RCE via ND6 Router Advertisements in FreeBSD

Original link: https://www.freebsd.org/security/advisories/FreeBSD-SA-25:12.rtsold.asc

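## FreeBSD Security Advisory SA-25:12: rtsold remote code execution vulnerability

A critical security vulnerability (CVE-2025-14558) has been found in the `rtsold` and `rtsol` programs, which FreeBSD uses for IPv6 stateless address autoconfiguration. Because data received in router advertisement messages is insufficiently validated, **remote code execution** is possible from the same network segment. Specifically, the domain search list option is not properly sanitized before it is passed to a shell script, which may allow malicious commands to be executed. **All supported versions of FreeBSD are affected.** **The vulnerability has been fixed** in the stable and release branches as of 2025-12-16. Users are strongly advised to **upgrade** to a patched version, either with `freebsd-update` or by applying the provided source patch. **There is no other workaround** apart from disabling IPv6 or preventing the system from accepting router advertisements (shown as "ACCEPT_RTADV" in `ifconfig` output). For more details, patches and commit information, see the provided link.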
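To find which interfaces are exposed, the `ACCEPT_RTADV` check described above can be scripted. This is an added example, not part of the advisory; the function names and the sample `ifconfig` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: list interfaces whose nd6 option list contains ACCEPT_RTADV.
# Function names are hypothetical; the sample output below is constructed.

# Reads ifconfig(8) output on stdin, prints one exposed interface per line.
ra_accepting_ifaces() {
    awk '
        # An unindented line starts a new interface stanza: "em0: flags=..."
        /^[^ \t]/ { iface = $1; sub(/:$/, "", iface) }
        # Match the flag only as a whole token inside the nd6 <...> list.
        /^[ \t]+nd6 options=/ && /[<,]ACCEPT_RTADV[,>]/ { print iface }
    '
}

# Constructed sample in FreeBSD ifconfig layout, so the check runs offline.
sample_ifconfig() {
    printf 'em0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n'
    printf '\tinet6 fe80::200:5eff:fe00:5301%%em0 prefixlen 64 scopeid 0x1\n'
    printf '\tnd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>\n'
    printf 'em1: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n'
    printf '\tnd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>\n'
    printf 'vtnet0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500\n'
    printf '\tnd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>\n'
    printf 'lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384\n'
    printf '\tnd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>\n'
}

# Demo on the constructed sample.
sample_ifconfig | ra_accepting_ifaces
```

On a FreeBSD host, `ifconfig | ra_accepting_ifaces` runs the same check against live output.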

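A remote code execution (RCE) vulnerability was recently found in how FreeBSD processes router advertisements (RAs), putting devices on the same network segment at risk. The issue potentially allows an attacker to execute code on a vulnerable system without authentication. One major concern in the Hacker News discussion is the possibility of "evil twin" attacks, in which an attacker sets up a malicious Wi-Fi hotspot with a familiar name (such as "Starbucks") that laptops which previously used the legitimate network connect to automatically. The vulnerability particularly affects embedded FreeBSD systems, such as appliances, which often lack a simple update mechanism. Users may not know what operating system these devices run or how to patch them, and if no update is available the devices may remain open to attack. The discussion highlights the broader problem of keeping older, possibly unsupported systems secure in the face of new threats.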

Original text
```
=============================================================================
FreeBSD-SA-25:12.rtsold                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Remote code execution via ND6 Router Advertisements

Category:       core
Module:         rtsold
Announced:      2025-12-16
Credits:        Kevin Day
Affects:        All supported versions of FreeBSD.
Corrected:      2025-12-16 23:39:32 UTC (stable/15, 15.0-STABLE)
                2025-12-16 23:43:01 UTC (releng/15.0, 15.0-RELEASE-p1)
                2025-12-16 23:45:05 UTC (stable/14, 14.3-STABLE)
                2025-12-16 23:43:25 UTC (releng/14.3, 14.3-RELEASE-p7)
                2025-12-16 23:44:10 UTC (stable/13, 13.4-STABLE)
                2025-12-16 23:43:33 UTC (releng/13.5, 13.5-RELEASE-p8)
CVE Name:       CVE-2025-14558

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

rtsold(8) and rtsol(8) are programs which process router advertisement
packets as part of the IPv6 stateless address autoconfiguration (SLAAC)
mechanism.

II.  Problem Description

The rtsol(8) and rtsold(8) programs do not validate the domain search
list options provided in router advertisement messages; the option body
is passed to resolvconf(8) unmodified.

resolvconf(8) is a shell script which does not validate its input.  A
lack of quoting meant that shell commands passed as input to
resolvconf(8) may be executed.

III. Impact

Systems running rtsol(8) or rtsold(8) are vulnerable to remote code
execution from systems on the same network segment.  In particular,
router advertisement messages are not routable and should be dropped by
routers, so the attack does not cross network boundaries.

IV.  Workaround

No workaround is available.  Users not using IPv6, and IPv6 users that
do not configure the system to accept router advertisement messages,
are not affected.

A network interface listed by ifconfig(8) accepts router advertisement
messages if the string "ACCEPT_RTADV" is present in the nd6 option list.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the amd64 or arm64
platforms, or the i386 platform on FreeBSD 13, can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch
# fetch https://security.FreeBSD.org/patches/SA-25:12/rtsold.patch.asc
# gpg --verify rtsold.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch .

Restart the applicable daemons, or reboot the system.

VI.  Correction details

This issue is corrected as of the corresponding Git commit hash in the
following stable and release branches:

Branch/path                             Hash                     Revision
-------------------------------------------------------------------------
stable/15/                              6759fbb1a553    stable/15-n281548
releng/15.0/                            408f5c61821f  releng/15.0-n280998
stable/14/                              26702912e857    stable/14-n273051
releng/14.3/                            3c54b204bf86  releng/14.3-n271454
stable/13/                              4fef5819cca9    stable/13-n259643
releng/13.5/                            35cee6a90119  releng/13.5-n259186
-------------------------------------------------------------------------

Run the following command to see which files were modified by a
particular commit:

# git show --stat

Or visit the following URL, replacing NNNNNN with the hash:

To determine the commit count in a working tree (for comparison against
nNNNNNN in the table above), run:

# git rev-list --count --first-parent HEAD

VII. References

The latest revision of this advisory is available at
```
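The problem description above comes down to a shell script receiving network-supplied names without validation or quoting. The following added example shows one way a script can validate a search list before using it; it is not FreeBSD's patch or resolvconf(8) code, and the function names and sample list are hypothetical.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; this is not FreeBSD's patch.
LC_ALL=C; export LC_ALL   # make A-Z, a-z, 0-9 plain ASCII ranges

# Succeed only for a syntactically valid DNS name: at most 253 bytes,
# dot-separated labels of 1-63 bytes from [A-Za-z0-9-], no leading or
# trailing hyphen in a label. Anything else is rejected, which covers
# every shell metacharacter (; $ | & < > quotes, whitespace and so on).
is_valid_domain() {
    name=${1%.}                          # tolerate one trailing root dot
    [ -n "$name" ] && [ "${#name}" -le 253 ] || return 1
    case $name in
        *[!A-Za-z0-9.-]*) return 1 ;;    # byte outside the hostname alphabet
        .*|*.|*..*)       return 1 ;;    # empty label
    esac
    old_ifs=$IFS; IFS=.
    set -- $name                         # safe to split: alphabet checked above
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1
        case $label in -*|*-) return 1 ;; esac
    done
    return 0
}

# Print the valid names from a whitespace-separated search list, one per
# line. Every expansion of untrusted data is quoted and nothing is eval'd.
filter_search_list() {
    printf '%s\n' "$1" | tr -s ' \t' '\n\n' | while IFS= read -r d; do
        [ -n "$d" ] || continue
        if is_valid_domain "$d"; then
            printf '%s\n' "$d"
        else
            printf 'dropped invalid search domain\n' >&2
        fi
    done
}

# Constructed input standing in for a search list taken from an RA option.
filter_search_list 'corp.example bad;name.example lab.example.net'
```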