=============================================================================
pfSense-SA-17_02.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2017-02-10
Credits:        Tim Coen - Curesec GmbH
Affects:        pfSense software version <= 2.3.2_1
Corrected:      2017-02-07 19:30:04 UTC (pfSense/master, pfSense 2.4)
                2017-02-07 19:31:11 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2017-02-07 19:31:14 UTC (pfSense/RELENG_2_3_2, pfSense 2.3.2_x)

0.   Revision History

v1.0  2017-02-10  Initial release

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and provides
most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A command-injection vulnerability exists in wizard.php via
update_config_field() due to its passing user input through eval(),
especially in its handling of interfaces_selection type fields.

This allows an authenticated WebGUI user with privileges for wizard.php to
execute commands in the context of the root user.

III. Impact

A user on version 2.3.2_1 or earlier of the pfSense software, granted limited
access to the pfSense software WebGUI including access to wizard.php, could
leverage these vulnerabilities to gain increased privileges, read other
files, execute commands, or perform other alterations.

This is not relevant for admin-level users as there are other deliberate
means by which an administrator could run commands.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI both
with firewall rules and by not allowing untrusted users to have accounts with
GUI access, and by not granting untrusted administrators access to the pages
in question.

V.   Solution

Upgrade to version 2.3.3 of the pfSense software, or a later version. This
may be performed in the web interface or from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                 Revision
-------------------------------------------------------------------------
pfSense/master              5baea4da88fd6c093582d9c3e9b67cce5d6a1013
pfSense/RELENG_2_3          2c5c799a646a014a7729bb834d0f8a92df0f77d0
pfSense/RELENG_2_3_2        d3da9c7d2a40d1550fa3f919d5d067f1daaf95f4
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
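
The "Affects" line and section V reduce to a version comparison that can be run over a firewall inventory. The following is an added example, not part of the original advisory or of pfSense code; the accepted version-string forms and the sample inventory are assumptions made for illustration.

```python
import re

# Last affected release, taken from the advisory's "Affects" line (2.3.2_1).
LAST_AFFECTED = (2, 3, 2, 1)

# Assumed input forms: "2.3.2", "2.3.2_1", "2.3.2-RELEASE", "2.3.2-RELEASE-p1".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?"   # major.minor[.patch]
    r"(?:-RELEASE)?"               # optional release tag
    r"(?:(?:_|-p)(\d+))?$"         # optional patch level, written _N or -pN
)


def parse_version(text):
    """Return (major, minor, patch, patch_level); raise ValueError if unknown."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError("unrecognised version string: %r" % text)
    return tuple(int(g) if g is not None else 0 for g in match.groups())


def is_affected(text):
    """True when the version is <= 2.3.2_1, the range the advisory names."""
    return parse_version(text) <= LAST_AFFECTED


def audit(inventory):
    """Map each host to AFFECTED, ok, or UNKNOWN (never silently 'ok')."""
    report = {}
    for host, version in sorted(inventory.items()):
        try:
            report[host] = "AFFECTED" if is_affected(version) else "ok"
        except ValueError:
            # Snapshot or malformed strings need a manual check against the
            # "Corrected" timestamps; a version test cannot decide them.
            report[host] = "UNKNOWN"
    return report


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = {
    "fw-branch-1": "2.3.2_1",
    "fw-branch-2": "2.3.2-RELEASE-p1",
    "fw-core": "2.3.3",
    "fw-lab": "2.4.0-BETA",
    "fw-old": "2.2.6",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print("%-12s %-18s %s" % (host, SAMPLE_INVENTORY[host], status))
```

Hosts reported as UNKNOWN should be checked by build date rather than treated as fixed.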