-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-23_05.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Anti-brute force protection bypass

Category:       pfSense Base System
Module:         webgui
Announced:      2023-02-15
Credits:        Fabien MAISONNETTE (Alstom) https://fr.linkedin.com/in/fabdotnet
Affects:        pfSense Plus software versions <= 22.05.1
                pfSense CE software versions <= 2.6.0
Corrected:      2022-10-18 15:14:51 UTC (pfSense Plus master, 23.01)
                2023-01-12 16:12:48 UTC (pfSense Plus 22.05)
                2023-01-13 15:24:03 UTC (pfSense Plus 22.05.1)
                2022-10-18 15:14:51 UTC (pfSense CE master, 2.7.0)
                2023-01-12 16:12:37 UTC (pfSense CE 2.6.0)

0.   Revision History

     v1.1  2023-06-19  Updated with CE 2.7.0 release information
     v1.0  2023-02-15  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

The authentication system attempts to be informative and prints extra
information along with the IP address to fully identify where a user logs in
from when logging in via the GUI. This includes the authentication source
(e.g. local database, LDAP or RADIUS, and the authentication server name),
plus the contents of the X-Forwarded-For and Client-IP proxy headers to
further clarify the exact user location. This extra information is printed
after the IP address of the remote user in various places, including log
messages for authentication.

In the case of GUI login failures, the log entries included the contents of
the proxy headers (X-Forwarded-For or Client-IP) submitted by the client.
Since the client chooses these header values, arbitrary text could be placed
after the client IP address in the failure message. This extra information
confused the sshguard authentication log parser, which then failed to
recognize the client IP address in authentication error messages.

III. Impact

Login protection managed by sshguard, such as preventing brute force
attempts, may not be enforced depending on the content of the request headers
in GUI authentication attempts. An attacker who sends such headers with each
attempt may therefore be able to continue GUI login attempts indefinitely
without being blocked.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Do not expose the WebGUI service to untrusted networks.
* Use strong authentication credentials.
* Do not use the default accounts for management.

V.   Solution

Users can upgrade to pfSense Plus software version 23.01 or later, or pfSense
CE software version 2.7.0 or later. This upgrade may be performed in the web
interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 22.05, pfSense Plus version 22.05.1, and
pfSense CE version 2.6.0 may apply the fix from the recommended patches list
in the System Patches package.
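The parsing failure described in Section II, shown as an added example that is not part of this advisory and is not pfSense or sshguard code: a toy brute-force counter driven by a log parser, first with a signature that expects the client IP to be the last token of the message (which stops matching once client-supplied header text follows the IP), then against a corrected log layout, and for comparison with a parser that tolerates trailing text. The exact log message wording, the X-Forwarded-For text, the separate detail line in the corrected layout and the threshold of three failures are all assumptions made for this illustration.

```python
"""Added illustration (not pfSense or sshguard code) of the Section II
failure mode: a log parser that expects the remote IP to end the failure
message stops recognising attempts once client-supplied header text is
appended after the IP, so the brute-force counter never reaches its
threshold. Message wording and the ban threshold are assumptions."""
import re
from collections import Counter

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Parser modelled on an anchored signature: the IP must be the last token.
ANCHORED = re.compile(
    r"authentication error for user '[^']*' from: (?P<ip>" + IPV4 + r")$"
)
# Hardened parser: the IP only has to be followed by whitespace or end of
# line, so trailing detail cannot hide it from the counter.
TOLERANT = re.compile(
    r"authentication error for user '[^']*' from: (?P<ip>" + IPV4 + r")(?=\s|$)"
)

BAN_THRESHOLD = 3  # assumed: failures per source before a block is applied


def failure_line(ip, user="admin", extra=None):
    """Constructed log message in the assumed pfSense style; `extra` stands
    in for the proxy-header text the vulnerable versions appended."""
    msg = f"webConfigurator authentication error for user '{user}' from: {ip}"
    return f"{msg} {extra}" if extra else msg


def failed_logins(lines, pattern):
    """Count failures per source IP as seen by the given parser."""
    hits = Counter()
    for line in lines:
        m = pattern.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits


def blocked_sources(lines, pattern, threshold=BAN_THRESHOLD):
    """Sources the counter would have banned."""
    return {ip for ip, n in failed_logins(lines, pattern).items()
            if n >= threshold}


ATTACKER = "203.0.113.5"
# Attacker-chosen header value (constructed); any content works as long as it
# ends up after the IP on the parsed line.
HEADER = "(X-Forwarded-For: 198.51.100.7)"

# Vulnerable layout: header text embedded after the IP on the same line.
vulnerable_log = [failure_line(ATTACKER, extra=HEADER) for _ in range(5)]

# Corrected layout (one possible design, assumed here): the IP ends the
# message the parser consumes, and any extra detail goes on its own line.
fixed_log = []
for _ in range(5):
    fixed_log.append(failure_line(ATTACKER))
    fixed_log.append(f"webConfigurator login detail for {ATTACKER}: {HEADER}")

if __name__ == "__main__":
    print("anchored parser, vulnerable log:", blocked_sources(vulnerable_log, ANCHORED))
    print("anchored parser, fixed log:     ", blocked_sources(fixed_log, ANCHORED))
    print("tolerant parser, vulnerable log:", blocked_sources(vulnerable_log, TOLERANT))
```

The durable fix belongs in the log producer, not the parser: text the client controls must never be placed on the same line, after the IP, that a security tool parses. A tolerant parser still hands the attacker a free-form field in the authentication log, which is why the corrected layout above keeps the header detail on a separate line.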
Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                         Revision
- - -------------------------------------------------------------------------
plus/plus-master                    9633ec324eada0b870962d3682d264be577edc66
plus/plus-RELENG_22_05              6b53dc764a9f3147f7e714b217274447d7ffdeda
plus/plus-RELENG_22_05_01           14c6644326eb55fd4ab3e6ec6fb598031eb4509b
pfSense/master                      9633ec324eada0b870962d3682d264be577edc66
pfSense/RELENG_2_6_0                70bfd0fda18012a01547a4eeff17c22c0adf8503
- - -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmSQer0ACgkQE7mH/ZIU
+NoCrQ/+I9vxQLPwpHZlvAaoRk3KSusOVs70eIr8smHAmkWhAdhvtWy+K7+j8tg8
yrx/2bSMi1h8KMpuUfr1/4Wfekv6MsBBgJ/iIuLMWXqXJCeXMjDhdNq0wd2+CYEO
lPXHU+UHAjafYuVqUGrgMaf9h333CfNDV4u6J+R54YzNdX6hT2yAnzKf8m2c42yJ
UIZ8gP2jb2G1M6zvT7jMBqyI12/1DkeE3ihtNa14kG7WT4/F+v+XEH88HyZBt8GJ
wdRv4tG8Pi5HGFgVq1J6Mag6N2TwHwMVREmhxhvynxM4NdOZIFaEq6gNZfazTiDL
Y5pAbyKYZ1pSZHW9aeCdtYLQLuiph5Xc5+H6aWLwY6L2E7K2F+TTa1FGzk4dXFA8
NzH7VrTodIONYGqPS+J8Fdg1Sio2OHSs7Ym5aZzbnF/Z+hmOmhtMLlhisBcQj6GJ
ZYBClRWIQFMJygjHv2Wyf3TTFbXOPV7yxTaLTzWnt7AbNQPCDRSI0lZUy2CMN5+o
9nC4mo2ny9rpr2jl/FcxD+F8ZW9D843tD1czemxMd9Yi2gP4UXr8vz1KiYdPCmPD
0Up4/dDCyr27F1irjLNbAUGhNpcyn9po3Q9s5qjjHFw2GyATf/XRS8fVxa/6k7RD
dkojVGN16oPKZD7+m0Mlzlky626/Dx6qLoLrR/83UsoWx+YjdWY=
=3Orj
-----END PGP SIGNATURE-----