=============================================================================
pfSense-SA-14_13.packages                                   Security Advisory
                                                                      pfSense

Topic:          Multiple Vulnerabilities in the Snort and Suricata packages

Category:       pfSense Packages
Module:         webgui
Announced:      2014-06-23
Credits:        Dejan Lukan, Protean Security
Affects:        Snort package version <= 3.0.12
                Suricata package version <= 1.0.5
Corrected:      2014-06-21 14:15:51 UTC (pfsense-packages/master)
CVE Name:       CVE-2014-4693, CVE-2014-4695 (Snort package)
                CVE-2014-4694, CVE-2014-4696 (Suricata package)

0.   Revision History

v1.0  2014-06-23  Initial release.
v1.1  2014-07-03  Added CVE reference numbers

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets.

The majority of pfSense users have never installed or used a stock FreeBSD
system. Users familiar with commercial firewalls will quickly understand the
web interface. Users unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

During a security audit, multiple vulnerabilities were discovered in the
pfSense packages for Snort and Suricata. These include Cross-site scripting
(XSS) and redirection issues.

The issues are:

* XSS vulnerability in snort_import_aliases.php [CVE-2014-4693]
* XSS vulnerability in snort_select_alias.php [CVE-2014-4693] and
  suricata_select_alias.php [CVE-2014-4694]
* URL Redirection to Untrusted Site in snort_rules_flowbits.php
  [CVE-2014-4695] and suricata_rules_flowbits.php [CVE-2014-4696]
* Error and URL Redirection to Untrusted Site in snort_select_alias.php
  [CVE-2014-4695] and suricata_select_alias.php [CVE-2014-4696]

III. Impact

Systems which have the optional Snort or Suricata packages installed are at
risk. These packages are not installed by default, but may be installed
manually by the end user.

The "eng" parameter passed to snort_import_aliases.php is not properly
validated or sanitized. Due to the lack of proper encoding, arbitrary
JavaScript can be executed in the user's browser. The user's session cookie
or other information from the session can be compromised.

Multiple variables on the snort_select_alias.php and
suricata_select_alias.php scripts were not properly validated or sanitized.
Due to the lack of proper encoding, arbitrary JavaScript can be executed in
the user's browser. The user's session cookie or other information from the
session can be compromised.

The "referer" parameter passed to snort_rules_flowbits.php or
suricata_rules_flowbits.php is not properly sanitized. When using the
"Cancel" action on the page, an arbitrary "referer" URL can be passed during
the POST action that will redirect the user to the supplied page. The
administrator would be redirected to a potentially untrustworthy site.

The "returl" parameter passed to snort_select_alias.php or
suricata_select_alias.php is not properly sanitized. Using a
specially-crafted query, an attacker can pass an arbitrary URL to the script,
redirecting the user to the supplied page. The administrator would be
redirected to a potentially untrustworthy site.

IV.  Workaround

Update or uninstall the affected packages.

The risk of such attacks being triggered remotely may be lowered by not using
the same browser session for firewall management and general web browsing.

V.   Solution

Upgrade the affected packages to a version after the issues were corrected.

Snort package version 3.0.13, or
Suricata package version 1.0.6

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense-packages/master          6048cbcf1b2e2029250f9eb5fe166627c89398fd
                                 35b75b9b94a3f63c358c34fe98ee5ad7f7004a62
                                 2eb1127c38349c26687604ebff93e1277df4d093
                                 79de69da2668af481a1d11b8ec6e2a6c340190cc
-------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at
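
The two defect classes described under "III. Impact" (a "referer"/"returl" value used as a redirect target without validation, and request values written into the page without encoding) can be closed as sketched below. This is an added example, not code from the pfSense packages or from the correction commits; safe_return_url(), h(), the allowlisted page names and the sample inputs are all hypothetical.

```php
<?php
// Added illustration only; not the pfSense packages' code.

// Return $candidate only if it is a same-site path on the allowlist,
// otherwise return $fallback. Fails closed on anything unexpected.
function safe_return_url($candidate, array $allowed_paths, $fallback)
{
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    // Control characters (CR/LF included) and backslashes never belong in a local path.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $candidate)) {
        return $fallback;
    }
    // Require a single leading slash: rejects absolute URLs, scheme-relative
    // "//host" forms and pseudo-schemes such as "javascript:".
    if ($candidate[0] !== '/' || strncmp($candidate, '//', 2) === 0) {
        return $fallback;
    }
    // Compare only the path component against the allowlist.
    $path = parse_url($candidate, PHP_URL_PATH);
    if (!is_string($path) || !in_array($path, $allowed_paths, true)) {
        return $fallback;
    }
    return $candidate;
}

// Encode a request value before writing it into HTML text or a quoted attribute.
function h($value)
{
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample inputs (hypothetical page names and hosts).
$allowed = array('/example_rules.php', '/example_alias.php');
$samples = array(
    '/example_rules.php?id=0',                 // kept: listed local page
    'http://untrusted.example/',               // rejected: absolute URL
    '//untrusted.example/',                    // rejected: scheme-relative
    "/example_rules.php\r\nX-Injected: 1",     // rejected: CR/LF
    '/not_listed.php',                         // rejected: not on the allowlist
);
foreach ($samples as $s) {
    printf("%-45s => %s\n", json_encode($s), safe_return_url($s, $allowed, '/index.php'));
}

// The value carried through the form is encoded when it is emitted again.
echo '<input type="hidden" name="returl" value="' . h('"><b>x') . '"/>' . "\n";
```

Only the first sample is returned unchanged; the other four fall back to /index.php, and the hidden field is emitted with the quote and angle brackets as entities.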