-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-22_04.webgui                                   Security Advisory
                                                          pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2022-01-25
Credits:        Fabien MAISONNETTE (https://fr.linkedin.com/in/fabdotnet)
CVE ID:         CVE-2022-23993
Affects:        pfSense Plus software versions < 22.01
                pfSense CE software versions < 2.6.0
Corrected:      2022-01-25 13:38:21 UTC (pfSense Plus master)
                2022-01-25 13:51:24 UTC (pfSense Plus 22.01)
                2022-01-25 13:38:21 UTC (pfSense CE master)
                2022-01-25 13:51:24 UTC (pfSense CE 2.6.0)

0.   Revision History

v1.1  2022-03-08  Updated solution information
v1.0  2022-01-25  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in pkg.php, a component
of the pfSense Plus and pfSense CE software GUI.
This problem is present on pfSense Plus version 21.05.2, pfSense CE version
2.5.2, and earlier versions of both.

The page did not sanitize the contents of the pkg_filter parameter, nor did
it encode the output when it included the value of that parameter in the
page, leading to a possible XSS.

III.  Impact

Because pkg.php reflected the raw pkg_filter value into the page without
output encoding, arbitrary JavaScript could be executed in the browser of a
user who opens a crafted link while logged in to the GUI. The user's session
cookie or other information from the session may be compromised.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.

* Do not log into the firewall with the same browser used for
  non-administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 22.01 or later when
available, or pfSense CE software version 2.6.0 or later. This upgrade may
be performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 21.05.2 or pfSense CE version 2.5.2 may apply
the fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on pfSense Plus version 21.05.2 or pfSense CE version 2.5.2
and possibly on earlier versions. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.
Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                          5d82cce0d615a76b738798577a28a15803e59aeb
pfSense/RELENG_2_6_0                    a9bdbd97984ff2ddefbceb2fe062fbe3a1c42d88
plus/plus-master                        5d82cce0d615a76b738798577a28a15803e59aeb
plus/plus-RELENG_22_01                  a9bdbd97984ff2ddefbceb2fe062fbe3a1c42d88
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmInWhoACgkQE7mH/ZIU
+NoYQhAA3k8fWFWI3SVAFY9OPMMcU1HYwGLQix1BT2iYFxldIqwzT66k83k/MtTI
FaSlAGx7kDKQp0tLEWfqPDS94a9/YZSL84P1+0lmWK23fZKjK0MKdya5wZS75Yqq
SR5Ug0y/AOHe/07oowOON0+Ktqfq87ajKkrvA5xK9ZCOtZCPxh8OB6Ge+aFOVQZ7
FaDAshXSjkOUx99FhW5gxhn8hu00n9911uo275TxOY6qdWhp/AhW+3jJB4sFX36F
lf9ZJ2YECVWfHKjFieKIgXOZ6cXZOnxKF07S0JjwXc8IPocrOo3+Lik/+jgKK1EU
865OV4tuo0vme31AQrKcm5MJe9y1jBP/XKHbDKyWaW/POY5ixn5aeuDTMj33iYS0
VRISLf38URYv45fYSYUvo2FIat5MTjureQnTdfoJBOYIqDVvnCM22qozHgOj7S4P
N62wdl7yz3Y/q4Glod8F+Ldacv2fuOtLREnr4E1XaVIfuC2Mgb2wySng5hRb9kuY
invRvyHvFzVLAQ6H4znyyBu1VAAeR+YFpfzxty2I2IhfScw2RmcejirSUjpFo7A0
o9KjZ7GkcT2Tc+PQmi+dniZVurjREdXpAUjq41ZfeMHlr6ENNWs/U79xfEAMfrGI
WFN0CXASLNNQGt8KfO5Sq3y+C+0jSRB+w4GVZE8XdTJcV9F4K6I=
=ZQL1
-----END PGP SIGNATURE-----
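The bug class described in sections II and III, reduced to a minimal PHP page, as an added example appended after the signed advisory. It is not pfSense's pkg.php and not the fix in the commits listed in section VI; the page name filter_demo.php, the render_* and reflection_is_safe functions and the payload are constructed for illustration. The vulnerable function reflects a request parameter into an HTML attribute and into the page body unencoded, exactly the pattern the advisory describes for pkg_filter; the hardened function applies output encoding at every point of reflection.

```php
<?php
// Added illustration of the pkg_filter bug class described in this advisory.
// This is NOT pfSense's pkg.php and NOT the fix in the commits listed above;
// the page name, function names and payload are constructed for the example.

// Vulnerable pattern: the request parameter is dropped straight into an HTML
// attribute and into the page body with no sanitisation or output encoding.
// A value like "><script>...</script> closes the attribute and injects a tag.
function render_filter_vulnerable(string $filter): string
{
    return '<form method="get" action="filter_demo.php">'
         . '<input type="text" name="pkg_filter" value="' . $filter . '">'
         . '<button>Search</button></form>'
         . '<p>Packages matching: ' . $filter . '</p>';
}

// Hardened pattern: every reflection of the untrusted value goes through
// htmlspecialchars() with ENT_QUOTES, so &, <, >, " and ' become entities and
// the value can neither terminate the attribute nor open a tag. The browser
// still shows the original text to the user, so the search box keeps working.
function render_filter_fixed(string $filter): string
{
    $enc = htmlspecialchars($filter, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="get" action="filter_demo.php">'
         . '<input type="text" name="pkg_filter" value="' . $enc . '">'
         . '<button>Search</button></form>'
         . '<p>Packages matching: ' . $enc . '</p>';
}

// Check used below: an injected tag adds '<' characters beyond the ones the
// template itself emits, whatever the tag is called, so comparing the count
// of '<' in the empty-filter page with the count in the rendered page tells
// whether the reflection can introduce markup.
function reflection_is_safe(callable $render, string $payload): bool
{
    $templateTags = substr_count($render(''), '<');
    $renderedTags = substr_count($render($payload), '<');
    return $renderedTags === $templateTags;
}

if (PHP_SAPI === 'cli') {
    // Constructed payload of the kind an attacker would place in a link sent
    // to a logged-in administrator: closes value="..." and injects a script.
    $payload = '"><script>alert(document.cookie)</script>';

    echo "--- vulnerable rendering ---\n";
    echo render_filter_vulnerable($payload), "\n\n";

    echo "--- hardened rendering ---\n";
    echo render_filter_fixed($payload), "\n\n";

    echo "vulnerable output free of injected tags: ",
         reflection_is_safe('render_filter_vulnerable', $payload) ? "yes" : "NO", "\n";
    echo "hardened output free of injected tags:   ",
         reflection_is_safe('render_filter_fixed', $payload) ? "yes" : "NO", "\n";
} else {
    // Under a web server, serve only the hardened page with the real parameter.
    $filter = $_GET['pkg_filter'] ?? '';
    header('Content-Type: text/html; charset=UTF-8');
    echo '<!DOCTYPE html><html><body>', render_filter_fixed($filter), '</body></html>';
}
```

Run it with `php filter_demo.php` to see both renderings side by side. Two caveats a reviewer of the real fix would check: htmlspecialchars() is the right encoder only for HTML body text and quoted attribute values, so a value reflected into a JavaScript block, a URL, or an unquoted attribute needs a context-specific encoder instead; and encoding must be applied at every point where the value is emitted, not just the first one, since the same parameter is commonly echoed more than once on a page.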