-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-14_11.webgui                                   Security Advisory
                                                                    pfSense

Topic:          Multiple LFI Vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2014-06-23
Credits:        Dejan Lukan, Protean Security
Affects:        pfSense <= 2.1.3
Corrected:      2014-06-18 16:46:23 UTC (pfsense/master)
                2014-06-18 16:46:08 UTC (pfsense/RELENG_2_1, pfSense 2.1.4)
CVE Name:       CVE-2014-4689, CVE-2014-4690

0.   Revision History

v1.0  2014-06-23 Initial release.
v1.1  2014-07-03 Added CVE reference numbers

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar GNU/Linux-based
firewall distributions, there is no need for any UNIX knowledge. The command
line is never used, and there is no need to ever manually edit any rule sets.
The majority of pfSense users have never installed or used a stock FreeBSD
system. Users familiar with commercial firewalls will quickly understand the
web interface. Users unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

During a security audit, the following Local File Include (LFI)
vulnerabilities were discovered in the pfSense WebGUI:

 * LFI vulnerability in pkg_edit.php allows including XML files
   [CVE-2014-4689]
 * LFI vulnerability via directory traversal in pkg_mgr_install.php
   [CVE-2014-4690]
 * LFI vulnerability in system_firmware_restorefullbackup.php
   [CVE-2014-4690]

III. Impact

The pkg_edit.php script, which facilitates using the XML-based package
settings mechanism, does not properly validate the location of the
user-specified XML file path given in the "xml" parameter. An attacker with
access to the pkg_edit.php page can pass an arbitrary file path to any XML
file on the firewall, regardless of path, for inclusion, allowing the XML
file to be read regardless of permissions. The file must be valid XML in the
proper format; files of an arbitrary type cannot be read.

The pkg_mgr_install.php script acting in "installedinfo" mode does not
properly validate the "pkg" parameter. An attacker with access to the
pkg_mgr_install.php page can pass a specially-crafted path to the script,
allowing for directory traversal and reading of any file on the firewall
that has a filename ending with ".info". Files with an arbitrary name cannot
be read.

The system_firmware_restorefullbackup.php script does not properly validate
and sanitize the path given in the "downloadbackup" parameter. An attacker
with full access to the firewall's GUI can read arbitrary files by sending a
specially crafted string as the "downloadbackup" parameter. Access to
system_firmware_restorefullbackup.php on its own is not enough to fully
exploit the LFI; the user must have full privileges to all pages.

IV.  Workaround

No workaround is available. Upgrade to pfSense 2.1.4 or later, which
includes fixes for these issues.

The issues may be mitigated by restricting access to the firewall GUI, both
with firewall rules and by not allowing untrusted users to have accounts
with GUI access. Given that full access to all pages is required to exploit
the flaw in system_firmware_restorefullbackup.php, restrict admin access in
the GUI to only the pages required for specific tasks to be performed by
other firewall users.

V.   Solution

Upgrade to pfSense 2.1.4 upon its release. This may be performed in the web
interface or from the console. See
https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master                          69eb2e295fbbea1ff16d4b20e7e056b70469aad4
                                        bef9f697b5158b8a25b9b8019228ad1dbddb1530
                                        7145cd87d1f6c67c900f6966df5f2d0ace50e109
                                        5de32d520bc7eee5ef400951130eef8a5cec9a2f
pfSense/RELENG_2_1                      9ddd3418dad5648d4435a45c14d085048ad51a9f
                                        811baa9bf50571bac372ddea0df5771fe1167d7b
                                        1cfe54900afbf48a59e672e73b78746ce2731750
                                        62480a449efcbce74a48fbe7064193acd0290650
- - -------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJTtWtxAAoJEBO5h/2SFPjasagP/0aA60IwLuhIQc08sjXV0+Wa
auVN1gUkW9Ato3/nmVY6HNpKpiCn54s00jS1AX86ipn7/SuqYcigmp0mkzOeWSCp
sgEkkBDcQNnixMzYFwty8CdQVlVnZ91ctzId8YA8Tng09Ps9ndMFatoR897lMPJ+
iiIBikEUwEl70BTrjHAoU3QyndxtzpM7eGMrEwviCXA3ts7rlX5l7Ao9REKOuHcz
mWWI+F5GFGvSwaMZRmVmMheICuF38F9XYSKSzCNktSyJ87fSCtyCtgqEeySiO+IH
A9y/as0HRDuEEq8X5DE2TAMmmMxRcm/Df8EwcuiRrXE9sc62t/B4PfhaDJtt/Oge
W2ID+WSTATfU2wReiJ7p/hiPUQpduI5wHM9JOMAAOdjLlek4ytFPxM+2lFTv2pne
2H+1+ykGrT/LGXJkHZKy8G6tzNHemV6GlVCv89P+iSmFd6GaoL/lWRZLkoL+IMYv
qgTYrP7c3j1bSTMet8NloxauRbIEz9yAJJtxVmOimoMm8K9HCzvQL4Mhx3LPb/2R
KByduHDwriBr7jDchsGbfp1muJzNaNEBU0co4vV00yjaCDsG+bd8CRMzM7WovRbt
NTWZH5r65d3FNmXHvRAjEJZPow7zTcVz60DnM8Jm457QpUDHHvyrvL6W3kukK5hC
YSyZSdIHEyspoR8j+Zm7
=Jowc
-----END PGP SIGNATURE-----
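The three issues above share one root cause: a user-controlled value ("xml", "pkg", "downloadbackup") is used to build a filesystem path without confining the result to the directory the page is meant to serve from. The PHP below is an added illustration of that confinement check, written for this page; it is not pfSense code and not the fix in the commits listed in section VI. The base directory (a temporary directory created by the example), the ".xml" extension requirement and the function name resolve_allowed_file are assumptions made for the example.

```php
<?php
// Added example (not pfSense code): confine a user-supplied file name to one
// base directory and one extension before the file is opened or included.
// Assumptions for this example: the base directory is created under the
// system temp dir, and only ".xml" files are acceptable.

/**
 * Return the canonical path of $userPath if it names an existing regular file
 * inside $baseDir whose name ends in $ext; otherwise return null.
 */
function resolve_allowed_file(string $baseDir, string $userPath, string $ext): ?string
{
    // A NUL byte truncates the path in the C-level filesystem calls PHP makes,
    // so reject it before touching the filesystem at all.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // Treat the input as relative to the base (never as an absolute path) and
    // canonicalise it: realpath() collapses "." / ".." and resolves symlinks,
    // and returns false if the target does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }

    // Containment: the canonical path must start with "<base>/". Checking the
    // canonical form (not the raw input) is what defeats "sub/../../x".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Extension check, also on the canonical name.
    if ($ext !== '' && substr($candidate, -strlen($ext)) !== $ext) {
        return null;
    }

    return $candidate;
}

// Self-contained demonstration on a constructed directory tree.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lfi_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/pkg/sub', 0700, true);
file_put_contents($tmp . '/pkg/sub/good.xml', "<pkg/>\n");   // legitimate file
file_put_contents($tmp . '/pkg/notes.txt', "wrong type\n");  // inside base, wrong extension
file_put_contents($tmp . '/secret.txt', "outside base\n");   // outside base

$cases = [
    'sub/good.xml'         => true,   // ordinary relative name
    '/sub/good.xml'        => true,   // leading slash stripped, still contained
    'notes.txt'            => false,  // contained, but not the required extension
    '../secret.txt'        => false,  // traversal out of the base directory
    'sub/../../secret.txt' => false,  // traversal after a valid component
    "sub/good.xml\0.txt"   => false,  // NUL byte rejected up front
    'missing.xml'          => false,  // nonexistent file
];

$allOk = true;
foreach ($cases as $input => $expectAllowed) {
    $result = resolve_allowed_file($tmp . '/pkg', $input, '.xml');
    $ok = (($result !== null) === $expectAllowed);
    $allOk = $allOk && $ok;
    printf("%-24s => %s\n", addcslashes($input, "\0"), $ok ? 'ok' : 'FAIL');
}

// Clean up the constructed tree.
unlink($tmp . '/pkg/sub/good.xml');
unlink($tmp . '/pkg/notes.txt');
unlink($tmp . '/secret.txt');
rmdir($tmp . '/pkg/sub');
rmdir($tmp . '/pkg');
rmdir($tmp);

exit($allOk ? 0 : 1);
```

The order of the checks matters: canonicalise first, then compare the canonical result against the canonical base, and only then look at the extension. Filtering the raw string for "../" is not a substitute, because encoded or symlinked variants pass such a filter while still escaping the directory. The same function covers the ".info" and backup-download cases in the advisory by changing the base directory and extension arguments, which is the generalisation beyond the single XML case described above.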