=============================================================================
pfSense-SA-19_06.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Authenticated Arbitrary Code Execution in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2019-05-20
Credits:        Bill Marquette
Affects:        pfSense software versions <= 2.4.4-p2
Corrected:      2019-05-13 15:01:28 UTC (pfSense/master, pfSense 2.5.0)
                2019-05-13 15:01:28 UTC (pfSense/RELENG_2_4_4, pfSense 2.4.4-pX)

0.   Revision History

     v1.0  2019-05-20  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

The OpenVPN server (vpn_openvpn_server.php), client (vpn_openvpn_client.php),
and client-specific override (vpn_openvpn_csc.php) pages on pfSense allow
authenticated administrators to enter custom advanced options which are
passed through as-is to the OpenVPN configuration file. These parameters can
include directives such as "up" which are able to run arbitrary binaries when
specific events occur in OpenVPN.

III. Impact

Allowing these advanced parameters is an intended feature.
However, an administrator may not expect that granting a lower-privilege user
access to these pages allows that user to use the advanced options to execute
arbitrary code. An authenticated user granted access to these pages via their
associated privileges, either directly or via group membership, could
leverage these directives to gain elevated privileges and make arbitrary
changes to the firewall.

IV.  Workaround

Remove the associated privileges from untrusted administrators.

V.   Solution

On pfSense 2.4.4-p3 and later a new privilege has been created which
administrators can use to selectively grant access to edit the OpenVPN
advanced options on these pages. This new privilege also carries a warning
that granting it to users effectively gives them full administrative access.

Existing users on pfSense 2.4.4-p3 with limited access to the pages will
still be able to make changes on these pages, but they will no longer be able
to edit the contents of advanced options. The admin account and users granted
admin-equivalent access via the page-all privilege are not limited and may
continue to edit OpenVPN advanced options.

Upgrade to version 2.4.4-p3 or later to obtain the corrections. The upgrade
may be performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users may also apply the relevant revisions below using the System Patches
package to obtain the fix. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.
     Branch/path                                                      Revision
     -------------------------------------------------------------------------
     pfSense/master                   f75b0eb8e781570a84e8700b150e09e081ccacfe
                                      4a1841a1fabcba0100f6a4f505fc1e132c29da20
                                      b8ca6554d022e99921835a2fdb35103f41a7302e
     pfSense/RELENG_2_4_4             a8a07cfbb40a6134d47626cb81d249cf45c1df64
                                      92d5396f044bb1ccd78f2f1faf54474ec80bfd0e
                                      0dd99de71d45ba3a5dcfe6d63c12b7a3b235743c
     -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
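As an added defensive check for the issue described above (example code, not part of this advisory or of pfSense itself), the following Python audits the custom-options text of each OpenVPN instance and flags directives that cause OpenVPN to execute programs, covering the documented script hooks beyond the "up" directive named in section II. It assumes custom options are entered separated by newlines or semicolons, and the instance data is constructed sample input.

```python
"""Audit pfSense OpenVPN custom options for directives that can execute code."""
import re
from typing import Dict, List, Tuple

# OpenVPN directives that run an external program or enable script hooks.
EXEC_DIRECTIVES = frozenset({
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "auth-user-pass-verify", "tls-verify", "script-security", "plugin",
})


def split_options(text: str) -> List[str]:
    """Split one custom-options blob into individual directives.

    Assumption: options are separated by newlines or semicolons, so both are
    treated as separators here; lines starting with '#' are comments."""
    options = []
    for raw in re.split(r"[\n;]", text):
        line = raw.strip()
        if line and not line.startswith("#"):
            options.append(line)
    return options


def find_exec_directives(text: str) -> List[Tuple[str, str]]:
    """Return (directive, full option) for every option that can run code."""
    hits = []
    for option in split_options(text):
        directive = option.split(None, 1)[0].lower()  # case-insensitive match
        if directive in EXEC_DIRECTIVES:
            hits.append((directive, option))
    return hits


def audit_instances(instances: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each OpenVPN instance name to its flagged options (empty if clean)."""
    return {name: find_exec_directives(opts) for name, opts in instances.items()}


# Constructed sample custom options (not taken from any real firewall).
SAMPLE_INSTANCES = {
    "server1": 'push "route 10.0.0.0 255.255.255.0";keepalive 10 60',
    "client1": "script-security 2;up /usr/local/bin/example-hook.sh",
}

if __name__ == "__main__":
    for name, hits in audit_instances(SAMPLE_INSTANCES).items():
        print(f"{name}: {'FLAGGED' if hits else 'clean'}")
        for directive, option in hits:
            print(f"  {directive!r} in: {option}")
```

Any flagged instance indicates that whoever could edit that page's advanced options also had, in effect, the full administrative access the new privilege in section V is meant to gate.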