=============================================================================
pfSense-SA-21_01.webgui                                     Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2021-03-03
Credits:        William Costa
CVE ID:         CVE-2021-27933
Affects:        pfSense CE software versions <= 2.5.0
                pfSense Plus software versions <= 21.02-p1
Corrected:      2021-03-03 19:14:04 UTC (pfSense CE 2.6.0)
                2021-03-03 19:15:33 UTC (pfSense CE 2.5.1)
                2021-03-03 19:14:04 UTC (pfSense Plus 21.05)
                2021-03-03 19:15:33 UTC (pfSense Plus 21.02.2)

0.   Revision History

v1.1  2021-04-27  Added CVE ID
v1.0  2021-03-18  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and provides
most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A stored Cross-Site Scripting (XSS) vulnerability was found in
services_wol.php, a component of the pfSense CE and pfSense Plus software
WebGUI, on pfSense CE version 2.5.0, pfSense Plus version 21.02-p1, and
earlier versions of both.

The page did not validate the contents of the Description field for Wake on
LAN entries, nor did it encode the output when using the "Wake All Devices"
function which prints this value, leading to a possible XSS.

III. Impact

Due to the lack of proper encoding on the affected parameters susceptible to
XSS, arbitrary JavaScript could be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Users can upgrade to pfSense CE software version 2.5.1 or later, or pfSense
Plus software version 21.02.2 or later. This upgrade may be performed in the
web interface or from the console.

See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users may also apply the relevant revisions below using the System Patches
package on pfSense CE version 2.5.0, pfSense Plus version 21.02-p1.

See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                   2e94828cd021a8f0fd1a89475f6e0f4bb2f5805f
pfSense/RELENG_2_5_1             ae3d339719484be1011aecc9e81896c6d837cdb9
plus/plus-master                 2e94828cd021a8f0fd1a89475f6e0f4bb2f5805f
plus/plus-RELENG_21_02_2         ae3d339719484be1011aecc9e81896c6d837cdb9
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
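
The two gaps named in the Problem Description (no validation of the Description field on save, no encoding when the value is printed) can be shown side by side in PHP. This is an added illustration, not pfSense source code or the referenced commits; the function names, the rejected character set and the sample entry are hypothetical.

```php
<?php
// Added illustration; not pfSense source. All names below are hypothetical.

/** Before: the stored description is placed into the HTML response as-is. */
function wake_message_unsafe(array $entry): string
{
    return sprintf('Sent magic packet to %s (%s).', $entry['mac'], $entry['descr']);
}

/** After: every stored value is HTML-encoded at the point of output. */
function wake_message_safe(array $entry): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return sprintf('Sent magic packet to %s (%s).', $enc($entry['mac']), $enc($entry['descr']));
}

/** Input-side check run when an entry is saved; returns a list of errors. */
function validate_wol_entry(array $entry): array
{
    $errors = [];
    if (!preg_match('/^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$/', $entry['mac'] ?? '')) {
        $errors[] = 'A valid MAC address must be specified.';
    }
    // Assumed policy for this sketch: reject HTML metacharacters outright.
    if (preg_match('/[<>"\']/', $entry['descr'] ?? '')) {
        $errors[] = 'The description contains characters that are not allowed.';
    }
    return $errors;
}

// Constructed sample entry with markup in the Description field.
$entry = ['mac' => '00:11:22:33:44:55', 'descr' => '<script>alert(1)</script>'];

echo wake_message_unsafe($entry), PHP_EOL; // markup would reach the browser intact
echo wake_message_safe($entry), PHP_EOL;   // markup is emitted as inert text
print_r(validate_wol_entry($entry));       // entry is rejected at save time
```

Output encoding is the control that closes the hole even for values already stored before validation was added; the save-time check only keeps new bad values out of the configuration.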