[Security-announce] pfSense-SA-16_07.webgui
16 June, 2016 by cmb@pfsense.com | pfsense
=============================================================================
pfSense-SA-16_07.webgui Security Advisory
pfSense
Topic:          Arbitrary Code Execution
Category:       pfSense Base System
Module:         webgui
Announced:      2016-06-09
Credits:        Patrick Ungeheuer
Affects:        pfSense <= 2.3.1_1
Corrected:      2016-06-08 23:02:26 UTC (pfSense/master, pfSense 2.4)
                2016-06-08 22:50:12 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2016-06-08 23:03:52 UTC (pfSense/RELENG_2_3_1, pfSense 2.3.1_x)
0. Revision History
v1.0 2016-06-09 Initial release
I. Background
The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free software
packages for additional functionality, and provides most of the functionality
of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge. The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.
II. Problem Description
A command-injection vulnerability exists in pkg_mgr_install.php via the 'id'
parameter. This allows an authenticated WebGUI user with privileges for
pkg_mgr_install.php to execute commands in the context of the root user.
III. Impact
A user on pfSense version 2.3.1_1 or earlier who has been granted limited
access to the pfSense web configurator GUI, including access to
pkg_mgr_install.php, could leverage this vulnerability to gain increased
privileges, read other files, execute commands, or perform other alterations.

Some characters, such as '/' and '-', were filtered, which limits the number of
commands that could be executed using this vulnerability.

This is not relevant for admin-level users, as there are other deliberate means
by which an administrator could run commands.
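
The point about partial character filtering, shown as an added example (this is not pfSense code): a denylist that strips '/' and '-' still passes other shell metacharacters through, while an allowlist check followed by escapeshellarg() does not. The function names, the pkg-helper command and the package-name pattern are assumptions made for illustration.

```php
<?php
// Added illustration: hypothetical handler code, not taken from pfSense.

// Assumed package-name grammar: first character alphanumeric, then letters,
// digits, '.', '_', '+' or '-', at most 64 characters in total.
const PKG_NAME_RE = '/\A[A-Za-z0-9][A-Za-z0-9._+-]{0,63}\z/';

// Denylist approach (the weak pattern): removes two characters and passes
// everything else through, so ';', '|', '&', '$', '`' and newlines still
// reach the shell. It also mangles legitimate names that contain '-'.
function build_cmd_denylist(string $id): string
{
    $filtered = str_replace(['/', '-'], '', $id);
    return "pkg-helper install {$filtered}";    // hypothetical command
}

// Allowlist approach: reject anything that is not a well-formed package
// name, then quote the value so it can only ever be a single argument.
function build_cmd_allowlist(string $id): ?string
{
    if (preg_match(PKG_NAME_RE, $id) !== 1) {
        return null;                            // caller returns an error page
    }
    return 'pkg-helper install ' . escapeshellarg($id);
}

// Constructed sample inputs: one valid name, two with shell metacharacters,
// and one that would be read as an option rather than a package name.
$samples = ['pfSense-pkg-example', 'example;echo injected',
            "example\necho injected", '-f'];
foreach ($samples as $id) {
    printf("%-28s denylist: %-42s allowlist: %s\n",
        json_encode($id),
        json_encode(build_cmd_denylist($id)),
        json_encode(build_cmd_allowlist($id)));
}
```

Only the first sample yields a command from build_cmd_allowlist(); the other three return null, whereas build_cmd_denylist() builds a command string for every input.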
IV. Workaround
The issue can be mitigated by restricting access to the firewall GUI with
firewall rules, by not allowing untrusted users to have accounts with GUI
access, and by not granting untrusted administrators access to the pages in
question.
V. Solution
Upgrade to pfSense 2.3.1_2. This may be performed in the web interface or from
the console.
See https://doc.pfsense.org/index.php/Upgrade_Guide
VI. Correction details
The following list contains the correction revision numbers for each
affected item.
Branch/path Revision
-------------------------------------------------------------------------
pfSense/master 56218db2d33edb4280c88f1688c07e9d02ce6546
d85e29b74bda133a0704bd7ee9fb493dc7095268
ddbe2c0cd9d283d8f6ecc65ffbdc5417f66d63b7
af0a2a755f31e38cc7f92e11f35c77f4b202fe36
5b216d25f9db6e4b07a7ccd0a664de46038a6175
5fd5f7e78d671963672fd813182a3f2aefad3bbc
a915cb4cbef79a9197e2007326ba8f83fa101f12
c078dd89d4ec787e9e4d17123274072fbb1f9e0d
756ef4dfff6ddedfc5d6dc462b76192858c22d03
pfSense/RELENG_2_3 3b5af71265548616dcd96ce5f2c5346c007c61c1
689c4eb8271c38d03de6f4d556dc21ec4e48924d
a42bea4a2cfc8b5792ebbc208c6b8237c342d05c
12e90cdca643cb48de1cc386d7a575480ca08b69
a6885d24c9b75a76a4d165c62b7d6c820a00a98a
88689d028924a2eb1c923a70d5460ad35ed9c7c1
0067c9a75095d9010d47b580f2798dc3029c7add
1a6fc86d35b7d9d43d79a0125980ac83f6232fa0
c87deb1ab570ef0488e01a0ea29b01146c0d7758
pfSense/RELENG_2_3_1 7e1f301e21ebbf86b119a4b32ef72d2059cde961
d38ccd2bc5df7403a32ab0dc87741838c0f8c587
b926fb222ccbea2948c1ef89b110366d6a469449
6f5cef535fbddafcc8cc60b810b5854bf43c55e2
8b769240b4ed2991a58702c86706814079d2bc08
3187d056a2175180b4d22d0502a3ac2c0c1c37ae
1cdaa0dd5654edd3979163010f4e78756b2d9da9
78fd804cb8496acd6a08245627b5a682a3e280cd
9fd4b658857a14cfddf25141acaac89a4d6e9927
-------------------------------------------------------------------------
VII. References
<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>
The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-16_07.webgui.asc>