[Security-announce] pfSense-SA-16_05.webgui

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-16_05.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2016-05-24
Credits:        Patrick Ungeheuer
Affects:        pfSense <= 2.3.1
Corrected:      2016-05-20 16:13:15 UTC (pfSense/master, pfSense 2.4)
                2016-05-20 16:13:49 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2016-05-20 16:13:53 UTC (pfSense/RELENG_2_3_1, pfSense 2.3.1_x)


0.   Revision History

v1.0  2016-05-24 Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense system includes third-party free software
packages for additional functionality, and provides most of the functionality
of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

Command-injection vulnerabilities exist in diag_smart.php and diag_routes.php.
These allow authenticated WebGUI users with privileges for diag_smart.php or
diag_routes.php to execute commands in the context of the root user.
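The advisory names the bug class but not its shape. The following PHP is an added illustration, not pfSense's own code and not the actual logic of diag_smart.php or diag_routes.php: it shows the general pattern by which a diagnostics page turns a request parameter into a root command, and two hardened forms. The function names, the device allowlist, and the smartctl path are assumptions made for the example.

```php
<?php
// Added example (hypothetical; not pfSense code). Illustrates the command-injection
// pattern behind advisories like this one and how a diagnostics page avoids it.

// Vulnerable shape: a request parameter is concatenated into a shell command string.
// Because the string is handed to /bin/sh, any shell metacharacter in $device is
// interpreted by the shell, and the web server (root in pfSense) runs the result.
function runDiagVulnerable(string $device): string
{
    $out = shell_exec('/usr/local/sbin/smartctl -a ' . $device . ' 2>&1');
    return is_string($out) ? $out : '';
}

// Hardened shape 1: accept only values the server itself enumerated (an allowlist),
// then quote the argument so the shell sees one literal word.
function runDiagHardened(string $device, array $knownDevices): string
{
    if (!in_array($device, $knownDevices, true)) {
        throw new InvalidArgumentException('device not in allowlist');
    }
    $out = shell_exec('/usr/local/sbin/smartctl -a ' . escapeshellarg($device) . ' 2>&1');
    return is_string($out) ? $out : '';
}

// Hardened shape 2 (PHP >= 7.4): bypass the shell entirely by passing an argv array to
// proc_open. No shell parses the arguments, so there is nothing to inject into; the
// allowlist check is kept because the value still selects which device root inspects.
function runDiagNoShell(string $device, array $knownDevices): string
{
    if (!in_array($device, $knownDevices, true)) {
        throw new InvalidArgumentException('device not in allowlist');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['/usr/local/sbin/smartctl', '-a', $device], $spec, $pipes);
    if (!is_resource($proc)) {
        return '';
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed allowlist: in a real page this would be built server-side from the
// devices actually present (for example by listing /dev), never from the request.
$knownDevices = ['/dev/ada0', '/dev/ada1'];

// A value that is not a known device is rejected before any command is built.
try {
    runDiagHardened($_GET['device'] ?? 'not-a-device', $knownDevices);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The difference between the shapes is where trust is placed: the vulnerable version trusts the browser to send a device name, the hardened versions trust only the list the server built. Quoting with escapeshellarg closes the shell-metacharacter hole; the argv form of proc_open removes the shell from the path altogether, which is the stronger fix when the command's arguments come from any user-influenced source.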

III. Impact

A user on pfSense version 2.3.1 or earlier who has been granted limited access to
the pfSense web configurator GUI, including access to diag_smart.php and
diag_routes.php via their associated privileges ("WebCfg - Diagnostics:
S.M.A.R.T. Status" and "WebCfg - Diagnostics: Routing Tables" respectively),
could leverage these vulnerabilities to gain increased privileges, read other
files, execute commands, or perform other alterations.

This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI both with
firewall rules and by not allowing untrusted users to have accounts with GUI
access, and by not granting untrusted administrators access to the pages in
question.

V.   Solution

Upgrade to pfSense 2.3.1_1. This may be performed in the web interface or from
the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     335f1a8977cf0f711c712864379773e410e996a5
                                   0e4e4251ebf09937e7069a94f5faef51bbe15fac
                                   a3013ca688ce6e8b506fa2a5c6251f77778e39bc
pfSense/RELENG_2_3                 1e5239d102e75d0df1f7a2e8a9988073f3fbad2f
                                   5c4b89a468f608be63fc9aa05729e4a7f39ccd58
                                   b1952073387c6cd48a32623260285df5d67e11ee
pfSense/RELENG_2_3_1               12563b0cb9496cce317f563a60cd7afcba2afd7a
                                   2333d2a48293d4d5ffab335d1904586c69a050ee
                                   94d882a03ddf128f7519e54a6c2322ef812590f2
- - -------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-16_05.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXRJxEAAoJEBO5h/2SFPja1ogP/2PN42MakS0sbjbjt5F/32dA
niljYECal048FJ2T64GAASuTvEZkYgoTxZZTFa8rfWTcLm9evpl2HH41mhwJmR46
YkQZil+w8OUVQA7s4okqdgoNhi0zYszLcob4qEvWD4rTMZ3xg2WtA/JvtXgJtDFi
AlkFdNPq6l6/H7NYLqtDIBIVye6PPldSc90kss93vg8G8iPeGUFvoAzbQGrwRhm9
N1fHu0LkLVYAdVQRQSKmmZz5ESGR1b46EJabSrm9Vyka/kTyBV2GQb5fI6vB2ECi
5Lt6xdoEl4/gobRpvNL6PgeS3F3YONgjzEPbJHuxXKYglKx/9kvYN0EOaKd9wKva
Pqd2y+ZNi+9f0hDP0yftzVewyoit5zKvMRy0qt8z0TBreP7uUvj9Ygwl1j4HOuGd
sDylJQ7J3vZ5BDyjfuUzyspbIh1QT9vTQOROkoM9YmMUdfs4eK3vp7EKD1zN3Y9j
nUEQdPzBI9NgewGNj3UrvXA+NTbj2FujYXJIbqsEFPeiIcjwrliCJ6aTM/0XMk+U
9A+l14MwJy8FJuKeLCyBpf+/d5DKBiU0RGZkRFK7bUmXvrMRRnFGzn7QBuZsBa1P
f+H728YzljlNiVIQzywTAJVcLZCl8lerfV/G3642NUoonanq/IYz3mlS9iA/8wlR
qSc9f6gXETOjq0Gmmd/O
=3QBG
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce