[Security-announce] pfSense-SA-16_07.webgui

=============================================================================
pfSense-SA-16_07.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2016-06-09
Credits:        Patrick Ungeheuer
Affects:        pfSense <= 2.3.1_1
Corrected:      2016-06-08 23:02:26 UTC (pfSense/master, pfSense 2.4)
                2016-06-08 22:50:12 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2016-06-08 23:03:52 UTC (pfSense/RELENG_2_3_1, pfSense 2.3.1_x)

0.   Revision History

v1.0  2016-06-09 Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense system includes third-party free software
packages for additional functionality, and provides most of the functionality
of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A command-injection vulnerability exists in pkg_mgr_install.php via the 'id'
parameter. This allows an authenticated WebGUI user with privileges for
pkg_mgr_install.php to execute commands in the context of the root user.

III. Impact

A user on pfSense version 2.3.1_1 or earlier who has been granted limited
access to the pfSense web configurator GUI, including access to
pkg_mgr_install.php, could leverage this vulnerability to gain increased
privileges, read other files, execute commands, or perform other alterations.

Some characters, such as '/' and '-', were filtered, which limits the number of
commands which could be executed using this vulnerability.

This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.
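
Added example (not pfSense source code and not part of the original advisory):
why stripping a few characters such as '/' and '-' does not prevent command
injection, next to an allowlist check combined with shell quoting. All function
names, the 'example-pkg-tool' command and the sample inputs are hypothetical.

```php
<?php
// Illustration only; NOT pfSense code. All names below are hypothetical.

// Denylist approach: strip a few characters ('/' and '-') and pass the
// rest through. Everything not on the list still reaches the shell.
function denylist_filter(string $id): string
{
    return str_replace(['/', '-'], '', $id);
}

// Allowlist approach: accept only what a package identifier is expected
// to contain (assumed here: letters, digits, '_', '.', '+', '-').
// \A and \z anchor the whole string, so a trailing newline cannot slip by.
function is_valid_pkg_id(string $id): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.+-]{0,63}\z/', $id) === 1;
}

// Build the command line only from validated input, and still quote it.
function build_install_cmd(string $id): ?string
{
    if (!is_valid_pkg_id($id)) {
        return null; // reject outright; never try to "clean up" the value
    }
    // 'example-pkg-tool' is a placeholder, not a real pfSense command.
    return 'example-pkg-tool install ' . escapeshellarg($id);
}

// Constructed sample inputs: one well-formed id, three with metacharacters.
$samples = ['example_pkg', 'example; id', 'example$(id)', "example\nid"];

foreach ($samples as $id) {
    $filtered = denylist_filter($id);
    // Does a shell metacharacter survive the denylist?
    $survives = strpbrk($filtered, ';|&`$()<>' . "\n") !== false;
    printf(
        "%-16s denylist leaves metachar: %-3s  allowlist: %s\n",
        json_encode($id),
        $survives ? 'yes' : 'no',
        build_install_cmd($id) ?? 'REJECTED'
    );
}
```

Only the first sample produces a command line; the other three pass through the
denylist with their metacharacters intact and are rejected by the allowlist.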

IV.  Workaround

The issue can be mitigated by restricting access to the firewall GUI with
firewall rules, by not allowing untrusted users to have accounts with GUI
access, and by not granting untrusted administrators access to the pages in
question.

V.   Solution

Upgrade to pfSense 2.3.1_2. This may be performed in the web interface or from
the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                     56218db2d33edb4280c88f1688c07e9d02ce6546
                                   d85e29b74bda133a0704bd7ee9fb493dc7095268
                                   ddbe2c0cd9d283d8f6ecc65ffbdc5417f66d63b7
                                   af0a2a755f31e38cc7f92e11f35c77f4b202fe36
                                   5b216d25f9db6e4b07a7ccd0a664de46038a6175
                                   5fd5f7e78d671963672fd813182a3f2aefad3bbc
                                   a915cb4cbef79a9197e2007326ba8f83fa101f12
                                   c078dd89d4ec787e9e4d17123274072fbb1f9e0d
                                   756ef4dfff6ddedfc5d6dc462b76192858c22d03
pfSense/RELENG_2_3                 3b5af71265548616dcd96ce5f2c5346c007c61c1
                                   689c4eb8271c38d03de6f4d556dc21ec4e48924d
                                   a42bea4a2cfc8b5792ebbc208c6b8237c342d05c
                                   12e90cdca643cb48de1cc386d7a575480ca08b69
                                   a6885d24c9b75a76a4d165c62b7d6c820a00a98a
                                   88689d028924a2eb1c923a70d5460ad35ed9c7c1
                                   0067c9a75095d9010d47b580f2798dc3029c7add
                                   1a6fc86d35b7d9d43d79a0125980ac83f6232fa0
                                   c87deb1ab570ef0488e01a0ea29b01146c0d7758
pfSense/RELENG_2_3_1               7e1f301e21ebbf86b119a4b32ef72d2059cde961
                                   d38ccd2bc5df7403a32ab0dc87741838c0f8c587
                                   b926fb222ccbea2948c1ef89b110366d6a469449
                                   6f5cef535fbddafcc8cc60b810b5854bf43c55e2
                                   8b769240b4ed2991a58702c86706814079d2bc08
                                   3187d056a2175180b4d22d0502a3ac2c0c1c37ae
                                   1cdaa0dd5654edd3979163010f4e78756b2d9da9
                                   78fd804cb8496acd6a08245627b5a682a3e280cd
                                   9fd4b658857a14cfddf25141acaac89a4d6e9927
-------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-16_07.webgui.asc>