FreeBSD: VID-E2748C9D-3483-11EB-B87A-901B0EF719AB (CVE-2020-25577): FreeBSD -- Multiple vulnerabilities in rtsold

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-E2748C9D-3483-11EB-B87A-901B0EF719AB:

Problem Description:

Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling.

First, rtsold(8) failed to perform sufficient bounds checking on the

extent of the option. In particular, it does not verify that the

option does not extend past the end of the received packet before

processing its contents. The kernel currently ignores such

malformed packets but still passes them to userspace programs.

Second, when processing a DNSSL option, rtsold(8) decodes domain

name labels per an encoding specified in RFC 1035 in which the first

octet of each label contains the label's length. rtsold(8) did not

validate label lengths correctly and could overflow the destination

buffer.

Impact:

It is believed that these bugs could be exploited to gain remote

code execution within the rtsold(8) daemon, which runs as root.

Note that rtsold(8) only processes messages received from hosts

attached to the same physical link as the interface(s) on which

rtsold(8) is listening.

In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the

scope of a compromised rtsold(8) process.