-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-14_17.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Multiple Cross-Site Request Forgery protection bypass
                vulnerabilities in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2014-08-08
Credits:        Stefan Horlacher, Arcus Security GmbH
Affects:        pfSense <= 2.1.4
Corrected:      2014-08-08 15:33:44 UTC (pfsense/master)
                2014-08-08 15:22:40 UTC (pfsense/RELENG_2_1, pfSense 2.1.5)
CVE Name:       CVE-2014-6307

0.   Revision History

v1.0  2014-08-08 Initial release.
v1.1  2015-06-01 Added CVE ID.

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system.

Users familiar with commercial firewalls will quickly understand the web
interface. Users unfamiliar with commercial-grade firewalls may encounter a
short learning curve.

II.  Problem Description

Multiple Cross-Site Request Forgery protection bypass vulnerabilities were
discovered in the pfSense WebGUI during a security audit.

* DNS queries and alias creation are executed with a GET request that lacks
  CSRF protection on diag_dns.php.
* Configuration restore and deletion actions on diag_confbak.php are
  executed with a GET request that lacks CSRF protection.

III. Impact

Due to the lack of CSRF validation on the affected actions and pages, a
CSRF attack could be executed in the user's browser to trigger an unwanted
action.

Loading the diag_dns.php page with the "host" parameter defined performs a
DNS request via GET request. This may cause unintended network activity,
namely a DNS host lookup of the supplied name.

When a lookup on diag_dns.php returns multiple hosts in the DNS result, a
feature is activated that allows the creation of a firewall alias from the
result. This alias is created by following a GET link that does not have any
CSRF protection. A CSRF attack could lead to the creation of this alias
unintentionally.

When selecting a configuration to restore or delete from diag_confbak.php,
the request was handled via GET and was not protected against CSRF. An
attacker could cause the user to follow a link which would restore an older
firewall configuration or delete an older configuration backup
unintentionally.

IV.  Workaround

No workaround is available. Upgrade to pfSense 2.1.5 or later, which
includes fixes for these issues.

The risk of such attacks being triggered remotely may be lowered by not
using the same browser session for firewall management and general web
browsing.

V.   Solution

Upgrade to pfSense 2.1.5 upon its release. This may be performed in the web
interface or from the console. See
https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                         Revision
- - -------------------------------------------------------------------------
pfSense/master                      ed2a6e89df4dc9199072e98bb3e7439d4b398251
                                    b6513591da72694fd7b76db0b09c0b52ebddfd52
pfSense/RELENG_2_1                  a9d6ac9aac9d3ba6d4e9bc0a92b0f813b2e0e7e7
                                    8108b4235b35dc1e21951d5754e6ea4f190e079f
                                    889c83d7f1ad87c5b89e1ed9ef73be7c47cc90f2
- - -------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVbGrqAAoJEBO5h/2SFPjaqQYQAN0cG9oArXOLGqJhpYolhAuc
M4qUHk0cvgPMc0IBxf2Dou9yXqWFamcOSn7HJuyoemKwK9sTJsg66tIT6+Oj/3m3
MjJpb7/+kbGlq1WZan9ymn8qAVes28lK4xYQf6eJpJxQJ5e8Foca2OiAyNBFJzhd
OKz517HjgDcm6PIRddj2j942dgcpLNtKOyI6Xl5RVnJTVnTvD61Wvhxm6jjoIjF8
pGhN1jIBU3s/kKpf0H4yim9qUi3//dNIaxpsIVZIGxNENYT/d0cAQCNj7wvI/h3M
944vW4ZaG2/8PPGw7wAWIg9/g/2N+FxxJnFoQMtC8gppTxpj9XDTnKVzFKXZ+HIv
rZZu8rJ96W0XqEqaFJeaPRr5pJfc5gBNxTepEUgU53LE4ap7jlxM44gbVLIM9OXP
WJ5bd+qpVXsbbojuQv2lD2xWNXilG3HxVAGqmKW6Q6w6Oed0fb1+6l0dRKlQu2J3
N86i7YO0UQLf91hCJ1ngrz5nR+rI1lamcsRT3LGC3azpcf4ozkCqaIENYT8cp+Ql
Fp4Acv7E2jIu/XClIv9WttVKkiPj3fyoq4EWfS7xclz1icIbglQxH5z2SFU8qb6a
yA797Jv7TbU8mxXLuZ5NJrbQzXBrmBDWa4t4AXIFA3Cnf2p2G4nryL7rJyL6uS/9
sY9h9p58nO7bdo81Qtp8
=9IAl
-----END PGP SIGNATURE-----
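The following Python model is an added illustration of the weakness described in sections II and III and of the fix shape that closes it; it is not code from the advisory, from pfSense, or from the cited commits. A state-changing action (here, restoring a configuration backup as diag_confbak.php does) is first driven by a bare GET link, which any page the administrator visits can cause the browser to request with the administrator's session cookie. The hardened handler accepts the action only over POST and only with a per-session token compared in constant time. The `Request` and `Session` shapes, the `restore` parameter name, and the backup ids are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the backup history that diag_confbak.php manages.
# The ids and descriptions are hypothetical.
BACKUPS = {
    "1407500000": "before WAN change",
    "1407510000": "after WAN change",
}


@dataclass
class Request:
    method: str
    params: dict
    # Token the browser submits with the form, if any (hypothetical field).
    csrf_token: Optional[str] = None


@dataclass
class Session:
    # One unguessable token per login session. The server embeds it in a
    # hidden form field and checks it on every state-changing request.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    active_config: str = "current"


def restore_vulnerable(req: Request, sess: Session) -> str:
    """Pattern the advisory describes: a state change driven by a GET link.

    A cross-site page can make the browser issue this GET with the admin's
    cookies attached, so the restore runs without the admin's intent.
    The parameter name 'restore' is a hypothetical stand-in."""
    backup_id = req.params.get("restore")
    if backup_id not in BACKUPS:
        return "no-op"
    sess.active_config = backup_id
    return f"restored {backup_id}"


def restore_hardened(req: Request, sess: Session) -> str:
    """Hardened form: state changes only over POST, and only with a token
    bound to the session, compared in constant time."""
    if req.method != "POST":
        return "rejected: state-changing action must use POST"
    if req.csrf_token is None or not hmac.compare_digest(
        req.csrf_token, sess.csrf_token
    ):
        return "rejected: missing or invalid CSRF token"
    backup_id = req.params.get("restore")
    if backup_id not in BACKUPS:
        return "no-op"
    sess.active_config = backup_id
    return f"restored {backup_id}"


def demo() -> dict:
    """Drive both handlers with a cross-site GET (what a link on a third-party
    page produces) and with a legitimate token-bearing POST from the GUI."""
    results = {}
    cross_site_get = Request("GET", {"restore": "1407500000"})

    sess = Session()
    results["vulnerable_get"] = restore_vulnerable(cross_site_get, sess)

    sess = Session()
    results["hardened_get"] = restore_hardened(cross_site_get, sess)
    results["hardened_post_no_token"] = restore_hardened(
        Request("POST", {"restore": "1407500000"}), sess
    )
    results["hardened_post_bad_token"] = restore_hardened(
        Request("POST", {"restore": "1407500000"}, csrf_token="0" * 64), sess
    )
    results["hardened_post_ok"] = restore_hardened(
        Request("POST", {"restore": "1407500000"}, csrf_token=sess.csrf_token),
        sess,
    )
    results["active_config"] = sess.active_config
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24s} {outcome}")
```

Two points carry the protection: the browser will follow a cross-site link as a GET but cannot read the victim's page to learn the session-bound token, and `hmac.compare_digest` keeps the comparison from leaking the token one byte at a time through timing. Requiring POST alone is not enough, since a cross-site form can submit a POST; the token check is what ties the request to a page the GUI itself served.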
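For administrators who cannot upgrade immediately (section IV offers no workaround beyond separating browser sessions), the following Python is an added example of reviewing web server access logs for the affected actions; it is not a pfSense tool and the advisory does not describe it. It flags GET requests to diag_dns.php that carry the "host" parameter named in section III, and GET requests to diag_confbak.php that carry any query parameters (the advisory does not name those parameters, so the `action` and `id` names in the sample are hypothetical), whenever the Referer is absent or points at a host other than the firewall GUI. The log lines are constructed in Apache/lighttpd combined format, and the GUI address 192.0.2.1 is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Pages named in the advisory. diag_dns.php acts on the "host" parameter;
# for diag_confbak.php the advisory does not name the parameters, so any
# GET carrying a query string is flagged for review.
AFFECTED = {
    "/diag_dns.php": {"host"},
    "/diag_confbak.php": None,  # None = any query parameter
}

# Apache/lighttpd "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line, gui_host):
    """Return a reason string if the line is a GET to an affected page that a
    defender should review, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if url.path not in AFFECTED:
        return None
    params = parse_qs(url.query)
    wanted = AFFECTED[url.path]
    if wanted is None:
        if not params:
            return None  # plain page load, no action requested
    elif not wanted.intersection(params):
        return None  # page loaded without the action parameter
    referer = m["referer"]
    if referer in ("", "-"):
        return "action GET with no Referer (direct navigation or cross-site link)"
    ref_host = urlsplit(referer).netloc.split(":")[0]
    if ref_host != gui_host:
        return f"action GET referred from foreign origin {ref_host}"
    return None


def suspicious_requests(lines, gui_host):
    """Yield (client ip, request target, reason) for every flagged line."""
    out = []
    for line in lines:
        reason = classify(line, gui_host)
        if reason:
            m = LOG_RE.match(line)
            out.append((m["ip"], m["target"], reason))
    return out


# Constructed sample access log lines (not real traffic); the GUI is assumed
# to live at 192.0.2.1 and the admin browses from 192.0.2.10.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Aug/2014:10:00:01 +0000] "GET /diag_dns.php HTTP/1.1" 200 5120 "https://192.0.2.1/index.php" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Aug/2014:10:00:05 +0000] "GET /diag_dns.php?host=example.net HTTP/1.1" 200 6210 "https://192.0.2.1/diag_dns.php" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Aug/2014:10:01:12 +0000] "GET /diag_dns.php?host=example.net HTTP/1.1" 200 6210 "http://third-party.example/page.html" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Aug/2014:10:02:40 +0000] "GET /diag_confbak.php?action=restore&id=1407500000 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [08/Aug/2014:10:03:00 +0000] "POST /diag_confbak.php HTTP/1.1" 302 0 "https://192.0.2.1/diag_confbak.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, reason in suspicious_requests(SAMPLE_LOG, "192.0.2.1"):
        print(f"{ip} {target}: {reason}")
```

Treat the output as a review queue rather than proof of an attack: browsers and privacy extensions sometimes strip the Referer, so a missing header on a GET the administrator typed by hand is expected noise, while a GET action referred from a foreign origin is the pattern this advisory is about and deserves a look at what configuration or alias changed at that time.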