=============================================================================
pfSense-SA-19_08.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Privilege Escalation in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2019-05-20
Credits:        Arnaud Cordier
Affects:        pfSense software versions <= 2.4.4-p2
Corrected:      2019-05-10 19:28:27 UTC (pfSense/master, pfSense 2.5.0)
                2019-05-10 19:28:27 UTC (pfSense/RELENG_2_4_4, pfSense 2.4.4-pX)

0.   Revision History

v1.0  2019-05-20 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and provides
most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

When testing if a privilege matches a requested page, the path to the
filename was not fully resolved before the check was performed. This allowed
a directory traversal style attack to bypass privilege checks and gain
elevated privileges.

III. Impact

An authenticated user with access to a page in the WebGUI could have used a
directory traversal style attack to access other pages for which they did not
have access, gaining elevated privileges.

For example, a user granted access to "a.php" could have gained access to
"b.php" by submitting a request for "a.php/../b.php". The privilege system
matched "a.php" but the WebGUI served "b.php" to the client.

Note that most browsers and HTTP clients will not allow this type of URL, so
attacks are limited to clients such as cURL (using --path-as-is) or special
purpose proxies which allow these requests.

IV.  Workaround

Do not allow untrusted administrators access to the pfSense WebGUI.

V.   Solution

Users can upgrade to version 2.4.4-p3 or later. This upgrade may be performed
in the web interface or from the console.

See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users may also apply the relevant revisions below using the System Patches
package to obtain the fix.

See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master           0604f68855ff65b92cdebd57a08a2ceccbef675c
pfSense/RELENG_2_4_4     ffe379addebcd980399502f31ecdb81e235b1ca5
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
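
Added example (not part of the advisory and not pfSense code): the check
described in sections II and III, modelled in Python with the unresolved match
beside a match performed after the path is resolved. The privilege table, the
"/a.php*" pattern syntax, the user name and all function names are assumptions
made for illustration.

```python
import fnmatch
import posixpath
from urllib.parse import urlsplit

# Constructed privilege table (hypothetical): user -> allowed page patterns.
PRIVILEGES = {"operator": ["/a.php*"]}


def resolve(request_target):
    """Model of the path that ends up being served: query string dropped,
    '.' and '..' segments collapsed, always anchored at the web root."""
    path = urlsplit(request_target).path
    return posixpath.normpath("/" + path.lstrip("/"))


def allowed_unresolved(user, request_target):
    """Pre-fix behaviour as the advisory describes it: the privilege
    pattern is matched against the path exactly as it was received."""
    path = urlsplit(request_target).path
    return any(fnmatch.fnmatchcase(path, p) for p in PRIVILEGES.get(user, []))


def allowed_resolved(user, request_target):
    """Hardened check: resolve the path first, then match the page that
    will actually be served."""
    path = resolve(request_target)
    return any(fnmatch.fnmatchcase(path, p) for p in PRIVILEGES.get(user, []))


def check_mismatch(user, request_target):
    """True when a request passes only because it was matched before being
    resolved. Useful as a regression test or as a log-review predicate."""
    return (allowed_unresolved(user, request_target)
            and not allowed_resolved(user, request_target))


if __name__ == "__main__":
    # Constructed request targets, taken from the advisory's own example.
    for target in ("/a.php", "/a.php?x=1", "/b.php", "/a.php/../b.php"):
        print(f"{target!r:22} serves {resolve(target)!r:10}"
              f" unresolved={allowed_unresolved('operator', target)}"
              f" resolved={allowed_resolved('operator', target)}")
```
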