=============================================================================
pfSense-SA-19_02.sshguard                                  Security Advisory
                                                                     pfSense

Topic:          Anti-brute force protection bypass

Category:       pfSense Base System
Module:         sshguard
Announced:      2019-05-20
Credits:        Joshua Sign
Affects:        pfSense software versions <= 2.4.4-p2
Corrected:      2019-03-12 19:46:28 UTC (pfSense/master, pfSense 2.5.0)
                2019-03-12 19:46:28 UTC (pfSense/RELENG_2_4_4, pfSense 2.4.4-pX)
                2019-03-12 19:42:27 UTC (freebsd-ports/devel, pfSense 2.5.0)
                2019-03-12 19:42:27 UTC (freebsd-ports/RELENG_2_4_4, pfSense 2.4.4-pX)
CVE Name:       CVE-2018-20798, CVE-2018-20799

0.   Revision History

v1.0  2019-05-20  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall
distributions, there is no need for any UNIX knowledge. The command line
is never used, and there is no need to ever manually edit any rule sets.
Instead, pfSense software includes a web interface for the configuration
of all included components. Users familiar with commercial firewalls will
quickly understand the web interface, while those unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

The sshguard service on pfSense was customized to use multiple tables to
track brute force login attempts: one table for SSH, and another for the
WebGUI. If an attacker was blocked from one service due to repeated failed
attempts, sshguard would not add an entry to the other table. In this
situation sshguard believed the attacker was already blocked, so it did not
block them again.
A cron job was present that cleared entries from these tables after an
hour. However, the sshguard service manages table entries itself, removing
them when it believes it is safe. If the cron job removed an entry and the
attacker made further attempts to gain access, sshguard would not add the
entry back until it had expired internally.

III. Impact

The multiple table issue allowed an attack against one service to continue
unchecked when the attacker had been blocked from the other service.

The cron issue could lead to an attacker not being blocked if they
continued to attack during the window between when the cron job removed an
entry and when sshguard believed the entry should be removed.

IV.  Workaround

No workaround. To help mitigate the problem on older releases, use one or
more of the following:

 * Do not expose the SSH or WebGUI services to untrusted networks.
 * Use key-based authentication for SSH.
 * Use strong authentication credentials.
 * Do not use the default accounts for management.

V.   Solution

Users can upgrade to version 2.4.4-p3 or later. This upgrade may be
performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.
Branch/path                                                       Revision
- -------------------------------------------------------------------------
pfSense/master                 555a9ab5c01101ddab7daa41f35d379d1c39b26e
                               7a68df5efc35b6d1ee514bb87a2298f5180de001
                               397d9fff6df234d98ef2353b0b29912a14777442
pfSense/RELENG_2_4_4           d67449c6a3b6075a9ec4120842fa596e054a3826
                               922a1ae3d9d822bf68f17448756b1e2783d0cf85
                               f1caf190d5b5b0ca3cbd08e0f4db18a4f2763fa0
freebsd-ports/devel            67b3d882c97c23ededf163bb4a5440683b4991ef
                               d46f36406a5de308d36051f240143f2e1b8ce07c
                               c68cad6a5481b2cbff431109546a2df7a6df874d
freebsd-ports/RELENG_2_4_4     ada635723fd0b17f2981d00f3bd07a2a0f2ed89b
                               83633659d573c8a454dc40ca4add1ed5936b3e18
                               5ad58d5a3caf8973b6250a889d00536f43620897
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
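As an added illustration (not sshguard's or pfSense's code), the following Python model replays the two situations from sections II and III: the per-service table layout that skips the second table because sshguard "already" blocked the attacker, and the hourly cron flush that empties a table entry sshguard still believes is in place. The threshold, timings and attacker address are constructed assumptions, and the hardened variant (one shared table, entry always re-added on block) is an illustration of the failure mode rather than the actual pfSense patch.

```python
from dataclasses import dataclass, field

THRESHOLD = 3          # failed attempts before sshguard blocks (assumed value)
BLOCK_TIME = 2 * 3600  # how long sshguard keeps its own record (assumed value)
CRON_PERIOD = 3600     # the advisory's cron job cleared table entries hourly
ATTACKER = "198.51.100.7"  # constructed sample address (documentation range)


@dataclass
class Guard:
    fixed: bool  # False reproduces the behaviour described in the advisory
    tables: dict = field(default_factory=lambda: {"ssh": set(), "webgui": set(), "shared": set()})
    blocked_until: dict = field(default_factory=dict)  # sshguard's internal view
    failures: dict = field(default_factory=dict)

    def table_for(self, service):
        # Vulnerable layout: one pf table per service. Hardened: one shared table.
        return self.tables["shared" if self.fixed else service]

    def failed_login(self, attacker, service, now):
        """Simulate one failed attempt; return True if it reached the service."""
        if attacker in self.table_for(service):
            return False  # pf drops it: attacker is listed in this service's table
        self.failures[attacker] = self.failures.get(attacker, 0) + 1
        if self.failures[attacker] >= THRESHOLD:
            self.block(attacker, service, now)
        return True

    def block(self, attacker, service, now):
        if not self.fixed and self.blocked_until.get(attacker, 0) > now:
            return  # vulnerable: "already blocked", so no entry for this table
        self.blocked_until[attacker] = now + BLOCK_TIME
        self.table_for(service).add(attacker)  # hardened: always (re)add the entry

    def cron_flush(self):
        # The hourly cron job wiped the pf table entries without telling sshguard.
        for entries in self.tables.values():
            entries.clear()


def scenario(fixed):
    """Replay both situations from the advisory; True means an attempt got through."""
    g = Guard(fixed=fixed)
    for t in range(THRESHOLD):  # attacker exceeds the threshold on SSH and is blocked
        g.failed_login(ATTACKER, "ssh", now=t)
    webgui_after_ssh_block = g.failed_login(ATTACKER, "webgui", now=10)
    g.cron_flush()  # an hour later the cron job empties the tables
    g.failed_login(ATTACKER, "ssh", now=CRON_PERIOD + 60)  # first try after the flush
    ssh_after_cron = g.failed_login(ATTACKER, "ssh", now=CRON_PERIOD + 61)
    return webgui_after_ssh_block, ssh_after_cron
```

With `fixed=False` both attempts get through (the WebGUI attempt and the SSH attempt after the flush); with `fixed=True` the shared table drops the WebGUI attempt and the entry is back after the first post-flush attempt.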