-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-22_02.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Multiple vulnerabilities in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2022-01-12
Credits:        Abdel Adim 'smaury' Oisfi of Shielder (https://www.shielder.it)
CVE ID:         CVE-2021-41282
Affects:        pfSense CE software versions < 2.6.0
                pfSense Plus software versions < 22.01
Corrected:      2021-08-18 20:11:11 UTC (pfSense CE 2.6.0)
                2021-08-18 20:11:11 UTC (pfSense Plus 22.01)

0.   Revision History

v1.1  2022-03-08  Updated solution information
v1.0  2022-01-12  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

The diag_routes.php page in the pfSense CE and pfSense Plus software WebGUI
contains multiple vulnerabilities resulting from passing arbitrary user input
in the filter parameter as a pattern to the sed command.
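The following shell snippet is an added illustration of the bug class named
above; it is example code written for this page, not the diag_routes.php
code from pfSense and not the fix the project shipped. The routing-table
sample is constructed, filter_routes_vuln is an assumed reconstruction of the
vulnerable shape (shell-quoting the filter, as escapeshellarg() does, then
splicing it into a sed script as a regex), and filter_routes_fixed shows one
possible hardening (a fixed-string match, so the filter is never interpreted
by sed at all). The demonstration uses sed's `w` command because `r` and `w`
exist in every POSIX sed; `e`, which runs a shell command, is a GNU sed
extension.

```shell
#!/bin/sh
# Constructed routing-table sample standing in for the netstat output that
# the page filters (assumption: not real pfSense output).
ROUTES='default            192.0.2.1          UGS         em0
10.0.0.0/24        link#1             U           em0
192.0.2.0/24       link#2             U           em1'

# Vulnerable shape (assumed reconstruction, not pfSense's code): the filter
# is double-quoted, so the shell never interprets it (the protection that
# escapeshellarg() gave), but it is spliced into the sed script as a regex,
# so sed still interprets everything in it, including sed commands.
filter_routes_vuln() {
    printf '%s\n' "$ROUTES" | sed -n "/$1/p"
}

# Hardened replacement: fixed-string match. The filter is data, never a
# pattern or a script, so no sed command can be smuggled in. -e lets a
# filter beginning with '-' through without being read as an option.
filter_routes_fixed() {
    printf '%s\n' "$ROUTES" | grep -F -e "$1"
}

# Attacker-controlled filter: closes the regex early, appends a sed `w`
# command that writes matching lines to a file of the attacker's choosing,
# and starts a new script line so the trailing `/p` does not become part of
# the file name. Argument: the path the attacker wants written.
evil_filter() {
    printf '10.0.0/w %s\n/10.0.0' "$1"
}
```

To see the difference, pick a scratch path, build the filter with
`evil_filter "$path"`, and pass it to both functions: the vulnerable one
creates the file and writes the matching route line into it, the fixed one
creates nothing and simply matches no route.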
These problems are present on pfSense CE version 2.5.2, pfSense Plus version
21.05.2, and earlier versions of both.

The input passed to sed from the filter parameter was escaped to prevent
direct injection of shell commands, but commands internal to sed scripts
were still possible (e.g. 'e', 'r', 'w'). By passing patterns to sed
containing internal sed command directives, the attacker could execute shell
commands and read or write arbitrary files.

III. Impact

An authenticated attacker with access to the affected page could execute
arbitrary shell commands, escalate privileges, disclose information, cause a
denial of service, or cause other negative outcomes.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.

V.   Solution

Users can upgrade to pfSense CE software version 2.6.0 or later when
available, or pfSense Plus software version 22.01 or later. This upgrade may
be performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 21.05.2 or pfSense CE version 2.5.2 may apply
the fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on pfSense Plus version 21.05.2 or pfSense CE version 2.5.2,
and possibly on earlier versions. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.
Branch/path                                                         Revision
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pfSense/master                      72ea2b69cc111d4bc8ebf1ccf1e1529923c5b88a
                                    57a737f172b7baaa6ae0f23e8aef2f93ad851054
                                    8cd3f92f2443a6f0e4b7964a9532f761f808a0c6
                                    cf757a8094762ede47861fc073eaba06355c6bfc
plus/plus-master                    72ea2b69cc111d4bc8ebf1ccf1e1529923c5b88a
                                    57a737f172b7baaa6ae0f23e8aef2f93ad851054
                                    8cd3f92f2443a6f0e4b7964a9532f761f808a0c6
                                    cf757a8094762ede47861fc073eaba06355c6bfc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmInWRoACgkQE7mH/ZIU
+NoWiRAAx+PqZzQa/TUCezAkiNvFTMrVtzBG11ggqUxvS9XdXK5kkTftLKeFDOnD
zEI32xYPuCM6RlERZQfFmyCF5MAaz2Qcp4gs48dDkLHALrsfNbez/DoQoXGoGoRj
TJV+c9KOJ/04YDhFGI+ZJN6ESOFh16gLPHiavg2aLT5aSvOMgap16ySbx+pXUqYF
ZDVi1rokFpXXZRDVZJC/13SjejgON3COOMFIP3v3n2fOylh/wSFTRdoiTFs0+sji
VQ7E+BfCd9RitPBWaaGybCoS0ATni7L6KarCf7DbsW4w9b/GewkLmqe5ra083JT9
o1tNIbkDNBQG45W4K1lIWW8hJDw1DIVfIfwgUdhWAsL67LJbHSH5qTU75qWB3rV1
gvpIfQqcTYL6Qz/U92YyjO6HqY8AATRrRbjSU4IanH4CAiE63HoS/ljFl4GSKRO6
7eOx2mqu/Mz6GlY+I4RN5kHmEihSGtHiMDtaeQ8YPvO5UrGpcHO7oIbBRCSrNGVA
U6OM2ywQTOFwV6StFP1tvItTdrqzDt1WCBEJe2CZQdQXNB5vbT+ODO5XjuVM1gWP
cdnsFKNh7Ce5ugZ0G1u4ct2fyzHOdsZtzSH05gsLaEotQKAVQwjJS+ayRlLgv9WV
/LNyteaGqiUDIT+fn+sPvCFt9ogBC8JQT2Ro3bxOFY+0671tR9E=
=dPLl
-----END PGP SIGNATURE-----