-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
pfSense-SA-14_15.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Multiple Command Injection Vulnerabilities in the pfSense
                WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2014-08-08
Credits:        Stefan Horlacher, Arcus Security GmbH
Affects:        pfSense <= 2.1.4
Corrected:      2014-08-06 19:26:41 UTC (pfsense/master)
                2014-08-06 19:26:41 UTC (pfsense/RELENG_2_1, pfSense 2.1.5)
CVE Name:       CVE-2014-6305

0.   Revision History

v1.0  2014-08-08 Initial release.
v1.1  2015-06-01 Added CVE ID.

I.   Background

pfSense is a free network firewall distribution. pfSense is based on the
FreeBSD operating system with a custom kernel and other changes. pfSense
includes third-party free software packages for additional functionality.
pfSense provides most of the functionality of common commercial firewalls,
and much more.

pfSense includes a web interface for the configuration of all included
components. Knowledge of FreeBSD is not necessary. Unlike similar
GNU/Linux-based firewall distributions, there is no need for any UNIX
knowledge. The command line is never used, and there is no need to ever
manually edit any rule sets. The majority of pfSense users have never
installed or used a stock FreeBSD system.

Users familiar with commercial firewalls will quickly understand the web
interface. Users unfamiliar with commercial-grade firewalls may encounter a
short learning curve.

II.  Problem Description

Multiple Command Injection vulnerabilities were discovered in the pfSense
WebGUI during a security audit.

  * Command Injection in diag_testport.php
  * Command Injection in services_dnsmasq.php

III. Impact

A user granted limited access to the pfSense WebGUI including access to
affected pages can leverage these vulnerabilities to gain increased
privileges, read arbitrary files, execute commands, or perform other
alterations.
The srcport value passed via POST on diag_testport.php is not properly
validated or sanitized. A specially-crafted string sent as the "srcport"
value can trigger the vulnerability.

The advanced options on the services_dnsmasq.php page are passed to dnsmasq
as command line parameters and they are not properly validated or
sanitized. A specially crafted string sent as the "custom_options" value can
trigger the vulnerability.

IV.  Workaround

No workaround is available. Upgrade to pfSense 2.1.5 or later which
includes fixes for these issues.

The issues may be mitigated by restricting access to the firewall GUI both
with firewall rules and by not allowing untrusted users to have accounts
with GUI access. Restrict GUI users such that they do not have access to
these pages.

The risk of such attacks being triggered remotely may also be lowered by
not using the same browser session for firewall management and general web
browsing.

V.   Solution

Upgrade to pfSense 2.1.5 upon its release. This may be performed in the web
interface or from the console.

See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
- - -------------------------------------------------------------------------
pfSense/master           46d3f6a6362e15e188b77d9992f59a9ff3afe781
                         071f6059996bdb9d9d0a68082a14dc71c0fbabe6
pfSense/RELENG_2_1       1de3a5dd51259be93371d6106f9f2ea689814d28
                         52c67bc2d2681b79e6f46979c62367c3af8602b7
- - -------------------------------------------------------------------------

VII. References

None.
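Added example, not pfSense's own code and not the contents of diag_testport.php or services_dnsmasq.php: the following PHP illustrates the defect class described in sections II and III (a POST value reaching a shell command line without validation) next to the defensive pattern a WebGUI page should apply, namely strict validation of the port number and of each free-form option line before every value is quoted as a single shell argument with escapeshellarg(). The command line, the function names, the target address and the allowed option character set are hypothetical stand-ins.

```php
<?php
// Added example (not pfSense code). Field names, the nc command line and the
// option character set below are hypothetical; they only model the defect
// class in the advisory (unvalidated POST data reaching a shell command).

// Strict port validation: a decimal integer without leading zeros in 1..65535.
// Returns the port as an int, or null when the input is not acceptable.
function validate_port($value): ?int {
    if (!is_string($value) && !is_int($value)) {
        return null;
    }
    $s = (string)$value;
    if (!preg_match('/^[1-9][0-9]{0,4}$/', $s)) {
        return null;
    }
    $port = (int)$s;
    return ($port <= 65535) ? $port : null;
}

// Vulnerable pattern (the shape the advisory describes): the raw request
// value is interpolated into a command line, so shell metacharacters in it
// are interpreted by the shell that runs the command.
function build_command_unsafe(string $srcport): string {
    return "/usr/bin/nc -p " . $srcport . " 192.0.2.1 80";   // hypothetical command
}

// Hardened pattern: validate first, then quote every argument so the shell
// never interprets the value. Returns null when the request must be rejected.
function build_command_safe($srcport): ?string {
    $port = validate_port($srcport);
    if ($port === null) {
        return null;   // caller reports an input error; no command is built
    }
    return "/usr/bin/nc -p " . escapeshellarg((string)$port) . " 192.0.2.1 80";
}

// Free-form "custom options" destined for a daemon's command line: accept
// only an explicit allow-list of characters per line and quote each line as
// one argument. The allow-list is a hypothetical choice for this example.
function sanitize_custom_options(string $raw): ?array {
    $opts = [];
    foreach (preg_split('/\R/', trim($raw)) as $line) {
        $line = trim($line);
        if ($line === '') {
            continue;
        }
        if (!preg_match('#^[A-Za-z0-9=\-_./:,@]+$#', $line)) {
            return null;   // refuse the whole submission on any unexpected character
        }
        $opts[] = escapeshellarg($line);
    }
    return $opts;
}

// Constructed sample inputs: one well-formed port, one string that is not a
// port, and an option block whose second line carries a disallowed character.
foreach (["8080", "8080 extra", "70000"] as $input) {
    $cmd = build_command_safe($input);
    echo str_pad(var_export($input, true), 14), " -> ",
         ($cmd === null ? "rejected" : $cmd), PHP_EOL;
}
var_dump(sanitize_custom_options("domain-needed\nbogus-priv"));
var_dump(sanitize_custom_options("domain-needed\nlog-facility=/tmp/x y"));
```

The design point is the order of operations: the value is reduced to a known-good type or character set before it is ever concatenated, and quoting is applied on top of that rather than instead of it. Rejecting the whole submission on the first unexpected character keeps the failure visible to the user instead of silently dropping part of their input.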
The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVbGriAAoJEBO5h/2SFPja6ocP/RP5VyBMKlxYvDEJgl8QCuoV
0bISpYSKEufoBKo7Tu7cwCNXuZaoM7NHHVFJr4e0m8j+JgNRDLjpXob1aElL5zEp
DNb7rHVOS5xRni8lAMBrpLARf2wkNfZIgJ8z833GSDVshmopuC4jvv32atmrrRQo
VNLqBtQE8eYkK6GLvek2UCURj2DUPnSoYlkmYe5+W0zBQfZds3OcLvAtF2P8ULdO
VY9d/vZBlwojVAY47L/k1bEocqz73PXMnZzCkHEs0dMxHEp8IX9cLh/HeUNV2pD6
qgm7x7wjSQ55XrsxkpJr44/wpKW6V1d7QqXdX/4HDNoBunJlbX6t2KJ64+GdWZ+N
cjZGRNVr3zz+p819T3lp5c/I9NW7KcDzpkGU45gASsy9yM2UypEdlHIVBFEyHZ/r
ggPZrT+uUPCjiV+jYwYoxqk4w7BaN/DaeeRWl5GvPrDFl1y5hyg12SnwStc6Nz15
gN2HDvZy9xLEBmAzHy6Fuy5Y9fslnlWLgoc29BZNOkZrmaSqPl1cbU6P3Wy67HUP
ClII5DqeoMSWr4GabyvaymQRFt+LVrN/9Wwptrt493Mql74Q9FlWluxbzARE9hxy
W5fiLUuT26kDJKzGKXAFsr6Egy43RjIrPwTEM056OL+cBDEKgK86xJygqU2hF5Kj
mycHUvIYgR19RIhU6tKK
=4HIp
-----END PGP SIGNATURE-----