-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
pfSense-SA-23_06.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Authenticated Command Execution in the WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2023-05-11
Credits:        The UK's National Cyber Security Centre (NCSC)
Affects:        pfSense Plus software versions <= 23.01
                pfSense CE software versions <= 2.6.0
Corrected:      2023-02-28 20:54:00 UTC (pfSense Plus master, 23.05)
                2023-02-28 20:54:00 UTC (pfSense CE master)

0.   Revision History

v1.0  2023-05-11 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system.  The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system.  Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge.  The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.

II.  Problem Description

A potential authenticated arbitrary command execution vulnerability was found in
interfaces_bridge_edit.php, a component of the pfSense Plus and pfSense CE
software GUI.

When creating or editing a bridge interface on interfaces_bridge_edit.php, the
submitted POST "bridgeif" value is used before it is validated. Subsequently,
that function calls others which in turn use the submitted interface name in
shell commands.

Due to a lack of escaping on commands in the functions being called, it is
possible to execute arbitrary commands with a properly formatted submission
value for "bridgeif" in POST operations.

This problem is present on pfSense Plus version 23.01, pfSense CE version
2.6.0, and earlier versions of both.

III. Impact

A user with sufficient privileges to access interfaces_bridge_edit.php may be
able to execute arbitrary shell commands.

IV.  Workaround

To help mitigate the problem on older releases, use one or more
of the following:

* Limit access to the affected pages to trusted administrators only.

V.   Solution

Users can upgrade to pfSense Plus software version 23.05 or later, or pfSense
CE software versions after 2.6.0 when available. This upgrade may be performed
in the web interface or from the console.

  See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 23.01, 22.05.x, and pfSense CE version 2.6.0 may
apply the fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.

  See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                        Revision
- - -------------------------------------------------------------------------
plus/plus-master                   c5b8e57aa51ff82b45bd6cb925ba512f4c01dcba
pfSense/master                     c5b8e57aa51ff82b45bd6cb925ba512f4c01dcba
- - -------------------------------------------------------------------------

VII. References

<URL:https://redmine.pfsense.org/issues/14052>
<URL:https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html>
<URL:https://docs.netgate.com/pfsense/en/latest/development/system-patches.html>

The latest revision of this advisory is available at
<URL:https://docs.netgate.com/downloads/pfSense-SA-23_06.webgui.asc>
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmRbq+cACgkQE7mH/ZIU
+NpeIBAA1S7PeLFKFzTNOPOF6HTtXrcsePbA1GoxXCYq12qGilQHhfba+4loEflC
QJMTFcNt4wfeHG/YXrZ3Fcg/BUXoMa5sL36SgT3oS0+a4D5qtFy0vJFYDT067ZJU
jEenRQbT8EOaGid6rDYRA6HD5RVNKt+KhN2uke0/cb1ClsKOn5k9k47zHAr1IETn
V/cw34pjS/as7Nei5sYqpCnXM3nGSVTIZ12zQWOZPNsZhQzsZA8W62Hl+QpfeB3b
izXA9i/meZ/SNjO8Sx2fb1cmSNkyCeJ4YH9wXyyZ3bRTTcyG4yk3wZklOE/+/fsv
OxUfHuTVBs9lVUreb2tz8vz9pqUejjoHogOtgPZroR4kDrN+vRbAhqjsi1rsncKs
nixjgjNZ4ru6BMYlBLUWAFYa3W2PntAEkdAIx6afLM56NDZTOAhPjRWgj5Lvjamy
6uX5gLhA6ofMZBqkC6w1sGOIFr3bdchDtj49eAWsqqBFlCeXsn7vourT5t4/3E2x
W373BWQhRoyZ3XeX3T3my4kOik08Tk/WMBD6y5wmA8Q7B7vB2fEsfSeVHhNwIpe5
4hjblAZ3DRzqzpKKiR9l40YJJNDCWhHPqk5ULgV471SbILYlUTOMOisSaXjOxAUa
7pW7oJtUksEKh27x1lyih1vnbDyBSro5OWz1USvUTb5J9Z9kXa0=
=cRTP
-----END PGP SIGNATURE-----