=============================================================================
pfSense-SA-18_08.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Authenticated Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2018-08-28
Credits:        Reginald Dodd - https://www.linkedin.com/in/reginalddodd/
Affects:        pfSense software versions 2.4.x <= 2.4.3-p1, 2.3.x <= 2.3.5-p2
Corrected:      2018-08-27 13:31:46 UTC (pfSense/master, pfSense 2.4.4)
                2018-08-27 13:32:25 UTC (pfSense/RELENG_2_4_3, pfSense 2.4.3_x)
                2018-08-27 13:34:16 UTC (pfSense/RELENG_2_3_5, pfSense 2.3.5_x)
CVE Name:       CVE-2018-16055

0.   Revision History

v1.0  2018-08-28  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third-party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

An authenticated command injection vulnerability exists in status_interfaces.php via dhcp_relinquish_lease() due to its passing user input from the $_POST parameters "ifdescr" and "ipv" through to a shell execution without escaping the contents of the variables.

This allows an authenticated WebGUI user with privileges for the affected page to execute commands in the context of the root user when submitting a request to relinquish a DHCP lease for an interface which is configured to obtain its address via DHCP.

III. Impact

A user who has been granted limited access to the pfSense software WebGUI including access to status_interfaces.php could leverage this vulnerability to gain increased privileges, read arbitrary files, execute commands, or perform other alterations.

This is not relevant for admin-level users as there are other deliberate means by which an administrator could run commands.

Additionally, this is not relevant on configurations which do not include an interface configured to obtain an address via DHCP.

IV.  Workaround

The issue only affects interfaces configured for DHCP, thus a temporary change to the interface configuration to use a static IP address would work around the issue until an upgrade can be performed.

The issue can also be mitigated by preventing untrusted users from accessing the affected page.

V.   Solution

Users can upgrade to version 2.4.4 or later. This upgrade may be performed in the web interface or from the console.

See https://www.netgate.com/docs/pfsense/install/upgrade-guide.html

Users, including those running 2.3.5-p2, may apply the relevant revisions below using the System Patches package to obtain the fix.

See https://www.netgate.com/docs/pfsense/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                   c45cac34db914f175dc3cbfed8119d08d08aa519
pfSense/RELENG_2_4_3             daedcb948a45b8df49d811885f150bdf1c7874f0
pfSense/RELENG_2_3_5             10f9a4a965a182050997e28ece509d841a1d0b2b
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
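
The class of bug described in section II, as an added example that is not pfSense code and not part of the advisory: a handler that concatenates request fields into a shell command, beside a hardened version that allowlists and quotes them. The function names, the `/usr/local/sbin/release-lease` path, the interface list and the assumption that "ipv" is either 4 or 6 are hypothetical.

```php
<?php
// Added illustration; all names here are hypothetical, not pfSense source.

// Hypothetical helper binary standing in for the command the page runs.
const LEASE_TOOL = '/usr/local/sbin/release-lease';

// Vulnerable pattern: request fields are concatenated into the command line,
// so shell metacharacters in either field become part of the command.
function build_release_cmd_unsafe(array $post): string
{
    return LEASE_TOOL . ' -' . $post['ipv'] . ' ' . $post['ifdescr'];
}

// Hardened pattern: allowlist both fields, then quote as a second layer.
function build_release_cmd_safe(array $post, array $configured_ifs): string
{
    $ipv = $post['ipv'] ?? '';
    $if  = $post['ifdescr'] ?? '';

    // Assumption: the IP version field only ever needs the values 4 or 6.
    if (!in_array($ipv, ['4', '6'], true)) {
        throw new InvalidArgumentException('ipv must be 4 or 6');
    }
    // Only interface names the firewall itself knows about are accepted.
    if (!is_string($if) || !in_array($if, $configured_ifs, true)) {
        throw new InvalidArgumentException('unknown interface');
    }
    return LEASE_TOOL . ' -' . $ipv . ' ' . escapeshellarg($if);
}

// Constructed sample input: a normal request and one with a metacharacter.
$configured = ['wan', 'lan', 'opt1'];
$requests = [
    ['ipv' => '4', 'ifdescr' => 'wan'],
    ['ipv' => '4', 'ifdescr' => 'wan; id'],
];

// Nothing is executed; the loop only prints the command each builder yields.
foreach ($requests as $post) {
    echo 'unsafe: ', build_release_cmd_unsafe($post), PHP_EOL;
    try {
        echo 'safe:   ', build_release_cmd_safe($post, $configured), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'safe:   rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```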