=============================================================================
pfSense-SA-22_01.webgui                                   Security Advisory
                                                                    pfSense

Topic:          File overwrite vulnerability in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2022-01-12
Credits:        Yutaka WATANABE of Ierae Security, Inc. via JPCERT/CC
CVE ID:         CVE-2022-26019
Affects:        pfSense CE software versions < 2.6.0
                pfSense Plus software versions < 22.01
Corrected:      2021-08-06 15:40:00 UTC (pfSense CE 2.6.0)
                2021-08-06 15:40:30 UTC (pfSense Plus 22.01)

0.   Revision History

v1.1  2022-03-08  Removed JVN ID, added CVE ID, added missing commit hash,
                  updated solution information.
v1.0  2022-01-12  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description
An arbitrary file overwrite vulnerability was found in services_ntpd_gps.php,
a component of the pfSense CE and pfSense Plus software WebGUI, on pfSense CE
version 2.5.2, pfSense Plus version 21.05.2, and earlier versions of both.

The gpsport parameter was not validated properly when set in
services_ntpd_gps.php or during NTP setup in services.inc. A relative path in
the parameter could have been leveraged to overwrite an existing file on the
firewall with the contents of the gpsinitcmd configuration parameter.

To exploit this, all of the following must be true:

* The attacker must have authenticated access to the GUI
* The attacker must have sufficient privileges to access
  services_ntpd_gps.php
* The attacker must have sufficient privileges to alter the firewall
  configuration
* "Check baud rate before sending init commands" on services_ntpd_gps.php
  must be unchecked

III. Impact

An attacker meeting all of the necessary conditions to exploit the
vulnerability could overwrite an existing file on the firewall with
arbitrary contents. This method could be used for code execution, privilege
escalation, information disclosure, denial of service, or other negative
outcomes.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.

V.   Solution

Users can upgrade to pfSense CE software version 2.6.0 or later when
available, or pfSense Plus software version 22.01 or later. This upgrade may
be performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 21.05.2 or pfSense CE version 2.5.2 may apply
the fix from the recommended patches list in the System Patches package.
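To illustrate the validation gap described in Section II, the following is an added example in the style of the affected WebGUI code; it is not pfSense code and not the actual patch. The function name, the allowed-character rule and the device names in the checks are assumptions; the point is that a serial-port setting must resolve to an existing device node under /dev and nothing else.

```php
<?php
// Added example (not pfSense code): confine a GPS port setting to a device
// node under /dev so a relative path such as "../etc/<file>" can never be
// opened for writing with the init command string.
//
// Weak pattern the advisory describes: the setting is joined to the device
// directory unchecked, e.g. $dev = '/dev/' . $gpsport; and then written to.

// Returns the resolved device path, or null when the value is not acceptable.
function validate_gpsport(string $gpsport): ?string
{
    // A device name is a single path component: no "/", no NUL, no "..".
    if ($gpsport === '' || !preg_match('/^[A-Za-z0-9._-]+$/', $gpsport)) {
        return null;
    }
    if ($gpsport === '.' || $gpsport === '..') {
        return null;
    }

    // realpath() returns false for a missing file and follows symlinks, so a
    // link inside /dev pointing elsewhere is rejected by the prefix check.
    $path = realpath('/dev/' . $gpsport);
    if ($path === false || strpos($path, '/dev/') !== 0) {
        return null;
    }

    // Only a character device is a plausible serial port; regular files,
    // directories and sockets are refused even when they live under /dev.
    if (filetype($path) !== 'char') {
        return null;
    }
    return $path;
}

// Constructed checks (device names are illustrative):
var_dump(validate_gpsport('../etc/hosts'));   // NULL: path separator rejected
var_dump(validate_gpsport('..'));             // NULL: parent directory rejected
var_dump(validate_gpsport('no_such_device')); // NULL: does not exist
var_dump(validate_gpsport('null'));           // "/dev/null": existing char device
```

The same check belongs in both places the advisory names, the page handler and the NTP setup code, so that a value already stored in the configuration is re-validated before any write.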
Users may also manually apply the relevant revisions below using the System
Patches package on pfSense Plus version 21.05.2 or pfSense CE version 2.5.2
and possibly on earlier versions. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                        Revision
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
pfSense/master                     bf21f67bbe2d1694ad1ad72728623dded9ace426
                                   0d3747aaa90dc3ad7729b68be8c9727d44b743c7
                                   fbf4a07f41f93745850adf5a3b1ea345628693ab
plus/plus-master                   bf21f67bbe2d1694ad1ad72728623dded9ace426
                                   0d3747aaa90dc3ad7729b68be8c9727d44b743c7
                                   fbf4a07f41f93745850adf5a3b1ea345628693ab
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

VII. References

The latest revision of this advisory is available at