=============================================================================
pfSense-SA-14_12.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Multiple Session Management issues in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2014-06-23
Credits:        Dejan Lukan, Protean Security
Affects:        pfSense <= 2.1.3
Corrected:      2014-06-18 10:38:12 UTC (pfsense/master)
                2014-06-18 10:38:12 UTC (pfsense/RELENG_2_1, pfSense 2.1.4)
CVE Name:       CVE-2014-4691, CVE-2014-4692

0. Revision History

v1.0  2014-06-23  Initial release.
v1.1  2014-07-03  Added CVE reference numbers

I. Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system.

Users familiar with commercial firewalls will quickly understand the web
interface. Users unfamiliar with commercial-grade firewalls may encounter a
short learning curve.

II. Problem Description

During a security audit, the following issues with pfSense session
management were discovered in the pfSense WebGUI:

* The session ID is not properly reset when initializing a new login
  session. [CVE-2014-4691]

* The session cookie set at login does not have the HttpOnly flag set when
  the firewall's GUI is configured to use HTTP. [CVE-2014-4692]

III. Impact

Because the session ID is not properly reset when initializing a new login
session, an attacker can dupe an administrator into loading a
specially-crafted page that spoofs the firewall login cookie, setting the
administrator's cookie to an arbitrary value. If the administrator then
logged into the firewall with the compromised cookie in place, the attacker
would know the value of the session ID, allowing the session to be hijacked.

Because the HttpOnly flag is not set, if the firewall administrator
deliberately configures the firewall GUI to use HTTP rather than the default
of HTTPS for the GUI protocol, the login cookie can be read by client-side
JavaScript. Combined with other techniques such as XSS, this can lead to a
compromised login session. The cookie does properly carry the HttpOnly flag
when the GUI is set to use HTTPS.

IV. Workaround

No workaround is available. Upgrade to pfSense 2.1.4 or later, which
includes fixes for these issues.

The issues may be mitigated by restricting access to the firewall GUI, both
with firewall rules and by not allowing untrusted users to have accounts
with GUI access. To mitigate the HttpOnly issue, use HTTPS for the
firewall's management GUI. The risk of such attacks being triggered remotely
may also be lowered by not using the same browser session for firewall
management and general web browsing.

V. Solution

Upgrade to pfSense 2.1.4 upon its release. This may be performed in the web
interface or from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI. Correction details

The following list contains the correction revision numbers for each
affected item.
Branch/path                                                      Revision
- -------------------------------------------------------------------------
pfSense/master          8588095f85372ad9595d785de9e058d9f1e05748
                        16789caa901f2415da67b10ba6da9eb19e870de8
pfSense/RELENG_2_1      ff9b30ec40be6d3edb08953083a4c69ec7e73e71
                        fa73c7cd8bccadca9970d03f534d4546b06d3adf
- -------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at
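As an added illustration of the two issues in sections II and III, and not code from pfSense or from this advisory, the following Python models the session-ID handling at login before and after the fix, the cookie attributes a hardened login response should carry, and a reviewer-side check of a Set-Cookie value; the in-memory session store, the function names and the PHPSESSID cookie name are assumptions.

```python
import secrets


class SessionStore:
    """In-memory session table standing in for the WebGUI's server-side sessions."""

    def __init__(self):
        self.sessions = {}  # session ID -> session data

    def new_sid(self):
        return secrets.token_hex(16)


def login_fixation_prone(store, presented_sid, user):
    """Pre-fix pattern: the ID the browser presented, which a crafted page may have
    planted in the administrator's cookie (CVE-2014-4691), is kept and marked
    authenticated, so whoever planted it now holds an authenticated session."""
    sid = presented_sid or store.new_sid()
    store.sessions[sid] = {"user": user}
    return sid


def login_hardened(store, presented_sid, user):
    """Post-fix pattern: drop the pre-login session and bind the authenticated
    user to a freshly generated ID that no third party has seen."""
    store.sessions.pop(presented_sid, None)
    sid = store.new_sid()
    store.sessions[sid] = {"user": user}
    return sid


def session_cookie(sid, https, name="PHPSESSID"):
    """Build the Set-Cookie value. HttpOnly is set whatever the scheme (the
    CVE-2014-4692 defect was setting it only over HTTPS). Secure is added only
    over HTTPS, because browsers never send a Secure cookie over plain HTTP.
    The cookie name is an assumption, not taken from pfSense."""
    attrs = [f"{name}={sid}", "Path=/", "HttpOnly"]
    if https:
        attrs.append("Secure")
    return "; ".join(attrs)


def audit_set_cookie(header):
    """Reviewer-side check: parse a Set-Cookie value from a login response and
    report whether the HttpOnly and Secure attributes are present."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in header.split(";")[1:]}
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}
```

Running `audit_set_cookie` over the Set-Cookie header of a real login response (with the GUI on HTTP) is a quick way to confirm whether an installation carries the 2.1.4 fix.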