-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-20_04.webgui Security Advisory pfSense Topic: Authenticated Arbitrary File Read/Write in the WebGUI Category: pfSense Base System Module: webgui Announced: 2020-01-17 Credits: Separate reports from LoRexxar @ knownsec 404Team & Loginsoft Ace Team - Security Research Affects: pfSense software versions <= 2.4.4-p3 Corrected: 2019-09-06 16:59:14 UTC (pfSense/master, pfSense 2.5.0) 2019-09-06 16:59:14 UTC (pfSense/RELENG_2_4_5, pfSense 2.4.5) CVE ID: CVE-2019-16915 0. Revision History v1.0 2020-01-17 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description The Picture Widget (picture.widget.php) widgetkey parameter accepted relative paths, which allowed for directory traversal. The file upload content was also not fully validated to ensure that it contained image data. III. Impact These issues, when combined, allowed an attacker to upload a PHP file with image headers to an arbitrary location. The uploaded file could then be executed or otherwise processed in unexpected ways. An authenticated user granted access to the picture widget via their associated privileges, either directly or via group membership, could leverage these flaws to execute arbitrary code, gain elevated privileges and make arbitrary changes to the firewall. IV. Workaround Delete /usr/local/www/widgets/widgets/picture.widget.php and/or remove the associated privileges from untrusted administrators. V. Solution Users can upgrade to version 2.4.5 or later. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users may also apply the relevant revisions below using the System Patches package on pfSense 2.4.4-p3. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master 2c544ac61ce98f716d50b8e5961d7dfba66804b5 42839d824d51cad3a8a55fccb2dc96368568ce8e pfSense/RELENG_2_4_5 e0bd07fdae37d92427eda1c429569fcc1cc27185 ac9e8f8b893bc3f298a007bc2a362c1fff36fb61 - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAl6YpwcACgkQE7mH/ZIU +NoRmhAAke1FMBqArimWKVm+0WyYwKFmkux3CwLsHEAo7eoSuRJT6PAfMW8pmIQl KdEt2NlzwB7v1J0glSdajYsyytMlW3fZxsGRqxJqQL8izrJ/XgW1L7aF9OQ65v88 JSD28/5GbetqCQ3Uk0mWMtYtWbeoAGjMdkBZYa2gYO0PNvxm57XRsszBiKTa8I/e 9F0KJjHGLSIoafMv0zgtUdlATvfJ/MfZ1D4tuXlPRJCH2Atw6LC0V2GToL2LKojP o+qgmCJyAKrNHVaXkX0oxJiGQpSJm/pppd0WR9V12oC01IpHV1PnVpPgz6UAehs5 C0lAFE/ejYM3J9kgXqrnjx1f1owBKHBKAyA4zhILlaQx2Dvaz/jTaBtopi+5EJ8c 93bDumJHh9wVAct4sW5kEsv+CPPBfLv80vMkMEXL4sFqs8x8o6Rvh9Iawyg5ymyp PzYiZMKg+vjCoanBDxcTH/9ed30nrC7gghswqimVppCKqfhncV60d0BRMNMGz+JX Z4tifL0UVCDrmU78lltjUZilPKj7ttt3gAEPO/Nqgd9Lo1XTr5/yflxV/530M81U 9JVAd+2Myi+V6fxT3zcRlCMALDcMjpU4A9D++ejps2SM7shsEeqRc1M9N9YZZ4DM Iitg/LEeWsmByvW3s3lriY5Rpd+B4ubODiVUuVwQ/XUDHiOPM7E= =rdRH -----END PGP SIGNATURE-----