=============================================================================
pfSense-SA-16_08.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2016-06-09
Credits:        Scott White (s4squatch) - TrustedSec www.trustedsec.com
Affects:        pfSense <= 2.3.1_1
Corrected:      2016-06-09 20:08:22 UTC (pfSense/master, pfSense 2.4)
                2016-06-09 20:05:40 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2016-06-09 20:06:33 UTC (pfSense/RELENG_2_3_1, pfSense 2.3.1_x)

0.   Revision History

v1.0  2016-06-09  Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A command-injection vulnerability exists in auth.inc via
system_groupmanager.php using the 'members' parameter.

This allows an authenticated WebGUI user with privileges for
system_groupmanager.php to execute commands in the context of the root user.

III. Impact

A user on pfSense version 2.3.1_1 or earlier, granted limited access to the
pfSense web configurator GUI including access to system_groupmanager.php
could leverage these vulnerabilities to gain increased privileges, read other
files, execute commands, or perform other alterations.

Note users with access to the group manager almost always have full admin
rights, and can grant themselves such rights if they do not already have
them.

This is not relevant for admin-level users as there are other deliberate
means by which an administrator could run commands.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI both
with firewall rules and by not allowing untrusted users to have accounts with
GUI access, and by not granting untrusted administrators access to the pages
in question.

V.   Solution

Upgrade to pfSense 2.3.1_5. This may be performed in the web interface or
from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                   5bef24071ac954b903f5bfb3e34590c485baf68e
                                 e63321a5e9dd0d0224a8ebd7626b65a63fa153bf
                                 0a39f78f5b900abfd00d71072f77d7862a41027b
                                 4bf17edc2f5f44f5fe1ac53494bc7a2d6effaff7
pfSense/RELENG_2_3               9630ba1faf3945097756f090ee8224edaef0e768
                                 b2267ff9d2f1df9dbe1603276c7c67b1ec7ee324
                                 1929acf18ff249f76ef00d2bfacd772397d01634
pfSense/RELENG_2_3_1             2095e91fa7985da8f86df4a9e6d8f58cc1088487
                                 6314397f65d1620228599591942054c3704149d6
                                 34bc249ff83cac9df8d7f515a52cc67b04dc38fe
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
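
The class of bug described in section II (a request parameter reaching a
shell command that runs as root) is normally closed by allowlist validation
combined with argument quoting. The PHP below is an added illustration, not
pfSense code and not the actual fix; the function names, the pw(8) command
line and the sample values are assumptions.

```php
<?php
// Added illustration, not pfSense code. Function names and the pw(8)
// invocation are hypothetical, chosen to mirror the advisory's description.

/**
 * Allowlist check: every submitted member must be a decimal user ID.
 * Returns the cleaned list, or throws if any value is not purely digits.
 */
function validate_member_ids($members): array
{
    if (!is_array($members)) {
        throw new InvalidArgumentException('members must be an array');
    }
    $clean = [];
    foreach ($members as $m) {
        // ctype_digit() is true only for non-empty strings of 0-9, so any
        // value carrying shell metacharacters or whitespace is rejected.
        if (!is_string($m) || !ctype_digit($m) || strlen($m) > 10) {
            throw new InvalidArgumentException('invalid member id');
        }
        $clean[] = (int)$m;
    }
    return array_values(array_unique($clean));
}

/**
 * Build the group-modification command. Every argument is also quoted
 * with escapeshellarg() as a second layer behind the validation.
 */
function build_groupmod_command(string $group, int $gid, $members): string
{
    if (!preg_match('/^[A-Za-z0-9._-]{1,16}$/', $group)) {
        throw new InvalidArgumentException('invalid group name');
    }
    $ids = validate_member_ids($members);
    $cmd = '/usr/sbin/pw groupmod ' . escapeshellarg($group)
         . ' -g ' . escapeshellarg((string)$gid);
    if ($ids) {
        $cmd .= ' -M ' . escapeshellarg(implode(',', $ids));
    }
    return $cmd;
}

// Constructed sample input: one well-formed request, one malformed value.
foreach ([['2000', '2001'], ['2000', '2001;id']] as $members) {
    try {
        echo build_groupmod_command('operators', 2010, $members), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```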