FreeBSD rtsol and rtsold Remote Code Execution Vulnerability via Unvalidated Router Advertisements

A remote code execution vulnerability exists in the FreeBSD rtsol and rtsold programs, which process router advertisement packets as part of IPv6 stateless address autoconfiguration. The vulnerability arises because these programs do not validate the domain search list options in router advertisement messages. This unvalidated data is passed directly to resolvconf, a shell script that lacks input validation. The absence of proper quoting allows shell commands to be executed, leading to remote code execution on the affected system.

Impact

Exploitation of this vulnerability allows for remote code execution on the affected FreeBSD system, but only from devices on the same network segment. Since router advertisement messages are not routable and should be discarded by routers, the attack does not cross network boundaries.

Remediation

Users can upgrade to a supported FreeBSD version that includes the patch for this vulnerability. Instructions for updating via the FreeBSD Update utility or applying a source code patch are available in the FreeBSD security advisory.