Announced:      2025-12-16
Credits:        Kevin Day
Affects:        All supported versions of FreeBSD.
Corrected:      2025-12-16 23:39:32 UTC (stable/15, 15.0-STABLE)
                2025-12-16 23:43:01 UTC (releng/15.0, 15.0-RELEASE-p1)
                2025-12-16 23:45:05 UTC (stable/14, 14.3-STABLE)
                2025-12-16 23:43:25 UTC (releng/14.3, 14.3-RELEASE-p7)
                2025-12-16 23:44:10 UTC (stable/13, 13.4-STABLE)
                2025-12-16 23:43:33 UTC (releng/13.5, 13.5-RELEASE-p8)
CVE Name:       CVE-2025-14558

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

rtsold(8) and rtsol(8) are programs which process router advertisement
packets as part of the IPv6 stateless address autoconfiguration (SLAAC)
mechanism.

II.  Problem Description

The rtsol(8) and rtsold(8) programs do not validate the domain search list
options provided in router advertisement messages; the option body is passed
to resolvconf(8) unmodified.

resolvconf(8) is a shell script which does not validate its input.  A lack of
quoting meant that shell commands passed as input to resolvconf(8) may be
executed.

III. Impact

Systems running rtsol(8) or rtsold(8) are vulnerable to remote code execution
from systems on the same network segment.  In particular, router advertisement
messages are not routable and should be dropped by routers, so the attack does
not cross network boundaries.

IV.  Workaround

No workaround is available.  Users not using IPv6, and IPv6 users that do not
configure the system to accept router advertisement messages, are not affected.
A network interface listed by ifconfig(8) accepts router advertisement messages
if the string "ACCEPT_RTADV" is present in the nd6 option list.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64 platforms,
or the i386 platform on FreeBSD 13, can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch
# fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch.asc
# gpg --verify rtsold.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              6759fbb1a553    stable/15-n281548
releng/15.0/                            408f5c61821f  releng/15.0-n280998
stable/14/                              26702912e857    stable/14-n273051
releng/14.3/                            3c54b204bf86  releng/14.3-n271454
stable/13/                              4fef5819cca9    stable/13-n259643
releng/13.5/                            35cee6a90119  releng/13.5-n259186
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
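
The kind of validation whose absence Section II describes, as an added example (it is not the FreeBSD patch and not rtsold code): a decoder for the domain-name field of a router advertisement DNSSL option that rejects any name containing bytes outside letters, digits and hyphen, so nothing shell-significant can reach a script. The function names and the strict character set are assumptions of this example; the wire layout follows RFC 8106 and RFC 1035.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not rtsold code. Decodes the domain-name field of an RA
 * DNSSL option (RFC 8106): RFC 1035 label sequences, zero padded. Returns
 * the number of names written to out (space separated), or -1 if the field
 * is malformed or a label holds a byte outside [A-Za-z0-9-]. The contents
 * of out are unspecified when -1 is returned. */
static int label_char_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9') || c == '-';
}

int dnssl_decode_checked(const unsigned char *names, size_t len,
    char *out, size_t outlen)
{
    size_t i = 0, o = 0;
    int count = 0;

    if (outlen == 0)
        return -1;
    while (i < len && names[i] != 0) {      /* a leading 0 starts padding */
        int first = 1;
        if (count > 0) {
            if (o + 1 >= outlen) return -1;
            out[o++] = ' ';
        }
        for (;;) {
            if (i >= len) return -1;        /* name lacks its root label */
            size_t l = names[i++];
            if (l == 0) break;              /* end of this name */
            if (l > 63 || l > len - i) return -1;  /* pointer or overrun */
            if (o + l + 2 > outlen) return -1;     /* '.', label, NUL */
            if (!first) out[o++] = '.';
            for (size_t k = 0; k < l; k++)
                if (!label_char_ok(names[i + k])) return -1;
            memcpy(out + o, names + i, l);
            o += l;
            i += l;
            first = 0;
        }
        count++;
    }
    while (i < len)                         /* padding must be all zero */
        if (names[i++] != 0) return -1;
    out[o] = '\0';
    return count;
}
```

A caller would discard the whole option on -1 rather than pass a partially decoded list onward.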