-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-20_03.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2020-01-17 Credits: LoRexxar @ knownsec 404Team Affects: pfSense software versions <= 2.4.4-p3 Corrected: 2019-07-01 18:37:12 UTC (pfSense/master, pfSense 2.5.0) 2019-07-01 18:37:12 UTC (pfSense/RELENG_2_4_5, pfSense 2.4.5) CVE ID: CVE-2019-16914 0. Revision History v1.0 2020-01-17 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A Cross-Site Scripting (XSS) vulnerability was found in services_captiveportal_mac.php, a component of the pfSense software WebGUI, on version 2.4.4-p3 and earlier. The page did not encode the username or delmac parameters in its output, leading to a possible XSS. To take advantage of this XSS, the following prerequisites must be met: 1. There must be at least one Captive Portal zone defined 2. The attacker must know the name of a valid Captive Portal zone 3. There must be at least one pass-through MAC entry defined III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround Remove all Pass-Through MAC entries in Captive Portal if the feature is not required. Disable Captive Portal if it is not required. To help mitigate the problem on older releases, use one or more of the following: * Do not give firewall administrators access to pages or functions which allow writing arbitrary files to the firewall. * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to version 2.4.5 or later. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users may also apply the relevant revisions below using the System Patches package on pfSense 2.4.4-p3. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master d31362b69d5d52dc196dc72f66e830cd1e6e9a4f pfSense/RELENG_2_4_5 3c2cc702439f725bd04ad22cd7809bc6652258f9 - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAl6YpwAACgkQE7mH/ZIU +Nr49xAAhKRwJ6kZfl5AA9s/T4t2GQafGaADOPX2ErICAcGckm7rWpOP5593W3tL j9EBgkxgl1U/mhr+stzEZdjD1w8xF1N2djfkG0IBqX2xaTlmjn/1uu3pYAU4x8uQ ypTJRfaaHogblpC7ICSw5sYbHLYOdN3yAm+TpgZQiWF7Vm76kOmOXmmgGl7VyCJT 2ILOQOpFTvW8n/Zfp3wCMjiJLGbah4Lszk6cbPAjVk2hjoj1ys+TcE8iL4gcPHT9 vGAPAxZwp1fakGBoazHZ7n+S3nQnx+ioC/9izUteSLdyOguqAOCiTbPcYLaao+FP ilrdST4ZPgV4wK98dXxvV3pGJSEIINu0gDKCFftZVuPL1PM3yVLgPdYnd3eNld0+ eP5uCBSam+Ma5g5Bmnb5ZdxtVitcjIUldis/hFRzOhOOjZm2Ac3ILPE3b26FDAku VpJYNIThod/lqIwm2BNW6jHbUnXBGAlabMdSaEFpVkLGNkoeHIFXfmIYViwRMFMQ mmIzyjLcFwP37u7wxB0JZHA5fnQzeur87C0xOudKnPr9Wsr29LXHl55uQrpmXZx5 uRrRaP/a8GPzFWXAcNKTchatggqdy+wq8gRARr70faSd0pQSR7it3agICuRiiVJO Es2+U5/n7j20hdpgwc6UF7cdkEopXXd7VGE/IfwrdZ41EyfGkXM= =LzZ7 -----END PGP SIGNATURE-----