CVE-2020-25583

9.8 CRITICAL

📋 TL;DR

This is a critical buffer overflow vulnerability in FreeBSD's rtsold IPv6 router advertisement daemon. Attackers can exploit it by sending malicious DNSSL options to trigger remote code execution or denial of service. Systems running vulnerable FreeBSD versions with rtsold enabled are affected.

💻 Affected Systems

Products:
  • FreeBSD
Versions: FreeBSD 12.2-STABLE before r368250, 11.4-STABLE before r368253, 12.2-RELEASE before p1, 12.1-RELEASE before p11, 11.4-RELEASE before p5
Operating Systems: FreeBSD
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with IPv6 enabled and rtsold running (default in some configurations)

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with root privileges leading to complete system compromise

🟠 Likely Case

Denial of service through rtsold crash or potential remote code execution

🟢 If Mitigated

Limited impact if rtsold is disabled or network access is restricted

🌐 Internet-Facing: HIGH - rtsold listens on network interfaces and processes incoming router advertisements
🏢 Internal Only: HIGH - Internal attackers can exploit this if they have network access to the system

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted IPv6 router advertisements with malicious DNSSL options

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: FreeBSD 12.2-STABLE r368250+, 11.4-STABLE r368253+, 12.2-RELEASE p1+, 12.1-RELEASE p11+, 11.4-RELEASE p5+

Vendor Advisory: https://security.FreeBSD.org/advisories/FreeBSD-SA-20:32.rtsold.asc

Restart Required: Yes

Instructions:

1. Update FreeBSD using freebsd-update or source update.
2. Apply the relevant patch for your version.
3. Restart the system or rtsold service.

🔧 Temporary Workarounds

Disable rtsold service

Platform: all

Stop and disable the rtsold daemon if IPv6 router advertisement functionality is not required

service rtsold stop
service rtsold disable

Block IPv6 router advertisements

Platform: linux (ip6tables is a Linux tool and is not available on FreeBSD itself)

Configure firewall to block incoming IPv6 router advertisements (ICMPv6 type 134)

ip6tables -A INPUT -p icmpv6 --icmpv6-type 134 -j DROP

🧯 If You Can't Patch

  • Disable rtsold service immediately
  • Implement network segmentation to restrict access to affected systems

🔍 How to Verify

Check if Vulnerable:

Check FreeBSD version with 'uname -a' and verify if rtsold is running with 'ps aux | grep rtsold'

Check Version:

uname -a

Verify Fix Applied:

Verify FreeBSD version is patched and rtsold service is either updated or disabled
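
The version check above can be scripted. The following is an added example, not part of the vendor advisory: it compares a userland version string against the fixed RELEASE patch levels listed on this page. It assumes the string has the form printed by `freebsd-version -u` (for example `12.2-RELEASE-p1`), which reports the installed userland where rtsold lives, whereas `uname -a` reports the running kernel. The function names are hypothetical.

```sh
#!/bin/sh
# Added example: classify a FreeBSD userland version against the fixed
# patch levels this page lists for CVE-2020-25583.

# Minimum fixed patch level per RELEASE branch (values taken from the page).
fixed_patch_level() {
    case "$1" in
        12.2) echo 1 ;;
        12.1) echo 11 ;;
        11.4) echo 5 ;;
        *)    return 1 ;;   # branch not listed on the page
    esac
}

# classify_version VERSION -> prints "patched", "vulnerable" or "unknown".
# "unknown" covers -STABLE builds (compare the revision by hand against
# r368250 / r368253) and branches the page does not list.
classify_version() {
    ver=$1
    case "$ver" in
        *-RELEASE)    branch=${ver%-RELEASE}; plevel=0 ;;
        *-RELEASE-p*) branch=${ver%%-RELEASE-p*}; plevel=${ver##*-RELEASE-p} ;;
        *)            echo unknown; return 0 ;;
    esac
    # Reject anything that is not a plain number after "-p".
    case "$plevel" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    min=$(fixed_patch_level "$branch") || { echo unknown; return 0; }
    if [ "$plevel" -ge "$min" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# On a FreeBSD host: report the userland status and whether rtsold is running.
if command -v freebsd-version >/dev/null 2>&1; then
    userland=$(freebsd-version -u)
    echo "userland $userland: $(classify_version "$userland")"
    if pgrep -x rtsold >/dev/null 2>&1; then
        echo "rtsold is running"
    else
        echo "rtsold is not running"
    fi
fi
```

A result of "unknown" means the version is outside the table on this page and needs a manual check.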

📡 Detection & Monitoring

Log Indicators:

  • rtsold crash logs in /var/log/messages
  • kernel panic messages related to buffer overflow

Network Indicators:

  • Unusual IPv6 router advertisement traffic
  • Multiple malformed DNSSL options

SIEM Query:

source="freebsd" AND (process="rtsold" AND (event="crash" OR event="segfault"))
