FreeBSD : FreeBSD -- Multiple vulnerabilities in rtsold (e2748c9d-3483-11eb-b87a-901b0ef719ab)

critical Nessus Plugin ID 143467

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Two bugs exist in rtsold(8)'s RDNSS and DNSSL option handling. First, rtsold(8) failed to perform sufficient bounds checking on the extent of the option. In particular, it does not verify that the option does not extend past the end of the received packet before processing its contents. The kernel currently ignores such malformed packets but still passes them to userspace programs.

Second, when processing a DNSSL option, rtsold(8) decodes domain name labels per an encoding specified in RFC 1035 in which the first octet of each label contains the label's length. rtsold(8) did not validate label lengths correctly and could overflow the destination buffer.
Impact : It is believed that these bugs could be exploited to gain remote code execution within the rtsold(8) daemon, which runs as root.
Note that rtsold(8) only processes messages received from hosts attached to the same physical link as the interface(s) on which rtsold(8) is listening.

In FreeBSD 12.2 rtsold(8) runs in a Capsicum sandbox, limiting the scope of a compromised rtsold(8) process.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?ebddbaf4

Plugin Details

Severity: Critical

ID: 143467

File Name: freebsd_pkg_e2748c9d348311ebb87a901b0ef719ab.nasl

Version: 1.3

Type: local

Published: 12/3/2020

Updated: 4/6/2021

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2020-25577

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:freebsd:freebsd, p-cpe:/a:freebsd:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 12/2/2020

Vulnerability Publication Date: 12/1/2020

Reference Information

CVE: CVE-2020-25577

FreeBSD: SA-20:32.rtsold