[Security-announce] pfSense-SA-17_07.packages

pfSense-SA-17_07.packages                                   Security Advisory

Topic:          XSS vulnerability in Status Monitoring base package

Category:       pfSense Base Packages
Module:         Status_Monitoring
Announced:      2017-09-19
Credits:        Mohammed Latifi - Servonet S.n.c -
Affects:        Status_Monitoring base package < 1.6.2 and 1.7.x < 1.7.2
Corrected:      2017-09-19 14:46:00 UTC
                   FreeBSD-ports/devel, v1.7.2 for pfSense 2.4.1 snapshots
                2017-09-19 14:46:22 UTC
                   FreeBSD-ports/RELENG_2_4_0, v1.7.2 for pfSense 2.4-RELEASE
                2017-09-19 14:48:10 UTC
                   FreeBSD-ports/RELENG_2_3, v1.6.2 for pfSense 2.3.5 snapshots
                2017-09-19 14:48:25 UTC
                   FreeBSD-ports/RELENG_2_3_4, v1.6.2 for pfSense 2.3.4_x

0.   Revision History

v1.0  2017-09-19 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in the 'view' parameter of
status_monitoring.php which is a part of the Status_Monitoring package included
in the base installation of pfSense software.

If a malicious client submits a 'view' parameter containing HTML, that value is
echoed back without encoding into the page shown to the user viewing
status_monitoring.php.

III. Impact

Because the affected value is output without proper encoding, arbitrary
JavaScript can be executed in the user's browser. The user's session cookie or
other information from the session may be compromised.

IV.  Workaround

No workaround.

V.   Solution

Upgrade to pfSense software version 2.4-RELEASE or another corrected version.
This upgrade may be performed in the web interface or from the console.

Rather than a full upgrade, the Status_Monitoring package may be upgraded on
its own. Run the following commands at a shell prompt as root (directly or
using sudo):

  pkg update -f
  pkg upgrade -y pfSense-Status_Monitoring
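Two checks a defender can run from the details above, as an added example that is not part of the advisory or of the pfSense code base: the first encodes the "Affects" line (< 1.6.2, and 1.7.x < 1.7.2) as a version test, the second scans web-server access-log lines for requests to status_monitoring.php whose 'view' query parameter carries HTML metacharacters, which is the pattern the Problem Description section describes. The log format is assumed to be the common Apache/nginx "combined" format and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Affected ranges stated in this advisory: < 1.6.2, and 1.7.x < 1.7.2.
def is_affected_version(version):
    """True if a pfSense-Status_Monitoring version string is in an affected range.
    A FreeBSD pkg suffix such as '_1' (port revision) or ',1' (epoch) is ignored."""
    parts = tuple(int(p) for p in version.split(",")[0].split("_")[0].split("."))
    if parts[:2] == (1, 7):
        return parts < (1, 7, 2)
    return parts < (1, 6, 2)

# Apache/nginx "combined" format: client, identd, user, [time] "request" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that have no business in a 'view' value unless markup is being injected.
HTML_META = re.compile(r"[<>'\"]|&#|javascript:", re.IGNORECASE)

def suspicious_view_requests(log_lines):
    """Return (client_ip, timestamp, decoded_view) for requests to status_monitoring.php
    whose 'view' query parameter carries HTML or script metacharacters.
    Caveat: only a 'view' sent in the query string is visible here; a value sent
    in a POST body never reaches the access log."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/status_monitoring.php"):
            continue
        # parse_qs percent-decodes, so '%3Cscript%3E' becomes '<script>'.
        for value in parse_qs(url.query).get("view", []):
            if HTML_META.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits

# Constructed sample log lines (not real traffic); 10.0.0.9 probes the parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Sep/2017:10:01:02 +0000] "GET /status_monitoring.php?view=1 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/Sep/2017:10:03:44 +0000] "GET /status_monitoring.php?view=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5200',
    '10.0.0.9 - - [19/Sep/2017:10:04:10 +0000] "GET /status_monitoring.php?view=%22%3E%3Cimg%20src%3Dx%3E HTTP/1.1" 200 5200',
    '10.0.0.5 - - [19/Sep/2017:10:05:00 +0000] "GET /index.php?view=%3Cb%3E HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for ip, ts, view in suspicious_view_requests(SAMPLE_LOG):
        print(f"{ts} {ip} view={view!r}")
    print("1.7.1 affected:", is_affected_version("1.7.1"))
```

Note that 1.6.5 is reported as fixed even though it is below 1.7.2, matching the two separate ranges in the "Affects" line.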

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
FreeBSD-ports/devel                f044c1e4e3f647028c57ae1a572dc6377e555ff3
FreeBSD-ports/RELENG_2_4_0         c919d10d1194da689a18905801bfe86ceef82230
FreeBSD-ports/RELENG_2_3           0db1ce65a93b063c268aaed477252197d566da03
FreeBSD-ports/RELENG_2_3_4         c3c919d640ff0a7319b8f080184bb90dabc7807e
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
