-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-23_11.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Authenticated Command Execution in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2023-10-31
Credits:        Joint researchers (Byeongcheol Choi, Jinyong Lee, PWNLAB@KHU)
Affects:        pfSense Plus software versions <= 23.05.1
                pfSense CE software versions <= 2.7.0
Corrected:      2023-09-25 14:59:01 UTC (pfSense Plus master, 23.09)
                2023-09-25 14:59:01 UTC (pfSense CE master, 2.7.1)

0.   Revision History

v1.1  2023-11-16 Updated with CE 2.7.1 release information
v1.0  2023-10-31 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A potential authenticated arbitrary command execution vulnerability was found in
packet_capture.php, a component of the pfSense Plus and pfSense CE software GUI.

When performing a packet capture on packet_capture.php, the submitted POST
"count" or "length" values are not validated. Subsequently, the submitted values
are used in shell commands.

This problem is present on pfSense Plus version 23.05.1, pfSense CE version
2.7.0, and earlier versions of both.

III. Impact

Due to a lack of escaping on commands in the functions being called, it is
possible to execute arbitrary commands with a properly formatted submission
value for "count" or "length" in POST operations.

The user must be logged in and have sufficient privileges to access
either packet_capture.php.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.
* Do not log into the firewall with the same browser used for non-
  administrative web browsing.

V.   Solution

Users can upgrade to pfSense Plus software version 23.09 or later, or pfSense CE
software version 2.7.1 or later. This upgrade may be performed in the web
interface or from the console.

  See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the
fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.

  See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                        Revision
- - -------------------------------------------------------------------------
plus/plus-master                   f72618c4abb61ea6346938d0c93df9078736b775
pfSense/master                     f72618c4abb61ea6346938d0c93df9078736b775
- - -------------------------------------------------------------------------

VII. References

<URL:https://redmine.pfsense.org/issues/14809>
<URL:https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html>
<URL:https://docs.netgate.com/pfsense/en/latest/development/system-patches.html>

The latest revision of this advisory is available at
<URL:https://docs.netgate.com/downloads/pfSense-SA-23_11.webgui.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmVWgnEACgkQE7mH/ZIU
+NpF3BAA1dmzScj6U5R3+GFp8SuxLD4oSnLw9choSK6du8VNZiCyEgtZjEH1+x6K
HGXGs6gYsg/1703fOP3l+mHtEYpkLRuYaYylVNISTMT4n8ttVkNXGr2yGkYWbkvY
Hku5Q4j4AeR4MtY76MSoCrV7F4jkCYjGBNQ2ATR2AO7y1+wJDShcSUI2xLhwRE9l
Pni9aT78/J15405ybB8tddboW6vvDMQyXomXWJ31Oy8JbU9sQ0yv4YIJNU6RwTD9
iUCuDFzaD6/zSQYJOGa76iZYOdC++/RPXpvc/AuwrkUgYK2RN5/b6DpyfPqk1Afj
hhHa4IvuqF/H8JCVtwFhjanO08zuv4VWnefZ7kqnEqNTHoZDXj8JVpk5oVNRJymH
LZ1wCU/MJE1N1sLWh3B8K8TWCLylZzYUEG7yIX9Vjy6B3Ay2itmw2/kWQCG7P70k
aj4HqqiJUeekBWtzRNABs5Kxk70NwQlExNLUB8hxLVEcNQl1f2QT3nqmt2ADG5oL
x/iTp9QHmY51rFYJ4V08ImeKJNpOQRes3Wm1hAEmqCdibCXagXEWIgemAGVg+QQR
SQBCE5ajbRwP8uZ7I7nRyTaocwh8RCoiuPTMP49sSfz4beOWC91ozRX/GRGbbvd1
LqMLWXsqYc0chjay4Y+yxUnzP1BlRUPPQb4aD99g9wb3o1+Y6eY=
=Yzy9
-----END PGP SIGNATURE-----