=============================================================================
pfSense-SA-16_05.webgui                                    Security Advisory
                                                                     pfSense

Topic:          Arbitrary Code Execution

Category:       pfSense Base System
Module:         webgui
Announced:      2016-05-24
Credits:        Patrick Ungeheuer
Affects:        pfSense <= 2.3.1
Corrected:      2016-05-20 16:13:15 UTC (pfSense/master, pfSense 2.4)
                2016-05-20 16:13:49 UTC (pfSense/RELENG_2_3, pfSense 2.3.x)
                2016-05-20 16:13:53 UTC (pfSense/RELENG_2_3_1, pfSense 2.3.1_x)

0.   Revision History

v1.0  2016-05-24  Initial release

I.   Background

The pfSense® system is a free network firewall distribution based on the
FreeBSD operating system. The pfSense system includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

Command-injection vulnerabilities exist in diag_smart.php and
diag_routes.php. These allow authenticated WebGUI users who hold the
privileges for diag_smart.php or diag_routes.php to execute commands in the
context of the root user.

III. Impact

A user on pfSense version 2.3.1 or earlier who has been granted limited
access to the pfSense web configurator GUI, including access to
diag_smart.php and diag_routes.php via their associated privileges
("WebCfg - Diagnostics: S.M.A.R.T. Status" and "WebCfg - Diagnostics:
Routing Tables" respectively), could leverage these vulnerabilities to gain
increased privileges, read other files, execute commands, or perform other
alterations.

This is not relevant for admin-level users, as there are other deliberate
means by which an administrator could run commands.

IV.  Workaround

The issues can be mitigated by restricting access to the firewall GUI, both
with firewall rules and by not allowing untrusted users to have accounts
with GUI access, and by not granting untrusted administrators access to the
pages in question.

V.   Solution

Upgrade to pfSense 2.3.1_1. This may be performed in the web interface or
from the console. See https://doc.pfsense.org/index.php/Upgrade_Guide

VI.  Correction details

The following list contains the correction revision numbers for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master          335f1a8977cf0f711c712864379773e410e996a5
                        0e4e4251ebf09937e7069a94f5faef51bbe15fac
                        a3013ca688ce6e8b506fa2a5c6251f77778e39bc
pfSense/RELENG_2_3      1e5239d102e75d0df1f7a2e8a9988073f3fbad2f
                        5c4b89a468f608be63fc9aa05729e4a7f39ccd58
                        b1952073387c6cd48a32623260285df5d67e11ee
pfSense/RELENG_2_3_1    12563b0cb9496cce317f563a60cd7afcba2afd7a
                        2333d2a48293d4d5ffab335d1904586c69a050ee
                        94d882a03ddf128f7519e54a6c2322ef812590f2
-------------------------------------------------------------------------

VII. References

None.
The latest revision of this advisory is available at
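As an added illustration of the mitigation for the vulnerability class described in section II (this is not pfSense's own diag_smart.php code; the project's actual fixes are the commits listed in section VI), the following PHP handler shows the unsafe pattern beside a hardened one: the disk name is checked against an allowlist taken from the running system and then quoted with escapeshellarg before it reaches the shell. The smartctl and sysctl paths, the `device` parameter name and the FreeBSD device-name pattern are assumptions made for this example.

```php
<?php
// Constructed example: a hardened way to pass a user-supplied disk name
// from a web form to smartctl. Paths, parameter name and the device-name
// pattern are assumptions, not taken from pfSense.

// Unsafe pattern (what command injection looks like): the request value is
// spliced straight into a shell string, so shell metacharacters in it are
// interpreted by /bin/sh, which here runs as the web server's user (root on
// the affected pages).
//   $out = shell_exec("/usr/local/sbin/smartctl -a /dev/" . $_POST['device']);

// Allowlist source: only disks the kernel actually reports are acceptable.
function list_disks(): array {
    // On FreeBSD, `sysctl -n kern.disks` prints e.g. "ada0 da0" (assumption).
    $raw = (string) shell_exec('/sbin/sysctl -n kern.disks');
    return array_values(array_filter(explode(' ', trim($raw)), 'strlen'));
}

function validate_disk(string $device, array $allowed): ?string {
    // Syntactic check first: a disk name is letters followed by digits.
    if (!preg_match('/^[a-z]+[0-9]+$/', $device)) {
        return null;
    }
    // Semantic check: the name must match a disk the system knows about.
    return in_array($device, $allowed, true) ? $device : null;
}

function smart_status(string $device): string {
    $dev = validate_disk($device, list_disks());
    if ($dev === null) {
        // Reject rather than "clean up": the caller gets a fixed message and
        // nothing derived from the input reaches the shell.
        return 'Invalid device';
    }
    // Even after validation, quote the argument so the shell sees one word.
    $cmd = '/usr/local/sbin/smartctl -a ' . escapeshellarg('/dev/' . $dev);
    return (string) shell_exec($cmd);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: text/plain');
    echo smart_status((string) ($_POST['device'] ?? ''));
}
```

The allowlist is the part that matters: escapeshellarg alone stops the shell from interpreting the value, but it does not stop a user from naming a device (or a flag-like string) the page was never meant to accept.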