deadsimple BSD Security Advisories and Announcements

[Security-announce] pfSense-SA-17_10.webgui

Hash: SHA256

pfSense-SA-17_10.webgui                                     Security Advisory

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2017-12-04
Credits:        Bill Marquette
Affects:        pfSense software version 2.3.x <= 2.3.5, 2.4.x <= 2.4.2
Corrected:      2017-12-01 17:41:56 UTC (pfSense/master, pfSense 2.4)
                2017-12-01 17:43:27 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x)
                2017-12-01 17:44:32 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2017-12-01 17:44:53 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x)

0.   Revision History

v1.0  2017-12-04 Initial SA draft

I.   Background

pfSenseĀ® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

On pfSense 2.4.x, a command-injection vulnerability exists in
system_camanager.php and system_certmanager.php via cert_get_publickey() from due to its passing user certificate and key input through a shell
command pipe This allows an authenticated WebGUI user with privileges for either
of the affected pages to execute commands in the context of the root user.

A similar issue exists on pfSense 2.3.x in the cert_get_modulus() function from, but it is only used on system_certmanager.php.

III. Impact

A user on version 2.4.2, 2.3.5 or earlier of the pfSense software, granted
limited access to the pfSense software WebGUI including access to
system_camanager.php (2.4.x) or system_certmanager.php (2.3.x, 2.4.x), could
leverage these vulnerabilities to gain increased privileges, read arbitrary
files, execute commands, or perform other alterations.

This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI both with
firewall rules and by not allowing untrusted users to have accounts with GUI
access, and by not granting untrusted administrators access to the pages in

V.   Solution

Upgrade to version 2.4.2-p1 or 2.3.5-p1 of the pfSense software, or a later
version. This may be performed in the web interface or from the console.


VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     b6dcbd646feb9c7197b4e94a6031b69c2113d679
pfSense/RELENG_2_4_2               552d77500cf2b6ff97c0ef8057c9a6db8031956b
pfSense/RELENG_2_3                 6e316e955350ad69d4f86cb332a1a48bfa028e2e
pfSense/RELENG_2_3_5               d3e0194e49febdd69a274bdc5bf1bf2f4271fbfd
- - -------------------------------------------------------------------------

VII. References


The latest revision of this advisory is available at
Version: GnuPG v2

Security-announce mailing list