deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-17_06.webgui

Hash: SHA256

pfSense-SA-17_06.webgui                                     Security Advisory

Topic:          Brute force login protection weakness in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2016-07-19
Credits:        Security Innovation, Inc
Affects:        pfSense software version <= 2.3.4
Corrected:      2017-07-14 13:55:18 UTC (pfSense/master, pfSense 2.4)
                2017-07-14 13:57:14 UTC (pfSense/RELENG_2_3, pfSense 2.3.5)
                2017-07-14 13:57:16 UTC (pfSense/RELENG_2_3_4, pfSense 2.3.4_x)

0.   Revision History

v1.0  2016-07-19 Initial SA draft

I.   Background

pfSenseĀ® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

Malicious clients attempting to repeatedly authenticate to the pfSense WebGUI
are added to a lockout table which prevents new connections. Existing
connections are not dropped, however, so if a browser or malicious client holds
open an existing connection and continues to send requests, those attempts are
not stopped.

III. Impact

Due to the connections not being dropped, a malicious client can send numerous
brute force login attempts beyond the expected cut-off limit. If firewall
accounts have weak passwords, an attacker could potentially gain access.

This problem does not affect ssh logins in the same way because the ssh daemon
itself will terminate a connection after repeated failures, and due to the
lockout table, a malicious client will not be able to reconnect to send
additional attempts once that happens.

IV.  Workaround

To mitigate the problem on older releases, use one or more of the following:

* Never allow access to firewall management daemons directly from the Internet.
* Use a VPN to access firewall management daemons remotely if needed.
* Use firewall rules to block access to firewall management daemons from non-
  management networks.
* Prevent local users on non-management networks from reaching firewall
  management daemons.

V.   Solution

Upgrade to pfSense software version 2.3.4-p1 or a later version. This upgrade
may be performed in the web interface or from the console.


VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     cc9b0f76da4936ac7510eee6cb5e0574d11b5973
pfSense/RELENG_2_3                 f0da1eda7c38c18202cc0563fd1c83c20a05e2b2
pfSense/RELENG_2_3_4               7505efe78431c4415dfd49d30c6035caf511b460
- - -------------------------------------------------------------------------

VII. References


The latest revision of this advisory is available at
Version: GnuPG v2

Security-announce mailing list