[Security-announce] pfSense-SA-18_01.packages
29 March, 2018 by security@pfsense.org | pfsense
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================================================= pfSense-SA-18_01.packages Security Advisory pfSense Topic: XSS vulnerability in Status Monitoring base package Category: pfSense Base Packages Module: Status_Monitoring Announced: 2018-01-12 Credits: Cody Sixteen Affects: Status_Monitoring base package < 1.6.5 and 1.7.x < 1.7.6 Corrected: 2018-01-10 21:02:46 UTC FreeBSD-ports/devel, v1.7.6 for pfSense 2.4.3 snapshots 2018-01-10 21:02:46 UTC FreeBSD-ports/RELENG_2_4_1, v1.7.6 for pfSense 2.4.2-RELEASE-p1 2018-01-10 21:31:18 UTC FreeBSD-ports/RELENG_2_3, v1.6.5 for pfSense 2.3.6 snapshots 2018-01-10 21:31:18 UTC FreeBSD-ports/RELENG_2_3_5, v1.6.5 for pfSense 2.3.5-RELEASE-p1 0. Revision History v1.0 2018-01-12 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in the 'left' and 'right' parameters of rrd_fetch_json.php and subsequent output on status_monitoring.php which are a part of the Status_Monitoring package included in the base installation of pfSense software. If a malicious client POSTs a 'right' or 'left' parameter to rrd_fetch_json.php containing HTML, it is passed back to the client without encoding. Additionally, status_monitoring.php displays the errors from rrd_fetch_json.php without encoding. III. Impact Due to the lack of proper encoding on the affected variable susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround No workaround. V. Solution Upgrade to pfSense software version 2.4.3-RELEASE or another corrected version. This upgrade may be performed in the web interface or from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide Rather than a full upgrade, the Status_Monitoring package may be upgraded on its own without performing a full upgrade. Run the following commands at a shell prompt as root (directly or using sudo): pkg update -f pkg upgrade -y pfSense-Status_Monitoring No reboot is required after performing the manual package update. VI. Correction details The following list contains the correction revision numbers for each affected item. Branch/path Revision - - - ------------------------------------------------------------------------- FreeBSD-ports/devel 795d66877be73bd2d111ccc79f9ad0f5a8467de7 FreeBSD-ports/RELENG_2_4_2 350da5e82523165e11344f98b7566c4233b5338b FreeBSD-ports/RELENG_2_3 054317c3e0188b2006d6bd2fb1c5998405e53ec1 833d2d2ef2bca9109624fcce03ef7d4e265ca86e FreeBSD-ports/RELENG_2_3_5 40e2e568226f8e72d5b359575fb38d90a7e1a431 9d6359520574022365a9294bf2bfa47a2a2d0c20 - - - ------------------------------------------------------------------------- VII. References <URL:https://doc.pfsense.org/index.php/Upgrade_Guide> The latest revision of this advisory is available at <URL:https://pfsense.org/security/advisories/pfSense-SA-18_01.webgui.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJaWMsyAAoJEBO5h/2SFPjasrIP/2yeo1KdhXM4GM8MHcAuC13p miKSRcXGABT+RBaQFuuSF5boH5qwuM6StujetSS7sV2QKPkHKhycduGzqS3a8irf Q1yk30srgdJzzgrVWJeZmEGBTx9x+/6r+UmjNXm3EI10pAEs/CwHaUeWEDYgNZRG l37fAsVYfbZ+THZRPHeZN4ci2w42d1AtJ3QWkFKe3UcE7zLsfGvPBkZH4FKYDnfu dQa1CDMW2iW1JKRZdYoMERRR+15eW8XP1ScBdscFZlPtrOY6hjnsiajutO23TUV1 7teQ2YLnLB1w7p7rDvZylbsLJg3d4+tEP5iIVcIZt+26KH56/5rZdt4aFmanbRyw eTkTE3oAtiYpjBSEdz//Tt8hE9/rv5JBtdpTxCtMu1s+YNv+6zLXDj3jOOc1rm8m ogZJUrxLN3EfOU0vPlezKOtsqdptz5GG6IYYt1gx+v4Jelr90yQM5VYBXfWzlYFJ gsyYdc2njc0n6vfNZjvVJ4yptNcsaPY5nNBcWbTU6kU+yruptU29kz6lHaXnAMVq NtA72hanQxMhvpP9FCQ/UkmfFr3//arrGDNnR9DIRAutDFpSyGQmun0ab2cLxnNf HJ9/t0fz+ajw2oUjrBTuxdpU+OIq3CbP7f4FuJ1YkiAaOB9KKiN3qsQkf0Iq1px0 JewysDWuqtCLPZHimkQk =QRqu -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/security-announce