-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-20_01.webgui                                   Security Advisory
                                                                    pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System Package
Module:         webgui
Announced:      2020-01-17
Credits:        Tarantula Team (VinCSS LLC)
Affects:        pfSense software versions <= 2.4.4-p3 containing
                pfSense-Status_Monitoring base package < 1.7.8
Corrected:      2019-06-19 16:53:12 UTC (FreeBSD-ports/devel, pfSense 2.5.0)
                2019-06-19 16:53:12 UTC (FreeBSD-ports/RELENG_2_4_4, pfSense 2.4.4-pX)

0.   Revision History

v1.0  2020-01-17  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in rrd_fetch_json.php,
a component of the pfSense software WebGUI installed via the base
installation package pfSense-Status_Monitoring. Version 1.7.7 and earlier of
this package include the vulnerable file and were present on pfSense
software version 2.4.4-p3 and earlier.

If rrd_fetch() called by the page in question produced an error, the error
was sent back in JSON without any encoding. If the user created a
specially-crafted set of parameters, the contents of the error may have
included user input, leading to a possible XSS.

III. Impact

Due to the lack of proper encoding on the affected parameters susceptible
to XSS, arbitrary JavaScript could be executed in the user's browser. The
user's session cookie or other information from the session may be
compromised.

IV.  Workaround

No workaround. To help mitigate the problem on releases which cannot be
updated in this way, use one or more of the following:

* Do not give firewall administrators access to pages or functions which
  allow writing arbitrary files to the firewall.
* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Though the pfSense-Status_Monitoring package is included in base
installations of pfSense software, it may be updated independently.
Version 1.7.8 and later contain the corrected files.

Systems upgraded in-place to pfSense software version 2.4.4-p3 after the
corrected version of pfSense-Status_Monitoring was made available may
already contain the fixed version. Check the version number reported by
"pkg info pfSense-Status_Monitoring". If it is 1.7.8 or later, the
installation is not affected.

If the installed version of pfSense-Status_Monitoring is less than 1.7.8,
then update the pfSense-Status_Monitoring package version to the latest
available version as follows.

From the console or SSH shell prompt, run the following commands to update
the pfSense-Status_Monitoring package:

    pkg update
    pkg upgrade -yf pfSense-Status_Monitoring

Users can also install or upgrade to pfSense software version 2.4.5 or
later which contains the corrected package. This upgrade may be performed
in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
---------------------------------------------------------------------------
FreeBSD-ports/devel                      c52e39222c61f5fa98cf384fcd86020e8fe53a49
FreeBSD-ports/RELENG_2_4_4               001bafe577fe343213a24c738fd5da6af79d0189
---------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
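As an added illustration of the defect described in section II (not pfSense's own code and not the actual 1.7.8 patch): an rrd_fetch()-style error string concatenated straight into a JSON body, beside the same response built with json_encode() and served with a JSON content type. The rrd_fetch() error format and the exact fix applied in pfSense-Status_Monitoring 1.7.8 are assumptions here.

```php
<?php
// Illustration only: shows the unsafe pattern the advisory describes
// and one properly encoded form. Not pfSense code; the error text
// format is a constructed sample.

// Unsafe: the error is spliced into JSON by hand. If the error echoes
// a request parameter back, quotes and markup from that parameter land
// in the response unchanged. Without a JSON content type, a browser
// that renders the body treats that markup as HTML.
function vulnerable_error_response(string $error): string
{
    return '{"error": "' . $error . '"}';
}

// Hardened: json_encode() escapes quotes and backslashes so the body is
// always valid JSON, and the JSON_HEX_* flags additionally emit < > & ' "
// as \uXXXX so nothing in the string is usable as markup even if the body
// is ever rendered as a document.
function safe_error_response(string $error): string
{
    return json_encode(
        ['error' => $error],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Declare the body as JSON and forbid sniffing so the browser never
// interprets it as HTML. Assumed usage; header() is a no-op on the CLI.
function emit_json(string $body): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $body, PHP_EOL;
}

// Constructed sample: an error that quotes a user-supplied RRD name.
$err = 'ERROR: cannot open "<b>not-a-file</b>": no such file';

// The first body is not even valid JSON and carries raw markup;
// the second is valid JSON with every markup character encoded.
echo vulnerable_error_response($err), PHP_EOL;
emit_json(safe_error_response($err));
```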