[Security-announce] pfSense-SA-16_08.webgui
16 June, 2016 by cmb@pfsense.com | pfsense
=============================================================================
pfSense-SA-16_08.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2016-06-09
Credits:        Scott White (s4squatch) - TrustedSec www.trustedsec.com
Affects:        pfSense <= 2.3.1_1
Corrected:      2016-06-09 20:08:22 UTC (pfSense/master, pfSense 2.4)
                2016-06-09 20:05:40 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2016-06-09 20:06:33 UTC (pfSense/RELENG_2_3_1, pfSense 2.3.1_x)

0.   Revision History

v1.0  2016-06-09  Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description

A command-injection vulnerability exists in auth.inc via
system_groupmanager.php using the 'members' parameter.

This allows an authenticated WebGUI user with privileges for
system_groupmanager.php to execute commands in the context of the root user.

III. Impact

A user on pfSense version 2.3.1_1 or earlier, granted limited access to the
pfSense web configurator GUI including access to system_groupmanager.php,
could leverage these vulnerabilities to gain increased privileges, read
other files, execute commands, or perform other alterations.

Note that users with access to the group manager almost always have full
admin rights, and can grant themselves such rights if they do not already
have them.

This is not relevant for admin-level users as there are other deliberate
means by which an administrator could run commands.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI both
with firewall rules and by not allowing untrusted users to have accounts
with GUI access, and by not granting untrusted administrators access to the
pages in question.

V.   Solution

Upgrade to pfSense 2.3.1_1. This may be performed in the web interface or
from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master           5bef24071ac954b903f5bfb3e34590c485baf68e
                         e63321a5e9dd0d0224a8ebd7626b65a63fa153bf
                         0a39f78f5b900abfd00d71072f77d7862a41027b
                         4bf17edc2f5f44f5fe1ac53494bc7a2d6effaff7
pfSense/RELENG_2_3       9630ba1faf3945097756f090ee8224edaef0e768
                         b2267ff9d2f1df9dbe1603276c7c67b1ec7ee324
                         1929acf18ff249f76ef00d2bfacd772397d01634
pfSense/RELENG_2_3_1     2095e91fa7985da8f86df4a9e6d8f58cc1088487
                         6314397f65d1620228599591942054c3704149d6
                         34bc249ff83cac9df8d7f515a52cc67b04dc38fe
-------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-16_08.webgui.asc>
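
The Problem Description above concerns a request parameter ('members') reaching a command that runs as root. The following PHP is an added illustration of the defensive pattern for that bug class; it is not pfSense source code and not the project's actual fix. The function names are hypothetical, and both the assumption that member values are numeric IDs and the use of pw(8) `groupmod -M` as the command are made for illustration only. The script builds and prints the command string without executing it.

```php
<?php
// Added illustration; not pfSense code. Function names are hypothetical.

/**
 * Accept only decimal IDs from a request-supplied 'members' list.
 * Throws rather than dropping bad entries, so the request fails closed.
 */
function validate_member_ids($members): array
{
    if (!is_array($members)) {
        throw new InvalidArgumentException('members must be an array');
    }
    $ids = [];
    foreach ($members as $m) {
        // /D stops "$" from matching before a trailing newline.
        if (!is_string($m) || !preg_match('/^[0-9]{1,10}$/D', $m)) {
            throw new InvalidArgumentException('non-numeric member id rejected');
        }
        $ids[] = (int)$m;
    }
    return array_values(array_unique($ids));
}

/** Build the command from validated values, quoting every argument. */
function build_group_member_command(string $groupName, array $ids): string
{
    // The first character may not be "-", so the name cannot be read as an option.
    if (!preg_match('/^[A-Za-z0-9_][A-Za-z0-9._-]{0,15}$/D', $groupName)) {
        throw new InvalidArgumentException('invalid group name');
    }
    return '/usr/sbin/pw groupmod ' . escapeshellarg($groupName)
        . ' -M ' . escapeshellarg(implode(',', $ids));
}

// Constructed sample inputs: one well-formed list and two malformed ones.
$samples = [
    ['0', '2000', '2001'],
    ['2000', "2001\n"],
    ['2000', '2001;x'],
];
foreach ($samples as $members) {
    try {
        echo build_group_member_command('operators', validate_member_ids($members)), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Validation and quoting are applied together on purpose: the allow-list keeps the data well-formed, and `escapeshellarg()` keeps a later change to the allow-list from reopening the shell.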