-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-23_10.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Authenticated Command Execution in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2023-10-31
Credits:        Oskar Zeino-Mahmalat (Sonar)
CVE ID:         CVE-2023-42326
Affects:        pfSense Plus software versions <= 23.05.1
                pfSense CE software versions <= 2.7.0
Corrected:      2023-07-05 19:31:30 UTC (pfSense Plus master, 23.09)
                2023-07-05 19:31:30 UTC (pfSense CE master, 2.7.1)

0.   Revision History

v1.1  2023-11-16 Updated with CE 2.7.1 release information
v1.0  2023-10-31 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A potential authenticated arbitrary command execution vulnerability was found in
interfaces_gif_edit.php and interfaces_gre_edit.php, components of the pfSense
Plus and pfSense CE software GUI.

When creating or editing a GIF interface on interfaces_gif_edit.php or a GRE
interface on interfaces_gre_edit.php, the submitted POST "gifif" or "greif"
value is not validated. Subsequently, the value is passed to another
function where the submitted value is used in shell commands.

This problem is present on pfSense Plus version 23.05.1, pfSense CE version
2.7.0, and earlier versions of both.

III. Impact

Due to a lack of escaping on commands in the functions being called, it is
possible to execute arbitrary commands with a properly formatted submission
value for "gifif" or "greif" in POST operations.

The user must be logged in and have sufficient privileges to access
either interfaces_gif_edit.php or interfaces_gre_edit.php.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 23.09 or later, or pfSense CE
software version 2.7.1 or later. This upgrade may be performed in the web
interface or from the console.

  See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the
fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.

  See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                        Revision
- - -------------------------------------------------------------------------
plus/plus-master                   d69d6c8424ab4299234fb5ec6964682e2e6cbcdd
pfSense/master                     d69d6c8424ab4299234fb5ec6964682e2e6cbcdd
- - -------------------------------------------------------------------------

VII. References

<URL:https://redmine.pfsense.org/issues/14549>
<URL:https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html>
<URL:https://docs.netgate.com/pfsense/en/latest/development/system-patches.html>

The latest revision of this advisory is available at
<URL:https://docs.netgate.com/downloads/pfSense-SA-23_10.webgui.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmVWgnAACgkQE7mH/ZIU
+NrEog/9Gae75bLYRYokr/B2G431OsMlaF+xZ+VR7PyruzxbuZ3/inqiVNsAsBgl
rK3WzGbiqalKXKC7iqcqzMQDS/Mhgl18SPBgxkXeEKrq4zCxVxwZuakEostTo4se
X5eUKvfbGedLeEUEmqlzxTmXm7mPngXiVRmmRGyyQZrz1xJVxInqYOZNCtaTa5wa
jLAEKNQKyauA8ItjxnKeqvg7O4cxW0ruIRTivO7IwIUHPT2tvlHd15OGVD5m44tr
sYsJzRqydiGRjf2Fjb+kUD1U0zHJjFOCZ03Ac1u56byeA0hBhvI81hCGeL+rK4S+
vB258NOOfxqL+BFR72jD+0IWdEyW8DTDvu25vYWUzwzRJ9Btnrd2+S4P8fwiChmv
NwtfFmsm0Vyv7FpKsX1BUgDRyeePGzZVVolWA8LG7fdKaITxQGeLKAt5RAe/jgEl
GXgCCUxtcuEZ1Faqyzpqf4/pY3ugCIxZGwzydva1+Eni3cf0AM8qmMI/INQZPBrn
aoKHtAL55AFgahFLkgZ2EwHXqwnPVzDaXfvqIHdwdS/BSAhwc+aBrIXDBfXO4tN4
z5qs1Bv5XzYX1eMlPWUW2aVlyDYx8CJDU9yYPYDtSHZW/uZ/XyhBwDvs32HircOr
GrRU9yrw5TrdfVf1RGAjtrumtngKzAFSc3T6D3u4GiOrP+E00Zc=
=0PNL
-----END PGP SIGNATURE-----