-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-24_02.webgui Security Advisory pfSense Topic: Stored XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2024-04-22 Credits: Joint researchers (brwook, x-R@SE-Lab@ETRI, PWNLAB@KHU) Affects: pfSense Plus software versions <= 23.09.1 pfSense CE software versions <= 2.7.2 Corrected: 2024-02-01 17:21:39 UTC (pfSense Plus master, 24.03) 2024-02-01 16:12:51 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2024-04-22 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential stored Cross-Site Scripting (XSS) vulnerability was found in services_acb_settings.php, a component of the Auto Config Backup feature in the pfSense Plus and pfSense CE software GUI. The page does not validate or sanitize the value of the "frequency" parameter, which is stored in config.xml and may be printed without encoding inside a block of JavaScript code. This problem is present on pfSense Plus version 23.09.1, pfSense CE version 2.7.2, and earlier versions of both. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. Because the value is stored, the attacker could also trick another administrator into visiting the compromised page. The target user's session cookie or other information from the session may be compromised. The user must be logged in, have sufficient privileges to access services_acb_settings.php, and have privileges to make changes to the configuration. Users with access to Auto Config Backup and its settings effectively have full administrator access, making this a moot point in nearly all cases. However, it is theoretically possible that a user might only be granted access to the settings tab and not the tabs which manage configuration files. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not grant users write access to the configuration unnecessarily. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 24.03 or later, or pfSense CE software versions after 2.7.2 when available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.09.1 and pfSense CE version 2.7.2 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master 6f59a7f9fdfe3703667819fcbbd8b6f8cbec0d9f pfSense/master 6f59a7f9fdfe3703667819fcbbd8b6f8cbec0d9f - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmYivE8ACgkQE7mH/ZIU +NpnZxAAsQ09wSRp/9rPh3zRr8GROvJCxHs5kf+UR7DEV6VNhvlB9QWBQuT4cR7l kDiujZFZQz+Y0eD0koDsSl/omean7cfPGz7Oz1hS27KNO2LGR1F7+RXcWzTfqa7j +0E0j3tWO7gTyEv5P1lHjtuMW7FmuJ+JKzMnvR1odFkNbrh1d7ZB5QRMlQQKuPD2 txVoTL8MRHEIfd8u+IrjDRp7A66MVot/aaWEY/offGRyttWPCix4OcTVL1N2/di1 7jj5sYFKmbK7I/KmUKaSS9OEBYRLJAvov/Pbhu299KVIcFfFMsXNhkZGGY0kjlYn ZTG/jJ7GPQ8Yw+w+fmvVNy2A2+1maHmnvvSjihwLZjIalrdNmlgw+WYe7n2SrQIU OJU9FmnFfkPVmwpTiKUK3QdmMm7DWd7GBazZjSCx/9C1c32aPtwFCxJz1sE4+W2t +o+ERGPzgxWUkqBhlzp7jBmLT8U2yVArJ9aOWIjU0maVpoDQpQu1ZEtGMmF0Lqan Sxapj27wig+0BhFK+UgUQIoT/dRTCLvykHk0dxSJYGj9eBiFona5bsA3IEL1fXKd ltgNO9vkzSh5qAzukTE679Wrmkf10ykf+dBy/xApZjyB8HD2wfulkuAS09Qm8rU8 X1MNhmr3lxNMlflzv87Yo5Y5m4H4fx0UKaKH/bAn/h2uR4xX52A= =pgop -----END PGP SIGNATURE-----