[Security-announce] pfSense-SA-17_10.webgui

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=============================================================================
pfSense-SA-17_10.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2017-12-04
Credits:        Bill Marquette
Affects:        pfSense software version 2.3.x <= 2.3.5, 2.4.x <= 2.4.2
Corrected:      2017-12-01 17:41:56 UTC (pfSense/master, pfSense 2.4)
                2017-12-01 17:43:27 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x)
                2017-12-01 17:44:32 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2017-12-01 17:44:53 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x)

0.   Revision History

v1.0  2017-12-04 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

On pfSense 2.4.x, a command-injection vulnerability exists in
system_camanager.php and system_certmanager.php via cert_get_publickey() from
certs.inc due to its passing user certificate and key input through a shell
command pipe. This allows an authenticated WebGUI user with privileges for either
of the affected pages to execute commands in the context of the root user.

A similar issue exists on pfSense 2.3.x in the cert_get_modulus() function from
certs.inc, but it is only used on system_certmanager.php.
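
The bug class described above, shown as an added example that is not pfSense source code: a helper that pipes user-supplied PEM text through a shell, next to a form that validates the input and parses it in-process. All function names and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; not taken from certs.inc. Names are hypothetical.

// Unsafe pattern of the kind the advisory describes: user-supplied PEM text
// is interpolated into a shell pipeline, so the shell interprets any
// metacharacters in it with the privileges of the calling process.
function publickey_via_shell_UNSAFE($pem) {
    return shell_exec("echo \"{$pem}\" | openssl x509 -noout -pubkey");
}

// Accept exactly one PEM block with the expected label: only the base64
// alphabet and line breaks may appear between the BEGIN and END markers.
function is_strict_pem($pem, $label) {
    $l = preg_quote($label, '#');
    return is_string($pem) && preg_match(
        "#\\A-----BEGIN {$l}-----\\r?\\n[A-Za-z0-9+/=\\r\\n]+-----END {$l}-----\\s*\\z#",
        $pem
    ) === 1;
}

// Hardened form: validate first, then parse with PHP's OpenSSL extension.
// No shell is started, so the input never reaches a command interpreter.
function publickey_from_cert($pem) {
    if (!is_strict_pem($pem, 'CERTIFICATE')) {
        return false;
    }
    $key = openssl_pkey_get_public($pem);   // accepts an X.509 PEM directly
    if ($key === false) {
        return false;
    }
    $details = openssl_pkey_get_details($key);
    return ($details === false) ? false : $details['key'];
}

// Constructed inputs: the first is PEM-shaped, the second carries a
// character outside the base64 alphabet and is rejected before parsing.
$shaped  = "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n";
$tainted = "-----BEGIN CERTIFICATE-----\nQUJD;QUJD\n-----END CERTIFICATE-----\n";
var_dump(is_strict_pem($shaped, 'CERTIFICATE'));
var_dump(is_strict_pem($tainted, 'CERTIFICATE'));
var_dump(publickey_from_cert($tainted));
```

The strict format check is defence in depth; the property that removes the injection is that the hardened path never builds a shell command from request data.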

III. Impact

A user on version 2.4.2, 2.3.5 or earlier of the pfSense software, granted
limited access to the pfSense software WebGUI including access to
system_camanager.php (2.4.x) or system_certmanager.php (2.3.x, 2.4.x), could
leverage these vulnerabilities to gain increased privileges, read arbitrary
files, execute commands, or perform other alterations.

This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI both with
firewall rules and by not allowing untrusted users to have accounts with GUI
access, and by not granting untrusted administrators access to the pages in
question.

V.   Solution

Upgrade to version 2.4.2-p1 or 2.3.5-p1 of the pfSense software, or a later
version. This may be performed in the web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                     b6dcbd646feb9c7197b4e94a6031b69c2113d679
pfSense/RELENG_2_4_2               552d77500cf2b6ff97c0ef8057c9a6db8031956b
pfSense/RELENG_2_3                 6e316e955350ad69d4f86cb332a1a48bfa028e2e
pfSense/RELENG_2_3_5               d3e0194e49febdd69a274bdc5bf1bf2f4271fbfd
- - -------------------------------------------------------------------------

VII. References

<URL:https://doc.pfsense.org/index.php/Upgrade_Guide>

The latest revision of this advisory is available at
<URL:https://pfsense.org/security/advisories/pfSense-SA-17_10.webgui.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
-----END PGP SIGNATURE-----