-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-14_18.packages                                 Security Advisory
                                                                    pfSense

Topic:          Bash "Shell Shock" Vulnerability in pfSense Packages

Category:       pfSense Packages
Module:         binaries
Announced:      2014-09-26
Credits:        See CVE for details.
Affects:        FreeRADIUS2 package version < 1.6.8
                Mailscanner package version < 0.2.8
                FreeSWITCH-dev <= 0.9.7.26
Corrected:      2014-09-26 13:03:41 UTC (pfsense-packages/master)
CVE Name:       CVE-2014-6271, CVE-2014-7169 (aka CVE-2014-3659[1])

0.   Revision History

v1.0  2014-09-26 Initial release.

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.

pfSense provides most of the functionality of common commercial firewalls,
and much more. pfSense includes a web interface for the configuration of
all included components. Knowledge of FreeBSD is not necessary. Unlike
similar GNU/Linux-based firewall distributions, there is no need for any
UNIX knowledge. The command line is never used, and there is no need to
ever manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system. Users familiar with commercial
firewalls will quickly understand the web interface. Users unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

Some packages include versions of BASH vulnerable to CVE-2014-6271 and
CVE-2014-7169, also known as "Shell Shock".

- From the CVE description[2][3]:

  [A vulnerable version of bash] processes trailing strings after certain
  malformed function definitions in the values of environment variables,
  which allows remote attackers to write to files or possibly have unknown
  other impact via a crafted environment, as demonstrated by vectors
  involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and
  mod_cgid modules in the Apache HTTP Server, scripts executed by
  unspecified DHCP clients, and other situations in which setting the
  environment occurs across a privilege boundary from Bash execution.

III. Impact

Only systems with optional packages installed which include vulnerable
versions of bash (FreeRADIUS2, FreeSWITCH-dev, mailscanner) are at risk.
These packages are not installed on the base system by default, but may be
installed manually by the end user.

The FreeRADIUS2 package is only impacted if the user has activated
Mobile-One-Time-Password support.

Furthermore, the user would have to manually configure some other mechanism
by which the vulnerability could be triggered using bash in combination
with one of those packages.

IV.  Workaround

Update or uninstall the affected packages.

The FreeSWITCH and FreeSWITCH-dev packages were not actively maintained and
the FreeSWITCH port is no longer available in the FreeBSD ports tree. This
package was removed from our package repository, and if it was in use it
should be uninstalled permanently.

V.   Solution

Upgrade the affected packages to a version after the issues were corrected.

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                        Revision
- - -------------------------------------------------------------------------
pfSense-packages/master                 783721d42370b30de032d1a886506b69cf68f606
                                        770bae54ed3453f2ed1b0039211deb177d9f7e0c
                                        79522144ea76fd62af6ee17246913eef88be30b7
- - -------------------------------------------------------------------------

VII. References

1: http://seclists.org/oss-sec/2014/q3/688
2: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
3: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJUJcATAAoJEBO5h/2SFPja7vAP/2QOPwKcRfAel2NYGCPRQECs
aUGTF+da7HUfAJK6eOga5sXhETuSvLtHUi2g95PM4p8w3KM/tohXtG1vPa0LGedv
6yyd/ZgHmJtOYMWQTpF2ce8nKs74At2ieQ214JspoNUKnikGEMgUPJaYdZZHnqEu
/u0PKzLUyy587mq879rBPJTTGtljsO22RPp6qVZ1EUT+pCdMMtFycUSfhhxkOM+a
TgBDeoZYXLp7FnRdnnYLfH9mlFFceLO4/UU0alpR7JtSwpdLk6v+POq1DdmBSjxN
xmHU6Ak9n+NQg3KOL7/JDwR/ovxEHUZ+czDOAHp4gNHEXUutX9IKoyIDLDOFmrH0
Ymt4S8HNcrTQygbG9lqzeq69IWYBIr1DQ1QV+qxFkbMLQNcXWUvHahWJHvjFaF24
b/WV1v/QvX+P4FkvFcR2E6kNqxX/evCN/1/MXu2SHzrHlhj27osgDsozhJj5RA+v
IhVIHrf104A84Q9Sirp27zIBnoMsIIQzyPs28AJXPlXPPoHXWP8rKErfhoY29YQ+
zuPzZ+4OA0fkCvEndcKXj6jgdGLz7cFVO0C6hpDbtkHBuexasZguI81idRb/zj0j
EyabEv8KT1IOWgEOqwpMriLBlrqoZhLpKYXuiw83qJJVTG7LzQfGhSEeGLuE2OJF
5cnjI5tThwC46rhok5rv
=58yA
-----END PGP SIGNATURE-----
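The shell script below is an added example for sections II and V of this advisory; it is not part of the advisory, the signed message above, or pfSense's own tooling. After upgrading or removing the affected packages, it reports whether a bash binary still executes the trailing text of a function definition carried in an environment variable, which is the CVE-2014-6271 behaviour the quoted CVE description refers to. The probe's trailing command is a harmless echo, so a vulnerable binary only prints a marker. Assumptions: packages built from FreeBSD ports install bash at /usr/local/bin/bash (pass another path as the first argument to check a different binary), and the function names bash_shellshock_status and check_all_bash_binaries are chosen here, not taken from the page. The script checks only CVE-2014-6271; a binary reported as "patched" may still need the follow-up fix for CVE-2014-7169, so confirm the package version against the "Affects" line as well.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether a bash binary still
# imports trailing commands from function definitions in the environment
# (CVE-2014-6271). Prints one word: "patched", "vulnerable" or "missing".
#
# Assumption: packages built from FreeBSD ports use /usr/local/bin/bash;
# pass another path as the first argument to check a different binary.
bash_shellshock_status() {
    bash_bin="${1:-/usr/local/bin/bash}"

    if [ ! -x "$bash_bin" ]; then
        echo missing
        return 0
    fi

    # PROBE holds an empty function body followed by a trailing echo. A
    # vulnerable bash runs that echo while importing the environment, before
    # the ':' command given with -c ever executes; a fixed bash ignores the
    # trailing text (and, since the later fixes, no longer imports plain
    # variables as functions at all). stderr is dropped so any warning the
    # fixed versions print does not pollute the result.
    out=$(env PROBE='() { :;}; echo SHELLSHOCK_PROBE_RAN' "$bash_bin" -c ':' 2>/dev/null)

    case "$out" in
        *SHELLSHOCK_PROBE_RAN*) echo vulnerable ;;
        *)                      echo patched ;;
    esac
}

# Check the usual locations on a pfSense/FreeBSD host, print one line per
# binary, and exit non-zero if any checked bash is still vulnerable so the
# function can drive a cron job or a monitoring check.
check_all_bash_binaries() {
    rc=0
    for candidate in /usr/local/bin/bash /bin/bash; do
        status=$(bash_shellshock_status "$candidate")
        printf '%s\t%s\n' "$candidate" "$status"
        [ "$status" = vulnerable ] && rc=1
    done
    return $rc
}

# Usage when run directly on the firewall shell:
#   sh ./bash_shellshock_check.sh
check_all_bash_binaries
```

Run it once before and once after the package upgrade so the change in status is recorded; "missing" for every candidate path means no ports bash is installed, which is the expected state on a pfSense system without the affected packages.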