BSDSec

deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-18_02.webgui

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-18_02.webgui                                     Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2018-01-29
Credits:        Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc.
Affects:        pfSense software version 2.3.x <= 2.3.5-p1, 2.4.x <= 2.4.2-p1
Corrected:      2017-01-29 17:24:25 UTC (pfSense/master, pfSense 2.4.3)
                2017-01-29 17:24:25 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x)
                2017-01-29 17:24:25 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2017-01-29 17:24:25 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x)

0.   Revision History

v1.0  2018-01-29 Initial SA draft

I.   Background

pfSenseĀ® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in
diag_system_activity.php, a part of the pfSense software WebGUI, on version
2.3.5-p1 and earlier (2.3.x branch) and on version 2.4.2-p1 and earlier (2.4.x
branch).

On diag_system_activity.php, the output of the "top" command was printed to the
user without encoding, which could be used as an XSS vector.

III. Impact

Due to the lack of proper encoding on the affected output susceptible to XSS,
arbitrary JavaScript can be executed in the user's browser. The user's session
cookie or other information from the session may be compromised.

Exploiting this requires that the attacker already have sufficient access to the
firewall to run arbitrary processes at the command prompt (console or ssh) or
via diag_command.php, which makes this attack impractical, but the possibility
remains that such a process could be triggered by other means.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or more
of the following:
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users of pfSense 2.4.x can upgrade to version 2.4.3 or later. This upgrade may
be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

Users running pfSense 2.3.x can upgrade to the next available 2.3.x version,
which is still pending.

   See https://www.netgate.com/blog/pfsense-2-3-5-release-now-available.html for
   special instructions on using the 2.3.x legacy Security/Errata branch.

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     c083e1e49af4902d15173d412feebd8b86a616ee
pfSense/RELENG_2_4_2               bd866431ba009f0ffbb0cad18e156dfd3017dbb7
pfSense/RELENG_2_3                 834ac053f1df4effcb70aa82bef780e7a8499e26
pfSense/RELENG_2_3_5               51992270b53084fdf0a2febf2fa3cf823b8357ed
- - -------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-18_02.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJahz4LAAoJEBO5h/2SFPja9dQQAJfstUkOWeS/qeU+rZP5mRtX
klO9Qq6HkYMW3CCosqxF5TKPO4NLcJjmxaIIsEROtXXE7yCnL+kMkArkftWKti7a
VZlxshPWjrw5VYnrf+fDTLrf50ld3HZgSuSAsuuzLzEXLOHBipn29jtiQtWldnGO
cB15QLA/VmUGsSCzUmsNLdKFvHPD6mzZzc1/W/4bBW0SW2iJwPoABl/VzIKnFWBi
9QYigdGP3/us5IzD5sas7pr6AL59F01GudHTROgd0lqEImnrHoWyv6O7EmDOuKwh
EjNksl3kWrnzQ3FXomXEG/BHgOzhYRf8x7nFYuyFWrg7g2riCI4n3QMEU3uqv++P
wcn9sNW9lM90e5RoZjwOSfERBqjRgcXD39kiaat+TosxEqwtMMpX0JyPoDLFmocI
aOuUMuPCipvcB1EyBUOLE3cE3XDIoR68yRVd4KHH/bMzK97euV3+ofM3kfBLHilY
vi5VWVkmrzbwY1A7VW5ikiKGuicAEN1Op2NqdYOCUhlvvTEutzris4ZK9Bj4dN8G
UrtyJqj8efjs+ofRRKrpfO3J9v+rC+fKvjcs63A+WcJgZmPykfMI8+ogpNQ6avMW
mmrPVsD8bquuZgz5mrLzDQosDySnfBfVPirPYuRqTdsVhUeVeLSrT6YcVjqBuEjE
xvw7EvVj3S6Lyp7lYfZO
=LOVl
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce