=============================================================================
pfSense-SA-14_10.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Multiple Command Injection Vulnerabilities in the pfSense
                WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2014-06-23
Credits:        Dejan Lukan, Protean Security
Affects:        pfSense <= 2.1.3
Corrected:      2014-06-19 16:04:57 UTC (pfsense/master)
                2014-06-19 16:04:57 UTC (pfsense/RELENG_2_1, pfSense 2.1.4)
CVE Name:       CVE-2014-4688

0.   Revision History

v1.0  2014-06-23  Initial release.
v1.1  2014-07-03  Added CVE reference numbers

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system. Users familiar with commercial
firewalls will quickly understand the web interface. Users unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

Multiple Command Injection vulnerabilities were discovered in the pfSense
WebGUI during a security audit.

 * Command Injection in diag_dns.php [CVE-2014-4688]
 * Command Injection in diag_smart.php [CVE-2014-4688]
 * Command Injection in status_rrd_graph_img.php [CVE-2014-4688]

III. Impact

A user granted limited access to the pfSense web GUI, including access to
the affected pages, can leverage these vulnerabilities to gain increased
privileges, read arbitrary files, execute commands, or perform other
alterations.

The host value passed via POST on diag_dns.php during the "Create Alias"
action is not properly validated or sanitized. A specially-crafted string
sent as the "hostname" value can trigger the vulnerability.

An unused "update e-mail" function is still active on the diag_smart.php
page and its variables are not properly validated or sanitized. A
specially-crafted string sent as the "smartmonemail" value can trigger the
vulnerability.

The database value passed to status_rrd_graph_img.php is not properly
validated or sanitized. A specially-crafted string sent as the "database"
value can trigger the vulnerability.

IV.  Workaround

No workaround is available. Upgrade to pfSense 2.1.4 or later, which
includes fixes for these issues.

The issues may be mitigated by restricting access to the firewall GUI, both
with firewall rules and by not allowing untrusted users to have accounts
with GUI access. Restrict GUI users such that they do not have access to
these pages.

The risk of such attacks being triggered remotely may also be lowered by not
using the same browser session for firewall management and general web
browsing.

V.   Solution

Upgrade to pfSense 2.1.4 upon its release. This may be performed in the web
interface or from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
pfSense/master                   76c4ff0ecf269272aad3a6f06942596d2f0ab9ff
                                 45438fd3fd14a76491f633bf9d34bc239cabb876
                                 d09ff9ef322608ea8c496121faccd3d778e71e25
                                 57627d9f3152f6ea984d3cdff71fa6e888784701
                                 902da388054922274bac36701d0b3ffa09847602
pfSense/RELENG_2_1               ee4ba9fba1f9d49396f3a4882a3239a83c5036d6
                                 e41ab9aa320b4e64a8b99271bb7d3d094da59d56
                                 aa27de6e78ae42d268bd4a53fd0bbe755425e561
                                 2d1e985d2bea59ef4d9712f770474c1d9750f593
                                 4f380b62d55185dbbd2efc19a3b03015bdda5a18
- -------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at
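The validation that section III says was missing, as an added illustration written for this advisory and not taken from pfSense's code; the function names, the hostname grammar and the use of `host` as the lookup command are assumptions. It places the unvalidated pattern beside a form that validates and then quotes, and notes why e-mail validation alone does not make a value shell-safe.

```php
<?php
// Added example, not pfSense code. It illustrates the bug class named in the
// advisory: a request value reaching a shell command without validation.
// Vulnerable pattern, for contrast only: the raw request value is spliced into
// the command string, so any shell metacharacter in it alters the command.
function lookup_unsafe(string $hostname): string
{
    return (string) shell_exec("host " . $hostname);
}

// Layer 1: strict syntactic validation. Assumed RFC 1123-style hostname:
// labels of letters, digits and hyphens, 1-63 chars each, no edge hyphen.
function is_valid_hostname(string $hostname): bool
{
    if ($hostname === '' || strlen($hostname) > 253) {
        return false;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match('/^' . $label . '(?:\.' . $label . ')*\.?$/', $hostname) === 1;
}

// E-mail case: FILTER_VALIDATE_EMAIL rejects whitespace and ';', but the
// local part may legally contain '$', '|' and backticks, so a syntactically
// valid address is still not a shell-safe string. Quoting stays mandatory.
function is_valid_email(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

// Database case: accept only names from an allowlist the server built
// itself (a constructed list here), never a caller-supplied path.
function is_known_database(string $name, array $allowed): bool
{
    return in_array($name, $allowed, true);
}

// Layer 2: quoting. escapeshellarg() single-quotes the value and escapes
// embedded quotes, so even a validator gap cannot add shell syntax.
function lookup_safe(string $hostname): string
{
    if (!is_valid_hostname($hostname)) {
        throw new InvalidArgumentException('hostname rejected by validation');
    }
    return (string) shell_exec('host ' . escapeshellarg($hostname));
}
// Constructed inputs exercising the hostname validator.
foreach (['example.com', '-bad.example.com', 'example.com extra'] as $h) {
    printf("%-20s %s\n", $h, is_valid_hostname($h) ? 'accepted' : 'rejected');
}
```

The two layers are independent on purpose: validation limits what the page accepts, quoting limits what the shell can do with whatever slips through.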