=============================================================================
pfSense-SA-22_03.webgui                                   Security Advisory
                                                                    pfSense

Topic:          Multiple vulnerabilities in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2022-01-13
Credits:        Yutaka WATANABE of Ierae Security, Inc. via JPCERT/CC
CVE ID:         CVE-2022-24299
Affects:        pfSense Plus software versions < 22.01
                pfSense CE software versions < 2.6.0
Corrected:      2022-01-14 17:24:32 UTC (pfSense Plus master)
                2022-01-17 17:45:31 UTC (pfSense Plus 22.01)
                2022-01-14 17:24:32 UTC (pfSense CE master)
                2022-01-17 17:45:31 UTC (pfSense CE 2.6.0)

0.   Revision History

v1.2  2022-03-08  Removed JVN ID, added CVE ID, updated solution information.
v1.1  2022-02-14  Fix Redmine link
v1.0  2022-01-13  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

The vpn_openvpn_server.php and vpn_openvpn_client.php pages in the pfSense
Plus and pfSense CE software GUI did not properly validate user input passed
via the data_ciphers parameter in certain cases. This problem is present on
pfSense Plus version 21.05.2, pfSense CE version 2.5.2, and earlier versions
of both.

When the client or server mode was set to p2p_shared_key, the GUI did not
validate user input in the data_ciphers parameter, but the backend code still
included the value of data_ciphers in the OpenVPN configuration. By passing
carefully crafted data including parameters which allow OpenVPN to execute
scripts, an attacker could execute arbitrary shell commands and read or write
arbitrary files.

NOTE: The Custom Options field on OpenVPN client and server configuration
pages also allows this type of action intentionally, but that field has a
separate privilege which can limit access to prevent users from altering its
contents.

III. Impact

An authenticated attacker with access to the affected page, even without
access to the Custom Options field, could execute arbitrary shell commands,
perform privilege escalation, information disclosure, denial of service, or
other negative outcomes.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

 * Limit access to the affected pages to trusted administrators only.

V.   Solution

Users can upgrade to pfSense Plus software version 22.01 or later when
available, or pfSense CE software version 2.6.0 or later. This upgrade may be
performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 21.05.2 or pfSense CE version 2.5.2 may apply
the fix from the recommended patches list in the System Patches package.
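The corrected behaviour the advisory describes is a validation step on data_ciphers that runs regardless of the selected mode, so that only recognised cipher names ever reach the generated OpenVPN configuration. The following Python sketch is an added example and not pfSense's own code (the GUI is written in PHP): the cipher allowlist, the function names and the mode strings other than p2p_shared_key are assumptions, and real pfSense derives its cipher list from OpenSSL at runtime.

```python
import re

# Constructed allowlist standing in for the cipher list pfSense derives from
# OpenSSL at runtime (assumption; the real list is longer).
ALLOWED_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305",
                   "AES-256-CBC", "AES-128-CBC"}

# A single cipher name: letters, digits and dashes only. fullmatch() is used so
# that trailing whitespace or newlines (which could smuggle extra directives
# into the config) can never slip past the check.
_CIPHER_TOKEN = re.compile(r"[A-Za-z0-9-]+")


def validate_data_ciphers(mode, ciphers):
    """Return the cleaned cipher list, or None if any entry is rejected.

    'mode' is accepted only to make the point that the check does not depend
    on it: the pre-fix GUI skipped validation when mode was p2p_shared_key
    while the backend still wrote the raw value into the OpenVPN config.
    """
    if not isinstance(ciphers, list) or not ciphers:
        return None
    cleaned = []
    for entry in ciphers:
        if not isinstance(entry, str) or not _CIPHER_TOKEN.fullmatch(entry):
            return None                      # malformed token
        if entry not in ALLOWED_CIPHERS:
            return None                      # not a known cipher name
        if entry not in cleaned:
            cleaned.append(entry)            # drop duplicates, keep order
    return cleaned


def render_data_ciphers_line(mode, ciphers):
    """Build the OpenVPN 'data-ciphers' line only from validated input."""
    cleaned = validate_data_ciphers(mode, ciphers)
    if cleaned is None:
        return None
    return "data-ciphers " + ":".join(cleaned)


# Shape of a well-formed data-ciphers line: the directive plus colon-separated
# cipher tokens and nothing else.
_LINE = re.compile(r"data-ciphers ([A-Za-z0-9-]+(?::[A-Za-z0-9-]+)*)")


def data_ciphers_line_is_clean(line):
    """Check one line of an existing generated config (e.g. when reviewing
    a release without the fix): exactly one directive, only known ciphers."""
    m = _LINE.fullmatch(line)
    return bool(m) and all(c in ALLOWED_CIPHERS for c in m.group(1).split(":"))
```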
Users may also manually apply the relevant revisions below using the System
Patches package on pfSense Plus version 21.05.2 or pfSense CE version 2.5.2
and possibly on earlier versions. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
plus/plus-master                  78ce96a9af3b2ab5159ef6623078bfc4b15f8a89
                                  ba815f3d219e5bdf404be859e723db2ff0c9258c
plus/plus-RELENG_22_01            68afc597b0545b57b605ae8200954b1b5a89bcad
                                  fae2f2d553f42479721db67fc4ff1ddb70caeffa
pfSense/master                    78ce96a9af3b2ab5159ef6623078bfc4b15f8a89
                                  ba815f3d219e5bdf404be859e723db2ff0c9258c
pfSense/RELENG_2_6_0              68afc597b0545b57b605ae8200954b1b5a89bcad
                                  fae2f2d553f42479721db67fc4ff1ddb70caeffa
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

VII. References

The latest revision of this advisory is available at