-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-23_04.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Authenticated Command Execution in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2023-02-15
Credits:        yelang123 of stealien
Affects:        pfSense Plus software versions <= 22.05
                pfSense CE software versions <= 2.6.0
Corrected:      2022-08-17 19:26:48 UTC (pfSense Plus master, 23.01)
                2022-08-17 20:06:09 UTC (pfSense Plus 22.05)
                2022-08-17 19:26:48 UTC (pfSense CE master, 2.7.0)
                2022-08-17 19:52:37 UTC (pfSense CE 2.6.0)

0.   Revision History

v1.1  2023-06-19 Updated with CE 2.7.0 release information
v1.0  2023-02-15 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A potential authenticated arbitrary command execution vulnerability was found in
status.php, a component of the pfSense Plus and pfSense CE software GUI.

If there is a file named '/tmp/rules.packages.|<command>|.txt', then when an
authenticated GUI user loads status.php, the GUI executes '<command>'.

This problem is present on pfSense Plus version 22.05.1, pfSense CE version
2.6.0, and earlier versions of both.

III. Impact

In combination with another bug that lets users write arbitrary files, a user
with sufficient privileges to access status.php could run a command directly or
trick another administrator with privileges into running a command.

The commands which work here are of limited use as other characters which might
make it more useful also make it fail to trigger. Furthermore, status.php is not
linked in the GUI and is typically only run under direction of TAC, so
opportunity for exploitation is fairly low.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Do not allow users access to pages or mechanisms which grant them the ability
  to create files with arbitrary names.
* Do not load status.php without first ensuring that the problematic files do
  not exist and that no other users are currently logged into the firewall.

V.   Solution

Users can upgrade to pfSense Plus software version 22.05.1 or later, or pfSense
CE software version 2.7.0 or later. This upgrade may be performed in the web
interface or from the console.

  See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 22.05 and pfSense CE version 2.6.0 may apply the
fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.

  See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                        Revision
- - -------------------------------------------------------------------------
plus/plus-master                   4d9dd165e471394bb2ca520d56f8d8f9a82bb99a
plus/plus-RELENG_22_05             ac50cfa84188288776f0f6307b7f28c12c081c45
pfSense/master                     4d9dd165e471394bb2ca520d56f8d8f9a82bb99a
pfSense/RELENG_2_6_0               22f7276c167210f644cf586704ec21da22002bb2
- - -------------------------------------------------------------------------

VII. References

<URL:https://redmine.pfsense.org/issues/13426>
<URL:https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html>
<URL:https://docs.netgate.com/pfsense/en/latest/development/system-patches.html>

The latest revision of this advisory is available at
<URL:https://docs.netgate.com/downloads/pfSense-SA-23_04.webgui.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmSQer0ACgkQE7mH/ZIU
+NoyLQ/+IF+do8VYETSif+U1rFJ47bCWf5HES11L2V9wpX2HvMi7JX7cKGlykUvj
FbwET1iFaOwQEhJpvBYihsvZmSvWoocaP17310uDQzpPcvHleylByzwoOL9PyygF
RuoFUu7TMBKG7w+oLBbbzoyvES1Ki7+//jiZE+MPDFjPm4IUYzXnA84oSgMOQc9R
tTUbiJOaNnoGUao8D8z58rtp62Sx1pmZK+WxrRo8tIxJs37rCj89bRdivHsjFqby
Pg2kHPvPFYNrJVVqxc+PX1A4oYVHiT+Q6AcBMtKjWzFd3a5gV18A/foFMa6KWw9c
kr2cbpZaiAPbMvsxZTLthn8/IkFPU6KU/4Dj9CMWBqqj0m3odGNk4/E2mt69Iyqq
kn5fw6VVKVnzTIpmRtyvz9HebQoSokSVi0947XbpRSJFKUM4atL7qyQ2ZyJYTBg8
KuGjDhgJjmjrQpANbTjEBH8qiXRDSlS33DdjZrtzTp0y0LYJa45ItJHgZofBs5MD
K0asero2TMlm48fvycWho5bTLcExEDNNhUb4rTtvovexkZQlDq2/tpqbjSsqgKnh
sfLIp8IWnCr0Dub5zbqDujGEPD6bY6QOBI/hsTY3JeV+0tTPq4GyXwqTUyU6hXI3
rM7oCw+1a/Lr5rf+F7pneGc17s5NRC9UCq1TCMfoGJy+vPdtNs4=
=OZ32
-----END PGP SIGNATURE-----