Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-E2748C9D-3483-11EB-B87A-901B0EF719AB (CVE-2020-25577): FreeBSD -- Multiple vulnerabilities in rtsold


Severity: 10
CVSS: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Published: 12/01/2020
Created: 12/05/2020
Added: 12/03/2020
Modified: 04/05/2021

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-E2748C9D-3483-11EB-B87A-901B0EF719AB:

Problem Description:

Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling.

First, rtsold(8) failed to perform sufficient bounds checking on the
extent of the option. In particular, it does not verify that the
option does not extend past the end of the received packet before
processing its contents. The kernel currently ignores such
malformed packets but still passes them to userspace programs.

Second, when processing a DNSSL option, rtsold(8) decodes domain
name labels per an encoding specified in RFC 1035 in which the first
octet of each label contains the label's length. rtsold(8) did not
validate label lengths correctly and could overflow the destination
buffer.

Impact:

It is believed that these bugs could be exploited to gain remote
code execution within the rtsold(8) daemon, which runs as root.
Note that rtsold(8) only processes messages received from hosts
attached to the same physical link as the interface(s) on which
rtsold(8) is listening.

In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the
scope of a compromised rtsold(8) process.
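
The two checks whose absence the advisory describes, shown as an added C example (this is not rtsold(8)'s code or the FreeBSD patch): the option extent is verified against the received packet, and each RFC 1035 label length is verified against the option and the destination buffer before copying. The option layout follows the RFC 8106 DNSSL format; the function name, constants and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define DNSSL_OPT_TYPE 31 /* DNSSL option type (RFC 8106) */
#define DNSSL_HDR_LEN  8  /* type, length, reserved(2), lifetime(4) */
/* Constructed sample: one DNSSL option carrying "example.org", length field 3 (24 bytes). */
static const uint8_t SAMPLE_OPT[24] = {
    DNSSL_OPT_TYPE, 3, 0, 0, 0, 0, 0, 60,
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'o', 'r', 'g', 0, 0, 0, 0
};

/* Hypothetical helper: decode the first name at pkt[off] into dst; 0 = ok, -1 = malformed. */
int dnssl_first_name(const uint8_t *pkt, size_t pktlen, size_t off,
                     char *dst, size_t dstlen)
{
    if (off > pktlen || pktlen - off < 2 || pkt[off] != DNSSL_OPT_TYPE)
        return -1;
    size_t optlen = (size_t)pkt[off + 1] * 8;   /* length is in 8-octet units */
    /* Check 1: the option must lie entirely inside the received packet. */
    if (optlen <= DNSSL_HDR_LEN || optlen > pktlen - off)
        return -1;
    const uint8_t *p = pkt + off + DNSSL_HDR_LEN, *end = pkt + off + optlen;
    size_t out = 0;
    while (p < end) {
        size_t lab = *p++;                      /* RFC 1035 label length octet */
        if (lab == 0) {                         /* root label ends the name */
            if (out == 0)
                return -1;                      /* empty name or bare padding */
            dst[out - 1] = '\0';                /* trailing '.' becomes NUL */
            return 0;
        }
        /* Check 2: label fits RFC 1035 (<= 63), the option, and dst. */
        if (lab > 63 || lab > (size_t)(end - p) || lab + 1 > dstlen - out)
            return -1;
        memcpy(dst + out, p, lab);
        out += lab;
        dst[out++] = '.';
        p += lab;
    }
    return -1;                                  /* name not terminated in option */
}

int main(void)
{
    char name[256];
    int rc = dnssl_first_name(SAMPLE_OPT, sizeof SAMPLE_OPT, 0, name, sizeof name);
    printf("%d %s\n", rc, rc == 0 ? name : "(rejected)");
    return 0;
}
```

Every rejection path returns before the `memcpy`, so a length octet that overstates either the option or the label never drives a copy.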

Solution(s)

  • freebsd-upgrade-base-11_4-release-p5
  • freebsd-upgrade-base-12_1-release-p11
  • freebsd-upgrade-base-12_2-release-p1
