=============================================================================
pfSense-SA-14:01.snort                                      Security Advisory
                                                                      pfSense

Topic:          Privilege Escalation in Snort pfSense Package

Category:       packages
Module:         snort
Announced:      2014-02-11
Credits:        Pichaya Morimoto/Longcat
Affects:        Snort package version <= 2.9.5.5 pkg v.3.0.2
Corrected:      2014-01-28 16:38:05 UTC
                (Snort package version 2.9.5.5 pkg v.3.0.3)
                pfsense/packages git commit
                6857ff8505977e8898b93c28c394d73ffb167087
CVE Name:       Pending

I.   Background

pfSense is a free network firewall distribution, based on the FreeBSD
operating system with a custom kernel and including third party free
software packages for additional functionality. pfSense provides most of
the functionality of common commercial firewalls, and many times more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is absolutely not necessary. Unlike some
similar GNU/Linux-based firewall distributions, there is no need for any
UNIX knowledge, no need to use the command line for anything, and no need
to ever manually edit any rule sets. In fact, the majority of pfSense users
have never installed or used a stock FreeBSD system. Users familiar with
commercial firewalls catch on to the web interface quickly, though there
can be a learning curve for users not familiar with commercial-grade
firewalls.

Snort is an open source network intrusion prevention and detection system
(IDS/IPS) combining the benefits of signature, protocol, and anomaly-based
inspection.

II.  Problem Description

Input submitted using the "logfile" GET parameter was not properly
validated in config/snort/snort_log_view.php. The lack of validation could
be exploited to disclose the contents of arbitrary files via directory
traversal, include arbitrary files, or gain elevated privileges.

III. Impact

A user granted limited access to the pfSense web configurator GUI,
including access to the snort package, could leverage this vulnerability to
gain increased privileges, read other files, execute PHP code, or perform
other alterations.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI both
with firewall rules and by not allowing untrusted users to have accounts
with GUI access.

V.   Solution

Perform one of the following:

1) Upgrade the Snort package to the current version, 3.0.3. This can be
   performed in the web interface by navigating to System > Packages, on
   the Installed Packages tab. Find the entry for Snort, and click the
   "pkg" button on its row. Confirm the reinstall, and the package will
   update itself.

2) To update your vulnerable system via a source code patch:

   Manually make the change to /usr/local/www/snort/snort_log_view.php from
   https://github.com/pfsense/pfsense-packages/commit/6857ff8505977e8898b93c28c394d73ffb167087

3) Download a copy of the corrected file from a shell prompt (ssh or
   serial/vga console, option 8):

   fetch -o /usr/local/www/snort/snort_log_view.php \
     https://raw2.github.com/pfsense/pfsense-packages/6857ff8505977e8898b93c28c394d73ffb167087/config/snort/snort_log_view.php

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
packages/master/                 6857ff8505977e8898b93c28c394d73ffb167087
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
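
For hosts that were exposed before the upgrade, the "logfile" parameter named in the Problem Description can be hunted for in web server access logs. The script below is an added example, not part of the advisory or of pfSense code; the allowed directory /var/log/snort, the common-log line format and the sample lines are assumptions constructed for illustration.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: directory the Snort GUI is expected to read logs from.
ALLOWED_LOG_DIR = "/var/log/snort"
TARGET_SCRIPT = "snort_log_view.php"
# Request field of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=5):
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_inside(path, base=ALLOWED_LOG_DIR):
    """True only if the normalized absolute path stays under base."""
    # Assumption: legitimate values are absolute paths; anything else is flagged.
    if "\x00" in path or not path.startswith("/"):
        return False
    return posixpath.normpath(path).startswith(base.rstrip("/") + "/")

def suspicious_requests(lines):
    """Return (line_no, decoded_logfile) for logfile values outside the log dir."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.endswith("/" + TARGET_SCRIPT):
            continue
        # parse_qs decodes once; fully_decode handles any further layers.
        for raw in parse_qs(url.query, keep_blank_values=True).get("logfile", []):
            value = fully_decode(raw)
            if not is_inside(value):
                hits.append((line_no, value))
    return hits

# Constructed sample access-log lines (not taken from a real system).
SAMPLE = [
    '192.0.2.10 - - [11/Feb/2014:10:00:01 +0000] "GET /snort/snort_log_view.php?logfile=/var/log/snort/snort_em0/alert HTTP/1.1" 200 5120',
    '192.0.2.44 - - [11/Feb/2014:10:02:13 +0000] "GET /snort/snort_log_view.php?logfile=/var/log/snort/../../../etc/passwd HTTP/1.1" 200 1893',
    '192.0.2.44 - - [11/Feb/2014:10:02:40 +0000] "GET /snort/snort_log_view.php?logfile=%2Fvar%2Flog%2Fsnort%2F..%2F..%2Fsystem.log HTTP/1.1" 200 744',
    '192.0.2.10 - - [11/Feb/2014:10:03:02 +0000] "GET /index.php HTTP/1.1" 200 8101',
]
```

Any hit from suspicious_requests() on real logs is a reason to review which GUI account made the request and what the response size suggests was returned.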