BSDSec

deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-17_02.webgui

21 February, 2017 by security@pfsense.org | pfsense 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-17_02.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2017-02-10
Credits:        Tim Coen - Curesec GmbH
Affects:        pfSense software version <= 2.3.2_1
Corrected:      2017-02-07 19:30:04 UTC (pfSense/master, pfSense 2.4)
                2017-02-07 19:31:11 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2017-02-07 19:31:14 UTC (pfSense/RELENG_2_3_2, pfSense 2.3.2_x)

0.   Revision History

v1.0  2017-02-10 Initial release

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A command-injection vulnerability exists in wizard.php via update_config_field()
due to its passing user input through eval(), especially in its handling of
interfaces_selection type fields. This allows an authenticated WebGUI user with
privileges for wizard.php to execute commands in the context of the root user.

III. Impact

A user on version 2.3.2_1 or earlier of the pfSense software, granted limited
access to the pfSense software WebGUI including access to wizard.php, could
leverage these vulnerabilities to gain increased privileges, read other files,
execute commands, or perform other alterations.

This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI both with
firewall rules and by not allowing untrusted users to have accounts with GUI
access, and by not granting untrusted administrators access to the pages in
question.

V.   Solution

Upgrade to version 2.3.3 of the pfSense software, or a later version. This may
be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     5baea4da88fd6c093582d9c3e9b67cce5d6a1013
pfSense/RELENG_2_3                 2c5c799a646a014a7729bb834d0f8a92df0f77d0
pfSense/RELENG_2_3_2               d3da9c7d2a40d1550fa3f919d5d067f1daaf95f4
- - -------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-17_02.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJYneCoAAoJEBO5h/2SFPjak3cP/0E507qdpRdmMeGZxSEqYoMx
gB3DKaD7MCWvPcNzofeq3HG95YfXiIQMnao4upgQ7uu0dH0YTV+PdZ6GagPkfc/g
369htxNb499/4Jfx4Em61AWlIArXmNUVPV91NY0SuEhHdNgjPOodgD4xM3ByOehn
sYZzbQ2fKwGXYo4M2Eo6vY3nJWNRoIn36yrUxcGRN3zY18x3uexsY85DaOyOSXNw
B9agzbc/fcUfEELWFPXUohYOKo/MeEAmpPAoKpIhSM9wvncNaPOk3FAeLhQpK3fE
vF05iiDnZ/fyXXLZ/EOPKknTO0MAsayhbIcSCRwFLLSFIT/oloNUmDH6CAS7S1D7
Y2z5Nhu6FRnsXVQnW0Zhpb6ylLSVlSGhY7o6LVnrNsxLJbwxD7Lf5BlYJJCNXq/e
Vgm3z0fFx5yc2lVqHaiaNLofzFPcx4pbU92o/WzML7/lXY1+/ipoFAZZj4Rbyfnv
kJPCMTAgwhT+CSJ+IBSolhgcNVavIfje+Po98+lRT4q+Tk76a+/ONdc3++JeCGlr
l6DUHhK7MrZX93Z5WTVx/2/vqMfK5i4PiEaYc4PaXb29TzwONPMLDByp+aa7VsHb
pXRDqAg5xfCnD3onrpLqfLgTZmLvlTFcLoWmZx2Q+/IZuCAikcCdZxHte+EQ0Be9
TnVM67KOhHW/Lk1+euUn
=lKJc
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce