[Security-announce] pfSense-SA-18_02.webgui [UPDATED]
14 May, 2018 by security@pfsense.org | pfsense
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ============================================================================= pfSense-SA-18_02.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2018-01-29 Credits: Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc. Affects: pfSense software version 2.3.x <= 2.3.5-p1, 2.4.x <= 2.4.2-p1 Corrected: 2018-01-29 17:24:25 UTC (pfSense/master, pfSense 2.4.3) 2018-01-29 17:24:25 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x) 2018-01-29 17:24:25 UTC (pfSense/RELENG_2_3, pfSense 2.3.x) 2018-01-29 17:24:25 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x) 0. Revision History v1.0 2018-01-29 Initial SA draft v1.1 2018-05-02 Added 2.3.5_2 version information and fixed year in correction timestamps. I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in diag_system_activity.php, a part of the pfSense software WebGUI, on version 2.3.5-p1 and earlier (2.3.x branch) and on version 2.4.2-p1 and earlier (2.4.x branch). On diag_system_activity.php, the output of the "top" command was printed to the user without encoding, which could be used as an XSS vector. III. Impact Due to the lack of proper encoding on the affected output susceptible to XSS, arbitrary JavaScript can be executed in the user's browser. The user's session cookie or other information from the session may be compromised. Exploiting this requires that the attacker already have sufficient access to the firewall to run arbitrary processes at the command prompt (console or ssh) or via diag_command.php, which makes this attack impractical, but the possibility remains that such a process could be triggered by other means. IV. Workaround No workaround. To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users of pfSense 2.4.x can upgrade to version 2.4.3 or later. This upgrade may be performed in the web interface or from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide Users running pfSense 2.3.x can upgrade to version 2.3.5_2. See https://www.netgate.com/blog/pfsense-2-3-5-release-now-available.html for special instructions on using the 2.3.x legacy Security/Errata branch. VI. Correction details The following list contains the correction revision numbers for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master c083e1e49af4902d15173d412feebd8b86a616ee pfSense/RELENG_2_4_2 bd866431ba009f0ffbb0cad18e156dfd3017dbb7 pfSense/RELENG_2_3 834ac053f1df4effcb70aa82bef780e7a8499e26 pfSense/RELENG_2_3_5 51992270b53084fdf0a2febf2fa3cf823b8357ed - - ------------------------------------------------------------------------- VII. References <URL:https://doc.pfsense.org/index.php/Upgrade_Guide> The latest revision of this advisory is available at <URL:https://pfsense.org/security/advisories/pfSense-SA-18_02.webgui.asc> -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJa6h2vAAoJEBO5h/2SFPjang4QAJGXHypZB7foYhw87Korn+JF vHlzM1a1LwjSvSKJ2yAGqbL7n8QG6lkv7ctVxDfXLx/iDoiFygAAS3vNydNGbCn/ 3uvIfyWCaD1nD+BiXczZyB8rqCdUPO6Pvnv64oXTRH0Kd1YFYKReWPnid0cW8VAe 4eMmRDZLolYbjNxJhEogwLg5EdGFE8KnPkT18wzWZfkLKLOuN5m7m3GJ5WZo7kfD PdGOtKA5MGKD7yIlmt1NQyhTjhsxtvrMGFp9cjtQHa0kE3Q78hZij8OzTIivJRPQ OPFdoHHriSBy5RnCwyMKd7NZdenCfTmiu93EFSMsBiCXa8b7/35PPs1hBjEVPFyo h7foeRblHFRRejrH5EVXDNU5288Lg79Wds+Jn210yTqMxzuDqaqowgkqkUuSb+e2 qdms7lQ/fWKN1+uiMHNB76AawwMChcHZ3YyBpybnq8lVJ6sufZpSSqWjxyMxQlIv Xrcrt99laV57A2pqPanSg1ATBNS8vNNR5Y5Lyurz4d9PgaofA9YLXq6C6BPcDgJz 4Md+re7sKz8hSj8WXvZRBGdyeTaTsMYENjNGnz9nbqD+2VMeTACfHt9dJVYZl2PU ABJVc7n0Ju5s4QvYIiK90H51yG0nX0ynRPDO2jUeq9ZF2+Ca02iIKoOU2hT+ZGPS sbKD15C1A2Yg1lYleLM8 =3MyZ -----END PGP SIGNATURE----- _______________________________________________ Security-announce mailing list Security-announce@lists.pfsense.org https://lists.pfsense.org/mailman/listinfo/security-announce