=============================================================================
pfSense-SA-18_09.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Authenticated Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2018-11-15
Credits:        Brandon Stultz of Cisco Talos
Affects:        pfSense software versions 2.4.x <= 2.4.4
Corrected:      2018-10-23 17:13:32 UTC (pfSense/master, pfSense 2.4.5)
                2018-10-23 17:13:32 UTC (pfSense/RELENG_2_4_4, pfSense 2.4.4_x)
CVE Name:       CVE-2018-4019, CVE-2018-4020, CVE-2018-4021
Other Refs:     TALOS-2018-0690

0.   Revision History

v1.0  2018-11-15  Initial SA draft
v1.1  2018-12-03  Corrected Credit

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and provides
most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge. The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

An authenticated command injection vulnerability exists in
system_advanced_misc.php via the $_POST parameters "powerd_ac_mode",
"powerd_battery_mode", and "powerd_normal_mode".

This is due to a lack of validation on the input, which was then passed from
the affected $_POST parameters through to a shell execution without escaping
the contents of the variables.

This allowed an authenticated WebGUI user with privileges for the affected
page to execute commands in the context of the root user when the powerd
settings are applied, which happens when the page is saved and at boot time.

III. Impact

A user who has been granted limited access to the pfSense software WebGUI
including access to system_advanced_misc.php could leverage this
vulnerability to gain increased privileges, read arbitrary files, execute
commands, or perform other alterations.

This is not relevant for admin-level users as there are other deliberate
means by which an administrator could run commands.

IV.  Workaround

The issue can be mitigated by preventing untrusted users from accessing the
affected page.

V.   Solution

Users can upgrade to version 2.4.4-p1 or later. This upgrade may be performed
in the web interface or from the console.

See https://www.netgate.com/docs/pfsense/install/upgrade-guide.html

Users may also apply the relevant revisions below using the System Patches
package to obtain the fix.

See https://www.netgate.com/docs/pfsense/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
pfSense/master                   3be699295e5cb7be24cc5361700be1a8b759e26c
pfSense/RELENG_2_4_4             c95a79d324e8785ae3567a84871dce0ebd1290ea
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
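
The class of fix described in section II, as an added example that is not code from pfSense or from this advisory: the three powerd fields are checked against a strict allowlist and quoted before a command line is built. The function name, the default mode and the sample requests are hypothetical; the mode list assumes the short forms documented in FreeBSD powerd(8).

```php
<?php
// Added illustration; not pfSense source code. Names below are hypothetical.

// Modes accepted by FreeBSD powerd(8) for -a, -b and -n (short forms).
const POWERD_MODES = ['hadp', 'adp', 'min', 'max'];

// The three POST fields named in the advisory, mapped to powerd flags.
const POWERD_FIELDS = [
    'powerd_ac_mode'      => '-a',
    'powerd_battery_mode' => '-b',
    'powerd_normal_mode'  => '-n',
];

/**
 * Validate the submitted modes and return [errors, argument string].
 * Missing fields fall back to $default (an assumed default).
 */
function build_powerd_args(array $input, string $default = 'hadp'): array
{
    $errors = [];
    $args = [];
    foreach (POWERD_FIELDS as $field => $flag) {
        $value = $input[$field] ?? $default;
        // Strict allowlist: anything else is rejected, never "cleaned up".
        if (!is_string($value) || !in_array($value, POWERD_MODES, true)) {
            $errors[] = "Invalid value for {$field}";
            continue;
        }
        // Defence in depth: quote the value even though it passed the check.
        $args[] = $flag . ' ' . escapeshellarg($value);
    }
    // No partial command line is returned when any field failed.
    return [$errors, $errors ? '' : implode(' ', $args)];
}

// Constructed sample input: the second request carries a shell metacharacter.
$samples = [
    ['powerd_ac_mode' => 'max', 'powerd_battery_mode' => 'min', 'powerd_normal_mode' => 'adp'],
    ['powerd_ac_mode' => 'max; echo constructed', 'powerd_battery_mode' => 'min'],
];
foreach ($samples as $input) {
    [$errors, $args] = build_powerd_args($input);
    echo $errors ? 'rejected: ' . implode(', ', $errors) : "powerd {$args}", PHP_EOL;
}
```

Because the advisory notes that the settings are also applied at boot time, the same check belongs wherever the stored values are read back and turned into a command, not only in the form handler.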