-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-14:02.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2014-02-11
Credits:        Ken Johnson/Telus
Affects:        pfSense <= 2.1
Corrected:      2014-02-04 14:34:42 UTC (pfsense/master)
                2014-02-04 14:47:20 UTC (pfsense/RELENG_2_1, pfSense 2.1.1)
CVE Name:       Pending

I.   Background

pfSense is a free network firewall distribution, based on the FreeBSD
operating system with a custom kernel and including third party free software
packages for additional functionality. pfSense provides most of the
functionality of common commercial firewalls, and many times more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is absolutely not necessary. Unlike some
similar GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge, no need to use the command line for anything, and no need to ever
manually edit any rule sets. In fact, the majority of pfSense users have never
installed or used a stock FreeBSD system. Users familiar with commercial
firewalls catch on to the web interface quickly, though there can be a
learning curve for users not familiar with commercial-grade firewalls.

II.  Problem Description

A command-injection vulnerability exists in firewall_aliases_edit.php.

This allows authenticated WebGUI users with privileges for
firewall_aliases_edit.php to execute commands in the context of the root user.

III. Impact

A user granted limited access to the pfSense web configurator GUI, including
access to firewall_aliases_edit.php via the "WebCfg - Firewall: Alias: Edit
page" permission, could leverage this vulnerability to gain increased
privileges, read other files, execute commands, or perform other alterations.

This is not relevant for admin-level users as there are other deliberate means
by which an administrator could run commands.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI both
with firewall rules and by not allowing untrusted users to have accounts with
GUI access.

V.   Solution

Perform one of the following:

1) Upgrade to pfSense 2.1.1 upon its release. This can be performed in the
   web interface or from the console.

   See https://doc.pfsense.org/index.php/Upgrade_Guide

2) To update your vulnerable system via a source code patch:

   Manually make the change to /usr/local/www/firewall_aliases_edit.php from
   https://github.com/pfsense/pfsense/commit/1eb03024fe15fcd8cdd20f32a9ba7c7f1fb75821

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
pfSense/master                   d31ca3363dcb7b243f71118744123a5ba71665cb
pfSense/RELENG_2_1               1eb03024fe15fcd8cdd20f32a9ba7c7f1fb75821
- -------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

-----END PGP SIGNATURE-----
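
The following is an added example, not part of the advisory or of pfSense's own code: a small audit for the workaround in section IV that lists the non-admin accounts holding the permission named in section III, whether granted directly or through a group. The privilege ids `page-firewall-alias-edit` and `page-all`, and the `<system>/<user>/<group>/<member>/<priv>` layout of the configuration file, are assumptions not stated in the advisory; the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed privilege ids (not given in the advisory):
ALIAS_EDIT = "page-firewall-alias-edit"  # "WebCfg - Firewall: Alias: Edit page"
ALL_PAGES = "page-all"                   # full WebGUI access, treated as admin-level

# Constructed sample in the assumed configuration layout.
SAMPLE = """<pfsense><system>
  <group><name>admins</name><gid>1999</gid><member>0</member>
    <priv>page-all</priv></group>
  <group><name>helpdesk</name><gid>2000</gid><member>2001</member>
    <priv>page-firewall-alias-edit</priv></group>
  <user><name>admin</name><uid>0</uid></user>
  <user><name>alice</name><uid>2000</uid><priv>page-firewall-alias-edit</priv></user>
  <user><name>bob</name><uid>2001</uid></user>
  <user><name>carol</name><uid>2002</uid></user>
</system></pfsense>"""


def exposed_users(config_xml):
    """Map each non-admin user holding ALIAS_EDIT to the source(s) of the grant."""
    system = ET.fromstring(config_xml).find("system")
    if system is None:
        return {}
    watched = {ALIAS_EDIT, ALL_PAGES}
    grants = {}  # uid -> list of (source, privilege) inherited from groups
    for group in system.findall("group"):
        source = "group:" + group.findtext("name", "?")
        privs = {p.text for p in group.findall("priv")} & watched
        for member in group.findall("member"):
            grants.setdefault(member.text, []).extend((source, p) for p in privs)
    result = {}
    for user in system.findall("user"):
        found = list(grants.get(user.findtext("uid"), []))
        found += [("direct", p.text) for p in user.findall("priv") if p.text in watched]
        if any(priv == ALL_PAGES for _, priv in found):
            continue  # admin-level user: the advisory says the issue is not relevant
        sources = sorted(src for src, priv in found if priv == ALIAS_EDIT)
        if sources:
            result[user.findtext("name")] = sources
    return result


if __name__ == "__main__":
    for name, sources in exposed_users(SAMPLE).items():
        print(name, "->", ", ".join(sources))
```

Each account it reports is one that, per section III, could reach root through the affected page until the fix is applied; removing the grant or the account is the workaround from section IV.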