=============================================================================
pfSense-SA-24_01.webgui                                     Security Advisory
                                                                      pfSense

Topic:          Local File Inclusion Vulnerability in the pfSense WebGUI

Category:       pfSense Base System
Module:         webgui
Announced:      2024-04-22
Credits:        PWNLAB
Affects:        pfSense Plus software versions <= 23.09.1
                pfSense CE software versions <= 2.7.2
Corrected:      2024-01-03 19:31:40 UTC (pfSense Plus master, 24.03)
                2024-01-03 19:25:53 UTC (pfSense CE master, 2.8.0)

0.   Revision History

v1.0  2024-04-22  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and provides
most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is
no need for any UNIX knowledge. The command line is never used, and there is no
need to ever manually edit any rule sets. Instead, pfSense software includes a
web interface for the configuration of all included components. Users familiar
with commercial firewalls will quickly understand the web interface, while
those unfamiliar with commercial-grade firewalls may encounter a short learning
curve.

II.  Problem Description

A potential Local File Include (LFI) vulnerability was discovered in the DNS
Resolver Python Module Script include mechanism.

When the DNS Resolver Python Module function is enabled and a Python Module
Script is present, the system also looks for a PHP file to include for
additional related functions. The filename for this code starts with the same
name as the Python script and ends with "_include.inc". Though the Python
script is tested/validated by Unbound to ensure it is viable, the PHP include
is handled separately.

This problem is present on pfSense Plus version 23.09.1, pfSense CE version
2.7.2, and earlier versions of both.

III. Impact

A user with sufficient access to the DNS resolver and an ability to write
arbitrary files on the firewall could run arbitrary PHP code included during
Python script initialization/testing due to lack of path traversal protection
and validation of the Python script name.

To take advantage of this, the user must be logged in, must be able to write
files with a specific name on the firewall filesystem, and must have access to
the DNS Resolver settings.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.

V.   Solution

Users can upgrade to pfSense Plus software version 24.03 or later, or pfSense
CE software versions after 2.7.2 when available. This upgrade may be performed
in the web interface or from the console.

See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 23.09.1 and pfSense CE version 2.7.2 may apply
the fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.

See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each affected
item.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
plus/plus-master                 12cbb18a93c1f78e05806b6d3c90511e8967f43f
pfSense/master                   12cbb18a93c1f78e05806b6d3c90511e8967f43f
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
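
Added example (not part of the advisory and not pfSense source code): the class of check that sections II and III say was missing, namely validating the script name and confining the derived "_include.inc" path before it is included. MODULE_DIR, both function names and the sample script names are hypothetical.

```php
<?php
// Added example; not pfSense source. MODULE_DIR is a hypothetical location.
const MODULE_DIR = '/usr/local/example/resolver_modules';

// Unvalidated pattern of the kind the advisory describes: the configured
// script name flows straight into the path that will be included.
function include_path_unchecked(string $script_name, string $base_dir = MODULE_DIR): string
{
    return $base_dir . '/' . $script_name . '_include.inc';
}

// Hardened form: returns the canonical include path, or null if the name
// is not acceptable or the file is not directly inside $base_dir.
function resolve_module_include(string $script_name, string $base_dir = MODULE_DIR): ?string
{
    // 1. Allowlist the name: no path separators, dots or NUL bytes.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $script_name) !== 1) {
        return null;
    }
    // 2. Canonicalize both paths; realpath() returns false if a path is missing.
    $base = realpath($base_dir);
    $candidate = realpath($base_dir . '/' . $script_name . '_include.inc');
    if ($base === false || $candidate === false) {
        return null;
    }
    // 3. Containment: after symlink resolution the file must be a regular
    //    file sitting directly in the module directory.
    if (dirname($candidate) !== $base || !is_file($candidate)) {
        return null;
    }
    return $candidate;
}

// Constructed demo: a throwaway directory holding one legitimate include.
$dir = sys_get_temp_dir() . '/modinc_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . '/filter_include.inc', "<?php // constructed sample\n");

// Constructed script names: one valid, three malformed, one with no include.
foreach (['filter', '../filter', 'sub/filter', 'filter.py', 'missing'] as $name) {
    $checked = resolve_module_include($name, $dir);
    printf("%-11s unchecked=%s\n", $name, include_path_unchecked($name, $dir));
    printf("%-11s checked=%s\n", '', $checked ?? 'rejected');
}

unlink($dir . '/filter_include.inc');
rmdir($dir);
```

A caller would pass only a non-null return value to include_once; a null result should be logged and treated as a configuration error.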