[Security-announce] pfSense-SA-16_05.webgui
26 May, 2016 by cmb@pfsense.com | pfsense
=============================================================================
pfSense-SA-16_05.webgui Security Advisory
pfSense
Topic:          Arbitrary Code Execution
Category:       pfSense Base System
Module:         webgui
Announced:      2016-05-24
Credits:        Patrick Ungeheuer
Affects:        pfSense <= 2.3.1
Corrected:      2016-05-20 16:13:15 UTC (pfSense/master, pfSense 2.4)
                2016-05-20 16:13:49 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2016-05-20 16:13:53 UTC (pfSense/RELENG_2_3_1, pfSense 2.3.1_x)
0. Revision History
v1.0 2016-05-24 Initial release
I. Background
The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free software
packages for additional functionality, and provides most of the functionality
of common commercial firewalls.
The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge. The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.
II. Problem Description
Command-injection vulnerabilities exist in diag_smart.php and diag_routes.php.
These allow authenticated WebGUI users with privileges for diag_smart.php or
diag_routes.php to execute commands in the context of the root user.
III. Impact
A user on pfSense version 2.3.1 or earlier, granted limited access to the
pfSense web configurator GUI including access to diag_smart.php and
diag_routes.php via their associated privileges: "WebCfg - Diagnostics:
S.M.A.R.T. Status" and "WebCfg - Diagnostics: Routing Tables" respectively,
could leverage these vulnerabilities to gain increased privileges, read other
files, execute commands, or perform other alterations.
This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.
IV. Workaround
The issues can be mitigated by restricting access to the firewall GUI with
firewall rules, by not allowing untrusted users to have accounts with GUI
access, and by not granting untrusted administrators access to the pages in
question.
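One way to check the last point of the workaround is to list the limited accounts that can reach the two affected pages, directly or through a group. This is an added example, not part of the advisory or the pfSense code base; the configuration layout (users and groups under `system`, groups listing member uids) and the internal privilege identifiers are assumptions to confirm on your own installation.

```python
import xml.etree.ElementTree as ET

# Assumed internal privilege identifiers; confirm them on your own installation.
RISKY_PRIVS = {
    "page-diagnostics-smart",          # "WebCfg - Diagnostics: S.M.A.R.T. Status"
    "page-diagnostics-routingtables",  # "WebCfg - Diagnostics: Routing Tables"
}
ALL_PAGES = "page-all"  # assumed identifier for admin-level access to all pages

# Constructed sample in the assumed config layout (not from a real system).
SAMPLE_CONFIG = """<pfsense><system>
  <group><name>admins</name><member>0</member><priv>page-all</priv></group>
  <group><name>helpdesk</name><member>2000</member><member>2001</member>
    <priv>page-diagnostics-routingtables</priv></group>
  <user><name>admin</name><uid>0</uid></user>
  <user><name>alice</name><uid>2000</uid><priv>page-status-interfaces</priv></user>
  <user><name>bob</name><uid>2001</uid><priv>page-diagnostics-smart</priv></user>
  <user><name>carol</name><uid>2002</uid><priv>page-status-interfaces</priv></user>
</system></pfsense>"""


def audit(config_xml, risky=RISKY_PRIVS):
    """Return {username: sorted list of 'priv (source)'} for limited accounts
    that can reach the affected pages directly or through a group."""
    system = ET.fromstring(config_xml).find("system")
    users = {u.findtext("uid"): u for u in system.findall("user")}
    # uid -> {(privilege, where it was granted)}, seeded with direct grants
    grants = {uid: {(p.text, "direct") for p in u.findall("priv")}
              for uid, u in users.items()}
    for group in system.findall("group"):
        gname = group.findtext("name")
        for m in group.findall("member"):
            if m.text in grants:
                for p in group.findall("priv"):
                    grants[m.text].add((p.text, "group " + gname))
    findings = {}
    for uid, held in grants.items():
        # Admin-level accounts are out of scope per the Impact section.
        if any(p == ALL_PAGES for p, _ in held):
            continue
        hits = sorted(f"{p} ({src})" for p, src in held if p in risky)
        if hits:
            findings[users[uid].findtext("name")] = hits
    return findings


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_CONFIG).items():
        print(name, "->", ", ".join(hits))
```

Accounts it reports on a system that cannot be upgraded immediately are the ones to review against the workaround.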
V. Solution
Upgrade to pfSense 2.3.1_1. This may be performed in the web interface or
from the console.
See https://doc.pfsense.org/index.php/Upgrade_Guide
VI. Correction details
The following list contains the correction revision numbers for each
affected item.
Branch/path             Revision
-------------------------------------------------------------------------
pfSense/master          335f1a8977cf0f711c712864379773e410e996a5
                        0e4e4251ebf09937e7069a94f5faef51bbe15fac
                        a3013ca688ce6e8b506fa2a5c6251f77778e39bc
pfSense/RELENG_2_3      1e5239d102e75d0df1f7a2e8a9988073f3fbad2f
                        5c4b89a468f608be63fc9aa05729e4a7f39ccd58
                        b1952073387c6cd48a32623260285df5d67e11ee
pfSense/RELENG_2_3_1    12563b0cb9496cce317f563a60cd7afcba2afd7a
                        2333d2a48293d4d5ffab335d1904586c69a050ee
                        94d882a03ddf128f7519e54a6c2322ef812590f2
-------------------------------------------------------------------------
VII. References
None.
The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-16_05.webgui.asc>