[Security-announce] pfSense-SA-17_06.webgui
20 July, 2017 by security@pfsense.org | pfsense
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================================================= pfSense-SA-17_06.webgui Security Advisory pfSense Topic: Brute force login protection weakness in the WebGUI Category: pfSense Base System Module: webgui Announced: 2016-07-19 Credits: Security Innovation, Inc Affects: pfSense software version <= 2.3.4 Corrected: 2017-07-14 13:55:18 UTC (pfSense/master, pfSense 2.4) 2017-07-14 13:57:14 UTC (pfSense/RELENG_2_3, pfSense 2.3.5) 2017-07-14 13:57:16 UTC (pfSense/RELENG_2_3_4, pfSense 2.3.4_x) 0. Revision History v1.0 2016-07-19 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description Malicious clients attempting to repeatedly authenticate to the pfSense WebGUI are added to a lockout table which prevents new connections. Existing connections are not dropped, however, so if a browser or malicious client holds open an existing connection and continues to send requests, those attempts are not stopped. III. Impact Due to the connections not being dropped, a malicious client can send numerous brute force login attempts beyond the expected cut-off limit. If firewall accounts have weak passwords, an attacker could potentially gain access. This problem does not affect ssh logins in the same way because the ssh daemon itself will terminate a connection after repeated failures, and due to the lockout table, a malicious client will not be able to reconnect to send additional attempts once that happens. IV. Workaround To mitigate the problem on older releases, use one or more of the following: * Never allow access to firewall management daemons directly from the Internet. * Use a VPN to access firewall management daemons remotely if needed. * Use firewall rules to block access to firewall management daemons from non- management networks. * Prevent local users on non-management networks from reaching firewall management daemons. V. Solution Upgrade to pfSense software version 2.3.4-p1 or a later version. This upgrade may be performed in the web interface or from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide VI. Correction details The following list contains the correction revision numbers for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master cc9b0f76da4936ac7510eee6cb5e0574d11b5973 pfSense/RELENG_2_3 f0da1eda7c38c18202cc0563fd1c83c20a05e2b2 pfSense/RELENG_2_3_4 7505efe78431c4415dfd49d30c6035caf511b460 - - ------------------------------------------------------------------------- VII. References <URL:https://doc.pfsense.org/index.php/Upgrade_Guide> The latest revision of this advisory is available at <URL:https://pfsense.org/security/advisories/pfSense-SA-17_06.webgui.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJZbmTDAAoJEBO5h/2SFPjazaUP/Ark5B9ANK/e5LKphnVR/11P 2KR38ehbYGQQlAPDZtK9cn+TmzBw74UvLZqufP9Sdgs9tgjXCCcfT6nUs/kbeZhB NmYyXpenNcmrsqcTZaoE5PvaFCyRF1l1ox6FpSJh3G2+Q15xTDpDytve3Jb20t+a uudn7Mvs2qCyDTN2KSxz+zKz6gmMouwiOUskD64QN/jsbsh9w0wReVp1kEIg7nQb dr8/0lZAXA50ZvIopovtpij2Mjrmeax7Mrx46g8u9Psaxe/qwsDtk5sjG0IzBUYq vb/AgIaAWy8ELfoy6x0rT1bpLJ6eGCBKrcLZP0KBF9LakaqOgs/yMdOWuCGHzVz9 XO31z5ZzXn1llR0tmBcUZvVPks+VNGKC3k+6IQk1nwBHplvGZqWDKHWSipkKZ8Ek hL5L3N92+I+V9X304Y64YPVktnKY1/RADTh9H8H6z4H/tfJR03Rj1UoU5lBUeFIq O91uXHl/OerSDMK0sAjFJ0xe/cOzRGpkjzQThpgq4A6JAOiYTH+bnry18pSXphdp 8RsMK7FHth8QW/zcZ6BLysqOX1bD9cT20h26G/ZrJBBlaRJc5T2rXmlEHhjK16SW 2X1i1jtafAXvZ99BXC2Btgk6RMAcxchMCz/3G0R/z1JECWR7YepyBzTNSXyB4eLO j1g1Mt8LMlKgIlggz0qx =lM0/ -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/security-announce