-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-19_07.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Privilege Escalation in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2019-05-20
Credits:        Netgate
Affects:        pfSense software versions <= 2.4.4-p2
Corrected:      2019-05-09 20:39:46 UTC (pfSense/master, pfSense 2.5.0)
                2019-05-09 20:39:46 UTC (pfSense/RELENG_2_4_4, pfSense 2.4.4-pX)

0.   Revision History

     v1.0  2019-05-20  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall
distributions, there is no need for any UNIX knowledge. The command line
is never used, and there is no need to ever manually edit any rule sets.
Instead, pfSense software includes a web interface for the configuration
of all included components. Users familiar with commercial firewalls will
quickly understand the web interface, while those unfamiliar with
commercial-grade firewalls may encounter a short learning curve.

II.  Problem Description

The privileges for access to the dashboard (page-dashboard-all) and for
direct access to dashboard widgets (page-dashboard-widgets) contained a
match clause for widget files with a leading wildcard. This allowed the
URL to be manipulated in a way which could have been used to gain
elevated privileges.

III. Impact

Authenticated users with these privileges could access pages for which
they had not been granted access by appending a string to the URL ending
in ".widget.php", for example:

https://x.x.x.x/diag_backup.php?a.widget.php

Authenticated users could have used this behavior to gain elevated
privileges and perform actions allowed by any page in the WebGUI.

IV.  Workaround

Remove the associated privileges from untrusted administrators.

V.   Solution

Users can upgrade to version 2.4.4-p3 or later. This upgrade may be
performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users may also apply the relevant revisions below using the System
Patches package to obtain the fix. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                 Revision
- - -------------------------------------------------------------------------
pfSense/master              bc319bc01a4d709b39e4c93c7223d277ee666bff
pfSense/RELENG_2_4_4        2d7ec8bfddb1ddac51426d03f59f3cdc5b8086a2
- - -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAlzcKncACgkQE7mH/ZIU
+NqaPw//StKg8bzfjqWD9Ax6VIE3iN5UAK3mmabICeQvIaatb44/v4CaL4YeQqhU
Nj52lIC2HopJHUOODe+Bhhmv9fDnhDJ2x+OqBgoWwUOewsR8MNSIIbmfRsNh0Uwz
yDNJE/76FWRRqIRgKVIh6pecJhtRMTMJYOkD2Rle6Wg6fQj2fUjjcPioxopaLktu
L1BsJCxaUVWJm4MfwyJCBDmVl0Tc1LXcJTjes69mbEdaZb7F8WfsCKXPfwJXS/4T
l2YFkGOEmpYawitJrMOV3VQ+/BTsnpZ8iJnRD48/+7dyKs4HZpWvNTIA0EVNogtq
MwbL4p24lDgbUoIyOTfKabxMAnljXe9cURSMXvvDYGtj7EAZK2/q6eHqBVEfImlD
T31tgw0GdgImqGETNJMWVrUaQiDlfnXI3SIokzMsQFSczx9zyu23T3c99q2D3hbl
YBbmiuterJUkgyQ2pxD3uo1+cTmvPdd8Jio1fQb/4/ZTDA1T4rPsORqP8yMfOkxs
LdRDho32UQknHJa+lQ3temgkMj1E6svVA77LICd3MTlkBrolhZRulaXbsVXFfwnR
KZL39Smlscic+NnCCA38y2CscLRdCLsH0SvXBvZ+KTucxJQpgWRiPGFtcEyEYU5S
9eJDxuzpb7oy+9jR8KXi/ykmjUKsdThoE5fnnokrwPRh3t4+Dqw=
=VIwN
-----END PGP SIGNATURE-----
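The defect class described in sections II and III (a leading-wildcard privilege match evaluated against a URL that the caller controls) is easier to reason about with a model next to its corrected form. The block below is an added illustration and is not pfSense's own code, nor the code in the referenced commits: the privilege table, the pattern text `*.widget.php`, the `widgets/widgets/` directory, and the widget file name are all assumptions made for the example. It shows why matching a glob against the raw request URI lets the query string satisfy the pattern, how an anchored match on the normalized script path alone closes that hole, and a small audit helper that flags privilege entries whose match patterns begin with a wildcard.

```python
"""Model of the pfSense-SA-19_07 privilege-match defect (added example,
not pfSense's code). Two page-access checks are compared: one that applies
a leading-wildcard glob to the whole request URI, and one that matches only
the normalized script path against a directory-anchored pattern."""
import fnmatch
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed layout: widget scripts live under this directory (not a pfSense fact).
WIDGET_DIR = "widgets/widgets/"

# Constructed privilege tables modelled on the advisory's description of
# page-dashboard-widgets. The weak entry starts with a wildcard; the fixed
# entry is anchored to the widget directory.
PRIVS_VULNERABLE = {"page-dashboard-widgets": ["*.widget.php"]}
PRIVS_FIXED = {"page-dashboard-widgets": [WIDGET_DIR + "*.widget.php"]}


def vulnerable_is_allowed(request_uri, user_privs):
    """Flawed check: the glob is applied to the raw URI, query string included.
    Any URI whose tail is '.widget.php' satisfies '*.widget.php', regardless
    of which script is actually being executed."""
    target = request_uri.lstrip("/")
    for priv in user_privs:
        for pattern in PRIVS_VULNERABLE.get(priv, []):
            if fnmatch.fnmatchcase(target, pattern):
                return True
    return False


def normalized_script_path(request_uri):
    """Reduce a request URI to the script path the server would execute:
    drop the query string, decode percent-escapes, collapse '..' and '//'."""
    path = unquote(urlsplit(request_uri).path)
    return posixpath.normpath("/" + path).lstrip("/")


def fixed_is_allowed(request_uri, user_privs):
    """Corrected check: only the normalized script path is compared, and the
    pattern is anchored to the widget directory, so neither the query string
    nor path traversal can influence the decision."""
    path = normalized_script_path(request_uri)
    for priv in user_privs:
        for pattern in PRIVS_FIXED.get(priv, []):
            if path.startswith(WIDGET_DIR) and fnmatch.fnmatchcase(path, pattern):
                return True
    return False


def find_leading_wildcards(privs):
    """Audit helper: return privilege names whose match patterns begin with a
    glob metacharacter, the shape of pattern this advisory is about."""
    return sorted(
        name
        for name, patterns in privs.items()
        if any(p[:1] in ("*", "?", "[") for p in patterns)
    )


if __name__ == "__main__":
    granted = ["page-dashboard-widgets"]
    # The advisory's example URI: a non-widget page with a query string that
    # happens to end in '.widget.php'.
    uri = "/diag_backup.php?a.widget.php"
    print("vulnerable check:", vulnerable_is_allowed(uri, granted))   # True
    print("fixed check:     ", fixed_is_allowed(uri, granted))        # False
    print("weak privileges: ", find_leading_wildcards(PRIVS_VULNERABLE))
```

The fixed check does two independent things and both matter: `urlsplit` ensures the query string never reaches the matcher, and the `startswith(WIDGET_DIR)` test after `posixpath.normpath` ensures a pattern anchored to a directory cannot be escaped with `..` segments. The audit helper is the kind of check worth running over any privilege or ACL table that uses glob matching, since a pattern with a leading `*` is exactly the condition this advisory names.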