-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-23_05.webgui                                   Security Advisory
                                                          pfSense

Topic:          Anti-brute force protection bypass

Category:       pfSense Base System
Module:         webgui
Announced:      2023-02-15
Credits:        Fabien MAISONNETTE (Alstom) https://fr.linkedin.com/in/fabdotnet
Affects:        pfSense Plus software versions <= 22.05.1
                pfSense CE software versions <= 2.6.0
Corrected:      2022-10-18 15:14:51 UTC (pfSense Plus master, 23.01)
                2023-01-12 16:12:48 UTC (pfSense Plus 22.05)
                2023-01-13 15:24:03 UTC (pfSense Plus 22.05.1)
                2022-10-18 15:14:51 UTC (pfSense CE master)
                2023-01-12 16:12:37 UTC (pfSense CE 2.6.0)

0.   Revision History

v1.0  2023-02-15 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most
of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls
may encounter a short learning curve.

II.  Problem Description

The authentication system attempts to be informative and prints extra
information alongside the IP address to identify, as completely as possible,
where a user logs in from when they log in using the GUI. This includes the
authentication source (e.g. local database, LDAP or RADIUS, and the
authentication server name), plus the contents of the proxy headers
X-Forwarded-For and Client-IP, to further clarify the exact user location.
This extra information is printed after the IP address of the remote user in
various places, including log messages for authentication.

In the case of GUI login failures, the log entries included the contents of
the proxy headers (X-Forwarded-For or Client-IP) submitted by the client.
Because those headers are supplied by the client, the text that follows the
IP address in the log entry is under the client's control.

This extra information confused the sshguard authentication log parser,
which then failed to recognize the client IP address in authentication error
messages.

III. Impact

Login protection managed by sshguard, such as blocking brute-force attempts,
may not be enforced, depending on the content of the request headers sent
with GUI authentication attempts. An attacker who controls those headers may
therefore be able to continue GUI login attempts indefinitely.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Do not expose the WebGUI service to untrusted networks.
* Use strong authentication credentials.
* Do not use the default accounts for management.

V.   Solution

Users can upgrade to pfSense Plus software version 23.01 or later, or
pfSense CE software versions after 2.6.0 when available. This upgrade may be
performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 22.05, pfSense Plus version 22.05.1, and
pfSense CE version 2.6.0 may apply the fix from the recommended patches list
in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes
to the affected files if the patches do not apply directly. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                     Revision
- - -------------------------------------------------------------------------
plus/plus-master                9633ec324eada0b870962d3682d264be577edc66
plus/plus-RELENG_22_05          6b53dc764a9f3147f7e714b217274447d7ffdeda
plus/plus-RELENG_22_05_01       14c6644326eb55fd4ab3e6ec6fb598031eb4509b
pfSense/master                  9633ec324eada0b870962d3682d264be577edc66
pfSense/RELENG_2_6_0            70bfd0fda18012a01547a4eeff17c22c0adf8503
- - -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmPr0uEACgkQE7mH/ZIU
+NqVHBAAw2KUI8RpZrlQDa4M/hx05aBrQrZOZ0zGU+4Jld6pUqcVFXL+8g8coJcS
nEDJpkTu4AUQAqJzAb39eqSR+YPsIb/nt5oz3EwlFhDcg7/3XGPe9r6VR5dPyNwO
3jxtyPYkl01ioPlKHStXh3hDdwB+Mus74+jbT5eKRkkDtHzhoYIitpZCzTkW5hQa
WtxAu5KOKoPE2egrbUTjCXToAsTvfmb4iPUjumFcdUTswr5b3MDzYG4/uWRc5aA9
OcS4XDd4hnjUWpq2ieBx7vV+leFWKq3OxN2/rQHaAFyD2xFpWFTPS90FT02hjXP9
ReLUm3z5/Qd2OuIKPWU9orJgDxJg4qxQIPAzAmjkWNAskrUTyOWUp6OwoAZxAcV4
qXawx7MVnb3TijWuWGIQ57sZP8DYK6Uj995kcTtFWCHmSElF7yd5dHJZ3kG406wv
eUfnvPDaRxY/50Pwyjh0krZnKzMOPQ2zZgoJ68OFDrG40epuqTGOajdqJ+rfiYta
i6HXRWQ9LMBJw3sGvDcWZYYX2SiHSWkoZypaLRnXhEJOnU8huG4VGZad3sFO3oPD
H6xogWAb9Cv64HLsX6tz2PE1EoRXgbIUedMDRdCrXOR10ndOQxhbow8MHZnNUYNL
sx4gfGhliPHN9V3CCOzkl5V5xHRFzeZpsEBxxtIiZmssnoC0UI4=
=e5/q
-----END PGP SIGNATURE-----
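The parser failure described in sections II and III, reproduced as an added example. This is not code from the advisory, from pfSense or from sshguard: the auth.log lines are constructed, the anchored regular expression is only a stand-in for an sshguard-style attack signature, and the hardened formatter (canonical line ending in the validated remote address, client-supplied proxy headers on a separate line) is an assumed design, not the fix pfSense shipped.

```python
import re
import ipaddress
from collections import Counter

# Constructed sample /var/log/auth.log lines, modelled on the webConfigurator
# failure message the advisory describes; not captured from a real system.
# The last two carry client-supplied proxy header contents appended after
# the remote address, as the vulnerable versions logged them.
SAMPLE_LOG = """\
Feb 15 10:01:02 fw php-fpm[371]: /index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.7
Feb 15 10:01:05 fw php-fpm[371]: /index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.7
Feb 15 10:01:09 fw php-fpm[371]: /index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.7 (X-Forwarded-For: 203.0.113.9)
Feb 15 10:01:12 fw php-fpm[371]: /index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.7 (Client-IP: not-an-address)
"""

# Assumed stand-in for an sshguard-style attack signature: the attacker
# address has to be the last token of the message.  Illustration only, not
# sshguard's real grammar; IPv4 only to keep the pattern short.
ANCHORED_SIGNATURE = re.compile(
    r"webConfigurator authentication error for user '[^']*' from: "
    r"(\d{1,3}(?:\.\d{1,3}){3})$"
)


def count_attacks(log_text: str, signature: re.Pattern = ANCHORED_SIGNATURE) -> Counter:
    """Count recognised login failures per source address, the way a
    log-driven brute-force blocker would.  Lines the signature does not match
    are silently ignored, which is exactly the bypass: the attempts happened
    but never count toward a block."""
    hits = Counter()
    for line in log_text.splitlines():
        m = signature.search(line)
        if m:
            hits[m.group(1)] += 1
    return hits


def sanitize_for_log(value: str, limit: int = 64) -> str:
    """Keep client-supplied text loggable: printable ASCII only, no quotes,
    bounded length, so a client cannot smuggle separators, newlines or a
    fake 'from:' field into the log."""
    cleaned = "".join(ch for ch in value if 0x20 <= ord(ch) < 0x7F and ch != "'")
    return cleaned[:limit]


def format_auth_failure(user: str, remote_addr: str, proxy_headers: dict) -> list:
    """Hardened formatter (assumed design, not the pfSense fix).  The line a
    log parser keys on ends with the validated socket address and carries
    nothing else; proxy details, if any, go on a second line that no attack
    signature matches."""
    ipaddress.ip_address(remote_addr)  # raises ValueError on garbage
    user = sanitize_for_log(user)
    lines = [f"webConfigurator authentication error for user '{user}' from: {remote_addr}"]
    extra = ", ".join(
        f"{name}={sanitize_for_log(value)}" for name, value in proxy_headers.items() if value
    )
    if extra:
        lines.append(f"webConfigurator proxy headers for user '{user}' from {remote_addr}: {extra}")
    return lines


if __name__ == "__main__":
    print("counted by the blocker:", dict(count_attacks(SAMPLE_LOG)))
    for line in format_auth_failure("admin", "198.51.100.7",
                                    {"X-Forwarded-For": "203.0.113.9\r\nfake from: 10.0.0.1"}):
        print(line)
```

Running `count_attacks` over the sample shows the blocker crediting 198.51.100.7 with only two failures although four were logged; the two attempts that carried a proxy header do not match the anchored signature and are invisible to it. With `format_auth_failure`, every failure produces one canonical line that the signature matches regardless of what the client put in X-Forwarded-For or Client-IP, and the header contents are stripped of control characters before they reach the log at all.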