-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-23_02.webgui                                     Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2023-02-15
Credits:        Yuya Chudo, N.F.Laboratories Inc.
CVE ID:         CVE-2022-37417
Affects:        pfSense Plus software versions <= 22.05
                pfSense CE software versions <= 2.6.0
Corrected:      2022-08-01 17:19:00 UTC (pfSense Plus master, 23.01)
                2022-08-17 20:06:07 UTC (pfSense Plus 22.05.x)
                2022-08-01 17:19:00 UTC (pfSense CE master, 2.7.0)
                2022-08-17 19:52:24 UTC (pfSense CE 2.6.0)

0.   Revision History

v1.1  2023-06-19 Updated with CE 2.7.0 release information
v1.0  2023-02-15 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A potential Cross-Site Scripting (XSS) vulnerability was found in
system_camanager.php and system_certmanager.php, components of the pfSense Plus
and pfSense CE software GUI.

In both cases, the page did not validate or sanitize the description of CA or
certificate entries when editing and saving existing entries. Existing
validation covered other actions. There are several places around the GUI which
display CA and Certificate descriptions without encoding.

This problem is present on pfSense Plus version 22.05, pfSense CE version
2.6.0, and earlier versions of both.

III. Impact

Due to the lack of proper encoding on the affected parameters susceptible to
XSS, arbitrary JavaScript could be executed in the user's browser. The user's
session cookie or other information from the session may be compromised.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 22.05.1 or later, or pfSense
CE software version 2.7.0 or later. This upgrade may be performed
in the web interface or from the console.

  See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 22.05 and pfSense CE version 2.6.0 may apply the
fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.

  See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                        Revision
- - -------------------------------------------------------------------------
plus/plus-master                   2fe0e0fab528be3e297ed14ddd9d9e73c99cc1c4
plus/plus-RELENG_22_05             bbc457ee85890bea21142a72a1e88050c5c71a39
pfSense/master                     2fe0e0fab528be3e297ed14ddd9d9e73c99cc1c4
pfSense/RELENG_2_6_0               7c54d26e60fe524df63277da77c07e995bc3b351
- - -------------------------------------------------------------------------

VII. References

<URL:https://redmine.pfsense.org/issues/13387>
<URL:https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html>
<URL:https://docs.netgate.com/pfsense/en/latest/development/system-patches.html>

The latest revision of this advisory is available at
<URL:https://docs.netgate.com/downloads/pfSense-SA-23_02.webgui.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmSQerQACgkQE7mH/ZIU
+Np8mRAAlnUghMt418P1tVdUd/FUsJPUuduyS+REn7P9ML8slDvb9rxrI5JErzQA
d9LB47m3i0mawkE+HXEolNgkt/P3zHY+pnk5TIrg9YTF3JC8+ww/II9QXhnJ6JQ5
fw1+e6n75gfAyvz5HDZm92RQUXa0rc9ElJW8pXG0K9Iovhr4/sKDQz6QPtOTgC6V
ixEnJRW+/Y9iQcrngPY9xp8DCDgOG2TCSzFy8n3uZHI0rpevwaH6OpOa4JMXGKzT
eZms7T3ltM+58mIZj7NKSr7k/f0u2QI19RdzzI3MAXoa6pviUg+mLwa62MY/DdYp
hBLjSB6CQD7Mcw8V8fNa4UMRha/X7Vliz9KJ+5Rtew4PXhXehA5FtDHm7whk9c8g
mXy8rnVvj5VkI1KQ0gudHA97hnXHpX0gL7sj+Y3jilVwZ7e2J/YXs+R+5lk544HC
EwY0GPbn9QKnwtNpquvVHcYxV66loH1UUL+N2GKaRmKZipUEsJy6qCGeUs4OQax2
2Bhj/jhW/bOc0IysufW8Qfs7RHV+MuCmIh7eYdqPVn4W8GKBsSWoGAX2gs/LJJ6N
ZKlozYRvk4xIqYtBEMDrrN/P5KCarxKPMigegq38TEz1uADxdqpYZx+PXaeUaweu
bXdHfjaQU/jKWAmaU18ZPJWeXoOIRcvsEEv6KpQP0LD4v1gJrmU=
=Ligq
-----END PGP SIGNATURE-----