=============================================================================
pfSense-SA-16_01.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2016-04-01
Credits:        Francesco Oddo - Security-Assessment.com
Affects:        pfSense < 2.3
Corrected:      2016-02-10 17:19:43 UTC (pfsense/master, pfSense 2.3)
                2016-02-10 17:09:57 UTC (pfsense/RELENG_2_2, pfSense 2.2.x)

0.   Revision History

v1.0  2016-04-01  Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A command-injection vulnerability exists in status_rrd_graph_img.php.

This allows authenticated WebGUI users with privileges for
status_rrd_graph_img.php to execute commands in the context of the root user.

III. Impact

A user on pfSense version 2.2.6 or earlier, granted limited access to the
pfSense web configurator GUI including access to status_rrd_graph_img.php via
the "WebCfg - Status: RRD Graphs page" permission, could leverage this
vulnerability to gain increased privileges, read other files, execute
commands, or perform other alterations.

This is not relevant for admin-level users as there are other deliberate
means by which an administrator could run commands.

pfSense 2.3 is unaffected as the file in question was made obsolete between
the time of the original fix and the release of pfSense 2.3.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI both
with firewall rules and by not allowing untrusted users to have accounts with
GUI access, and by not granting untrusted administrators access to the page
in question.

V.   Solution

Upgrade to pfSense 2.3. This may be performed in the web interface or from
the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                   7cd2add4de7b85f64033722a055d72f379e487ca
pfSense/RELENG_2_2               6a109e3eafe6849d7907d59a3395329aaf5c12c9
-------------------------------------------------------------------------

VII. References

None.

The latest revision of this advisory is available at
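
For the workaround in section IV, one way to find which non-admin accounts can reach the affected page is to audit a config.xml backup. This is an added example, not part of the advisory or of pfSense. It assumes that the "WebCfg - Status: RRD Graphs page" permission is stored as the privilege ID page-status-rrdgraphs, that full access is page-all, and that users and groups sit under <system> as <user>/<group> elements with <uid>, <member> and <priv> children. The sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Assumed privilege IDs as stored in <priv> elements of config.xml.
RRD_PRIV = "page-status-rrdgraphs"   # assumed ID of "WebCfg - Status: RRD Graphs page"
ADMIN_PRIV = "page-all"              # assumed ID of the full-access privilege

# Constructed sample configuration (not taken from a real firewall).
SAMPLE_CONFIG = """<pfsense><system>
  <group><name>admins</name><gid>1999</gid><member>0</member><priv>page-all</priv></group>
  <group><name>noc</name><gid>2000</gid><member>2001</member><member>2002</member>
    <priv>page-status-rrdgraphs</priv></group>
  <user><name>admin</name><uid>0</uid></user>
  <user><name>alice</name><uid>2001</uid></user>
  <user><name>bob</name><uid>2002</uid><priv>page-all</priv></user>
  <user><name>carol</name><uid>2003</uid><priv>page-status-rrdgraphs</priv></user>
  <user><name>dave</name><uid>2004</uid><priv>page-dashboard-all</priv></user>
</system></pfsense>"""

def privs(node):
    """Privilege IDs attached directly to a <user> or <group> element."""
    return {p.text.strip() for p in node.findall("priv") if p.text}

def exposed_accounts(config_xml, target=RRD_PRIV, admin=ADMIN_PRIV):
    """Return {username: source} for non-admin accounts that hold `target`."""
    system = ET.fromstring(config_xml).find("system")
    if system is None:
        return {}
    users = {u.findtext("uid", "").strip(): u for u in system.findall("user")}
    effective = {uid: privs(u) for uid, u in users.items()}
    # Privileges granted directly on the account.
    source = {uid: "user" for uid in users if target in effective[uid]}
    # Privileges inherited through group membership (members are listed by uid).
    for g in system.findall("group"):
        gp = privs(g)
        for m in g.findall("member"):
            uid = (m.text or "").strip()
            if uid not in users:
                continue
            effective[uid] |= gp
            if target in gp:
                source.setdefault(uid, "group:" + g.findtext("name", "?"))
    # Admin-level accounts are skipped: the advisory says the issue is not relevant to them.
    return {users[uid].findtext("name", uid): src
            for uid, src in sorted(source.items()) if admin not in effective[uid]}

if __name__ == "__main__":
    for name, src in exposed_accounts(SAMPLE_CONFIG).items():
        print(f"{name}: holds {RRD_PRIV} via {src}")
```

Accounts it reports are the ones to review against the workaround until the firewall is upgraded to pfSense 2.3.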