-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-20_05.webgui Security Advisory pfSense Topic: Authenticated Arbitrary File Read/Write in the WebGUI Category: pfSense Base System Module: webgui Announced: 2020-01-17 Credits: Loginsoft Ace Team - Security Research Affects: pfSense software versions <= 2.4.4-p3 Corrected: 2019-10-01 16:10:31 UTC (pfSense/master, pfSense 2.5.0) 2019-10-01 16:10:31 UTC (pfSense/RELENG_2_4_5, pfSense 2.4.5) 0. Revision History v1.0 2020-01-17 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description services_captiveportal.php did not fully validate custom logo and background image file uploads to ensure they contained image data. III. Impact An authenticated user granted access to services_captiveportal.php via their associated privileges, either directly or via group membership, could leverage this to execute arbitrary code, gain elevated privileges and make arbitrary changes to the firewall. IV. Workaround No workaround. To help mitigate the problem on older releases, use one or more of the following: * Do not give firewall administrators access to pages or functions which allow writing arbitrary files to the firewall. * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to version 2.4.5 or later. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users may also apply the relevant revisions below using the System Patches package on pfSense 2.4.4-p3. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- pfSense/master 09d597434c9ccb456c8f207649dbe43fd5ff85db pfSense/RELENG_2_4_5 ce5ea3c4bd8f1dcf5b0139b13eb569e917dae79a - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAl4l9PIACgkQE7mH/ZIU +Np9NQ//fRniSfgV8186YnqVrur+SXZPVMXmF/Wv30I8R/N9Rw10LLTjPjXIz5rS bCNsli9S6kCtoHJV2GnoS0jsQjhK+xtAuHqGOl3xVCf2I3cTzetbXvSgnzWQARlZ uJT655JgJzGcYk4xDDo23kTFhiAVov4ubrtqgKc8HHYdRQHEaaWp/uQqnTWuOaV8 Eiyjmfwe1vVYG7m/SuRrVyymFhLbN6rBGdzFgdaYKgUyfmceZVRHtTyKm84L9mTL pQUH+7Oz3W6PP9uxZlXb5x3Tzmym0/2l8juV+8yCI44XDK3/Ic43Lvh73x3kpWWq cXRspHY73gNb3ZhYUBX+yaUJ8Ogx1CGjG1PqI1/DZHqbAyvDZoGUuYPhsCTa7gac SIrTwnZg4fL0/sF9Bi+tboN3XxOFFGJFNKEw/Pw0+qoiLcHw0/ecDz7ts86mydy5 shbbPb7tqxXgCdgVujB3wrfkYGgHZBVoqma1EoZNXGww5EYIrH8TS6Ht3iW8g4x/ Bc5wL36sTij86G1W9VOmEfOvj3gxbiV0CdtzyPQo1IQF05QecfJSY78eNvErSaTe nia6fMZ/8Tei4d/hbvXLuSu/PVm31rejRZ1RzTQBEv7X27oyLuLUBlPkjm2MyoA5 UPj1cwpPS59UjwcQ4LjBiInJkaVqG+WRWDFlI1y9D0hYzDN3bUE= =UlRo -----END PGP SIGNATURE-----