-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-21_02.captiveportal                              Security Advisory
                                                                      pfSense

Topic:          XSS vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2021-04-22
Credits:        Yutaka WATANABE of Ierae Security Inc. via JPCERT/CC
CVE ID:         CVE-2021-20729
Affects:        pfSense CE software versions <= 2.5.2
                pfSense Plus software versions <= 21.05
Corrected:      2021-07-20 16:22:34 UTC (pfSense CE 2.6.0)
                2021-07-20 16:22:34 UTC (pfSense Plus 2.5.x)
                2021-07-20 16:24:45 UTC (pfSense Plus 21.09)
                2021-07-20 16:36:29 UTC (pfSense Plus 21.05.x)

0.   Revision History

     v1.2  2022-03-08  Updated SA URL, updated solution information.
     v1.1  2021-08-05  Updated SA with additional correction information
     v1.0  2021-05-24  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the FreeBSD
operating system. The pfSense software distribution includes third-party free
software packages for additional functionality, and provides most of the
functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is
no need for any UNIX knowledge. The command line is never used, and there is no
need to ever manually edit any rule sets. Instead, pfSense software includes a
web interface for the configuration of all included components. Users familiar
with commercial firewalls will quickly understand the web interface, while
those unfamiliar with commercial-grade firewalls may encounter a short learning
curve.

II.  Problem Description

A Cross-Site Scripting (XSS) vulnerability was found in Captive Portal, a
component of pfSense CE and pfSense Plus software, on pfSense CE version 2.5.2,
pfSense Plus version 21.05, and earlier versions of both. Additional
corrections were necessary beyond those initially made for pfSense CE version
2.5.2 and pfSense Plus version 21.05.

The Captive Portal page presented to clients at login did not validate the
contents of the redirurl field, nor did it encode the output when passed an
arbitrary value, leading to a possible XSS.

III. Impact

If a logged-in captive portal user visits a manually crafted URL for the
Captive Portal login page which contains a malicious value for redirurl, and
then follows the resulting link, it could lead to arbitrary JavaScript code
being executed in their browser. This is possible due to the lack of proper
encoding on the affected parameters susceptible to XSS. The user's session
cookie or other information from the session may be compromised.

Note that this has no effect on the security of the firewall or Captive Portal
system itself, as this only applies to Captive Portal user sessions and the
client web browser. The Captive Portal login session itself is restricted by IP
address and, by default, also by MAC address. Thus the user's Captive Portal
login session could not be compromised via JavaScript, but there may be other
client and/or browser-specific concerns.

IV.  Workaround

None.

V.   Solution

Users can upgrade to pfSense CE software version 2.6.0 or later when
available, or pfSense Plus software version 21.05.1 or later. This upgrade may
be performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense CE version 2.5.2 may apply the fix from the recommended
patches list in the System Patches package.
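The two defects named in section II (no validation of the redirurl value, and no output encoding when it is written back into the login page) are the general pattern behind reflected XSS in redirect parameters. The following is an added illustration, not pfSense code and not the project's fix: a hypothetical validate_redirurl() that only accepts a local path or an http/https URL, and a hypothetical render_login_form() that HTML-encodes the value before placing it in an attribute, so that a crafted value falls back to a safe default and a legitimate value containing quotes cannot break out of the attribute.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical policy for this example: only plain http/https targets or
# local absolute paths are acceptable post-login redirect destinations.
ALLOWED_SCHEMES = {"http", "https"}


def validate_redirurl(value: str, max_len: int = 2048) -> Optional[str]:
    """Return the redirect target if it passes the policy, else None.

    Rejects empty or oversized values, control characters and whitespace
    (which could be used to smuggle extra attributes), scheme-relative
    '//host' values, and any scheme other than http/https.
    """
    if not value or len(value) > max_len:
        return None
    if any(c.isspace() or ord(c) < 0x20 for c in value):
        return None
    parts = urlsplit(value)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require a single leading slash (local path only).
        if value.startswith("/") and not value.startswith("//"):
            return value
        return None
    if parts.scheme.lower() in ALLOWED_SCHEMES and parts.netloc:
        return value
    return None


def render_login_form(redirurl: str, fallback: str = "/") -> str:
    """Build the login form, carrying the validated redirect target in a
    hidden field. Output encoding is applied regardless of validation, as
    defense in depth: a value such as /x?q="y is legitimate but still
    needs its quote encoded to stay inside the attribute."""
    safe = validate_redirurl(redirurl) or fallback
    encoded = html.escape(safe, quote=True)
    return (
        '<form method="post" action="/index.php">\n'
        f'  <input type="hidden" name="redirurl" value="{encoded}">\n'
        '  <input type="submit" value="Continue">\n'
        "</form>"
    )


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for candidate in ["/status.php", "https://example.com/welcome",
                      '/x?q="y', "javascript:void(0)", "//other.example/",
                      '"><em>injected</em>']:
        print(repr(candidate), "->", validate_redirurl(candidate))
    print(render_login_form('"><em>injected</em>'))
```

The validation step decides whether the value is an acceptable destination at all; the encoding step guarantees that whatever is written into the page cannot change its HTML structure. Either one alone leaves a gap: validation without encoding breaks on a legitimate value containing a quote, and encoding without validation still lets a javascript: or off-site target through as a link.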
Users on versions before pfSense CE version 2.5.2 or on pfSense Plus version
21.05, and possibly on earlier versions, can apply the commit hashes manually
using the System Patches package. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
pfSense/master                   de9ba32bd3531ccf74e143391deaacb77e085097
pfSense/master                   9fc1648ef349d6a657e29ceb2c3dfb70967adb3f
pfSense/RELENG_2_5_1             697a99c1e176b2f546460fc124a6e15075e5ef49
pfSense/RELENG_2_5_2             c416f6fab10f149b15a352dfb609f86a98f6103d
plus/plus-master                 de9ba32bd3531ccf74e143391deaacb77e085097
plus/plus-master                 9fc1648ef349d6a657e29ceb2c3dfb70967adb3f
plus/plus-RELENG_21_05           de9ba32bd3531ccf74e143391deaacb77e085097
plus/plus-RELENG_21_05_1         407efc7e6735814c6e454ba6126fc3cc6c56e1eb
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmInWREACgkQE7mH/ZIU
+NokZQ//V4kG51JWcK1ePcfX4BW98Byr4cBiR/j2A4oBFrXFJRd85rDVJdGTtXL5
b8jzqnNW4TiK6CMCUIHfZgw8sQqZcFJ1OY3P9XQ9x0ZfeCykXymaPxJIarUh0UzV
djzj+ExATozqCZe6NTLx+GjH24BZGR041q/OTN4IBNPAhwwsp7RvxSY03bdb9YtS
3+tyNluOjPud7B6E6KOh6LEPB6ZPjGjxvspAoZqmnOAeKLnibcOaSs3hWohaoAl1
x7lBpH6qXudke0fnZ9Q9FneG6StHPvEqtefbu0Ur76tl1KuTI4S8VvfVoyf+UVj0
o6Bl+u9Yicm9YgDmMWExqk9dFEL77VZOGJO3eDQ0qMmc+pprHge5/Tcaz9C/iLd5
ufLvCITnIQjnaoTXuq0XXY2NNTqa8bU1Eh7nnxydhgTwy46mXvSnWYib6qqxrkP0
d5xmWar7EKCfZdRD38f6neuS1ig6vG/Nn2xB6+ovS6OyD3W3Pc+oWlRmYFKvJ7sD
6cHi3DcEnIkl5wnQ8ApBmg0sI9HBdN4+MEE0ieORggbSQXdbdzR1pdkxwtq5cOxX
urC+zJpeGWyE8zPHatrisW2Dh6BlojWofarC7xPOwioTb5yBM2J5wPcpD1Sbjg4n
EuRdhL/+Prj1oMnhe3vNXUd3FgJqGP98mZdeyANzOFs6Td6X5c4=
=1SGh
-----END PGP SIGNATURE-----