BSDSec

deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-16_08.webgui

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-16_08.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2016-06-09
Credits:        Scott White (s4squatch) - TrustedSec www.trustedsec.com
Affects:        pfSense <= 2.3.1_1
Corrected:      2016-06-09 20:08:22 UTC (pfSense/master, pfSense 2.4)
                2016-06-09 20:05:40 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2016-06-09 20:06:33 UTC (pfSense/RELENG_2_3_1, pfSense 2.3.1_x)

0.   Revision History

v1.0  2016-06-09 Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense system includes third-party free software
packages for additional functionality, and provides most of the functionality
of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A command-injection vulnerability exists in auth.inc via system_groupmanager.php
using the 'members' parameter. This allows an authenticated WebGUI user with
privileges for system_groupmanager.php to execute commands in the context of the
root user.

III. Impact

A user on pfSense version 2.3.1_1 or earlier, granted limited access to the
pfSense web configurator GUI including access to system_groupmanager.php could
leverage these vulnerabilities to gain increased privileges, read other files,
execute commands, or perform other alterations.

Note users with access to the group manager almost always have full
admin rights,
and can grant themselves such rights if they do not already have them.

This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI both with
firewall rules and by not allowing untrusted users to have accounts with GUI
access, and by not granting untrusted administrators access to the pages in
question.

V.   Solution

Upgrade to pfSense 2.3.1_1. This may be performed in the web interface or from
the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     5bef24071ac954b903f5bfb3e34590c485baf68e
                                   e63321a5e9dd0d0224a8ebd7626b65a63fa153bf
                                   0a39f78f5b900abfd00d71072f77d7862a41027b
                                   4bf17edc2f5f44f5fe1ac53494bc7a2d6effaff7
pfSense/RELENG_2_3                 9630ba1faf3945097756f090ee8224edaef0e768
                                   b2267ff9d2f1df9dbe1603276c7c67b1ec7ee324
                                   1929acf18ff249f76ef00d2bfacd772397d01634
pfSense/RELENG_2_3_1               2095e91fa7985da8f86df4a9e6d8f58cc1088487
                                   6314397f65d1620228599591942054c3704149d6
                                   34bc249ff83cac9df8d7f515a52cc67b04dc38fe
- - -------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJXYuM8AAoJEBO5h/2SFPja7GoQALcEWnncnKnnhYbRkAW0SFn/
MTDT9w63kzqIgxGn4LVX/Ck/jxsnlPnSJwKgQArZe+Oi7Um2HidypG4UavL/IFrn
h63LmkxG8xTPm3fCDVH1vZuwG5t7b4etFTiZDMnnI9mLBVMm9SnSBow+Rq2+aa4Z
iblt/G+6/VeJYK1oC/KPiVb4PEK3pT1ci+0bD2Gkc0/a+m1NClWCZe3uMCp6MrNg
hTLvNnqK2w9H/jnwQRNBzngrllQNG0PH26Zjj97gl1RERRcsdLwfFyldHAfuChOi
aJcJVJFZv91FA8tBfM+e9eT01OlaowjaMEQicv2cdhnATbDqZRHBJMUgmIR6L3Pk
mP6RThy8PO6h/T8YZDyEKGYbl7we5oGFKizMEwb1bXDyTSgWvxmz/QCOpfHRATJH
Oxca8TkFP3P8DyqAgAuPYaccHH7Qh69z7MroZvaogWpoE/xV3d8YwWK3Qg2mzVZo
E2E2c/tNK5Wj5kF78TpaBCMaAbcXXcm2bfIJ4z35Qg3+twpLN3JK/gydPFfMyRlz
uLG65AuG7BBNMJNCdg7jwDB9ytBDSNcBmr8jNg0qCbBlIefKaql9GTiBhaed4h01
A21NWIuO9r9g9LJ3o8vcL3VDufc92hJlFNck0H6T0cXAZu0LxGbWByCP8m0J/rmD
A5vrVVhOZuzV+S35etRC
=Vagq
-----END PGP SIGNATURE-----
_______________________________________________
Security-announce mailing list
Security-announce@lists.pfsense.org
https://lists.pfsense.org/mailman/listinfo/security-announce