=============================================================================
pfSense-SA-17_10.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2017-12-04
Credits:        Bill Marquette
Affects:        pfSense software version 2.3.x <= 2.3.5, 2.4.x <= 2.4.2
Corrected:      2017-12-01 17:41:56 UTC (pfSense/master, pfSense 2.4)
                2017-12-01 17:43:27 UTC (pfSense/RELENG_2_4_2, pfSense 2.4.2_x)
                2017-12-01 17:44:32 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2017-12-01 17:44:53 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x)

0.   Revision History

v1.0  2017-12-04 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and provides
most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge. The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

On pfSense 2.4.x, a command-injection vulnerability exists in
system_camanager.php and system_certmanager.php via cert_get_publickey() from
certs.inc, because it passes user-supplied certificate and key input through
a shell command pipe.

This allows an authenticated WebGUI user with privileges for either of the
affected pages to execute commands in the context of the root user.

A similar issue exists on pfSense 2.3.x in the cert_get_modulus() function
from certs.inc, but it is only used on system_certmanager.php.

III. Impact

A user on version 2.4.2, 2.3.5 or earlier of the pfSense software, granted
limited access to the pfSense software WebGUI including access to
system_camanager.php (2.4.x) or system_certmanager.php (2.3.x, 2.4.x), could
leverage these vulnerabilities to gain increased privileges, read arbitrary
files, execute commands, or perform other alterations.

This is not relevant for admin-level users as there are other deliberate
means by which an administrator could run commands.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI with
firewall rules, by not allowing untrusted users to have accounts with GUI
access, and by not granting untrusted administrators access to the pages in
question.

V.   Solution

Upgrade to version 2.4.2-p1 or 2.3.5-p1 of the pfSense software, or a later
version. This may be performed in the web interface or from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                   b6dcbd646feb9c7197b4e94a6031b69c2113d679
pfSense/RELENG_2_4_2             552d77500cf2b6ff97c0ef8057c9a6db8031956b
pfSense/RELENG_2_3               6e316e955350ad69d4f86cb332a1a48bfa028e2e
pfSense/RELENG_2_3_5             d3e0194e49febdd69a274bdc5bf1bf2f4271fbfd
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
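
The class of bug described in section II, as an added example that is not pfSense code and not the project's fix: a hypothetical `publickey_via_shell()` shows form input interpolated into a shell pipe, and a hypothetical `publickey_no_shell()` derives the same value in-process with PHP's OpenSSL extension. The function names, the openssl path and the demo input are assumptions.

```php
<?php
// Added illustration, not code from pfSense. Function names are hypothetical.

// UNSAFE pattern (the "before"): the PEM text arrives from a web form and is
// interpolated into a command line, so /bin/sh parses the user's bytes
// before openssl ever sees them.
function publickey_via_shell(string $pem): string {
    return (string) shell_exec("echo \"{$pem}\" | /usr/bin/openssl x509 -noout -pubkey");
}

// Safer: parse the input in-process. No shell is started, so shell
// metacharacters in $pem are never interpreted.
function publickey_no_shell(string $pem, string $type = 'crt'): ?string {
    // Accept only a single PEM block. This also rejects "file://..." strings,
    // which the openssl_pkey_get_*() functions would otherwise treat as a
    // path to read from disk.
    $re = '/\A\s*-----BEGIN [A-Z0-9 ]+-----[A-Za-z0-9+\/=\s]+-----END [A-Z0-9 ]+-----\s*\z/';
    if (!preg_match($re, $pem)) {
        return null;
    }
    $key = ($type === 'prv')
        ? openssl_pkey_get_private($pem)   // unencrypted PEM private key
        : openssl_pkey_get_public($pem);   // PEM X.509 certificate or public key
    if ($key === false) {
        return null;                       // looked like PEM but did not parse
    }
    $details = openssl_pkey_get_details($key);
    return $details === false ? null : $details['key'];   // PEM public key
}

// Constructed demo input: a throwaway RSA key generated at run time.
$pair = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($pair !== false && openssl_pkey_export($pair, $privPem)) {
    $expected = openssl_pkey_get_details($pair)['key'];
    // The derived public key matches the one OpenSSL reports for the pair.
    var_dump(publickey_no_shell($privPem, 'prv') === $expected);
}
// Non-PEM input is refused before any OpenSSL call is made.
var_dump(publickey_no_shell('not a certificate', 'crt'));
```

The same review applies to any helper that hands certificate or key text to an external `openssl` binary: check whether the value reaches a shell-parsed string, and prefer in-process parsing or an argument-vector call that reads the data from standard input.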