FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

FreeBSD -- rtsold(8) remote buffer overflow vulnerability

Affected packages
10.0 <= FreeBSD < 10.0_10
9.3 <= FreeBSD < 9.3_3
9.2 <= FreeBSD < 9.2_13
9.1 <= FreeBSD < 9.1_20

Details

VuXML ID 72ee7111-6007-11e6-a6c3-14dae9d210b8
Discovery 2014-10-21
Entry 2016-08-11

Problem Description:

Due to a missing length check in the code that handles DNS parameters, a malformed router advertisement message can result in a stack buffer overflow in rtsold(8).

Impact:

Receipt of a router advertisement message with a malformed DNSSL option, for instance from a compromised host on the same network, can cause rtsold(8) to crash.

While it is theoretically possible to inject code into rtsold(8) through malformed router advertisement messages, it is normally compiled with stack protection enabled, rendering such an attack extremely difficult.

When rtsold(8) crashes, the existing DNS configuration will remain in force, and the kernel will continue to receive and process periodic router advertisements.

References

CVE Name CVE-2014-3954
FreeBSD Advisory SA-14:20.rtsold