=============================================================================
pfSense-SA-24_06.sshguard                                  Security Advisory
                                                                     pfSense

Topic:          Anti-brute force protection bypass

Category:       pfSense Base System
Module:         sshguard
Announced:      2024-11-13
Credits:        Netgate
Affects:        pfSense Plus software version 24.03 installed or upgraded
                before August 22, 2024.
Corrected:      2024-08-19 19:12:52 UTC (pfSense Plus Ports plus-devel, 24.11)
                2024-08-21 16:26:16 UTC (pfSense Plus Ports plus-RELENG_24_03, 24.03)
                2024-08-19 19:12:52 UTC (pfSense CE Ports devel, 2.8.0)

0.   Revision History

     v1.0  2024-11-13  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

The sshguard daemon monitors log files for failed authentication attempts
and blocks sources of repeated failures in the firewall.
The log parsing string that matches failed WebGUI login attempts was missing
from the sshguard build that initially shipped with pfSense Plus software
version 24.03.

III. Impact

Login protection managed by sshguard, such as preventing brute force
attempts, was not able to detect failed WebGUI login attempts. SSH brute
force attempts were still detected and blocked appropriately. This may allow
an attacker to continue WebGUI login attempts indefinitely.

The problematic build was never present in any release of pfSense CE
software.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Do not expose the WebGUI service to untrusted networks.
* Use strong authentication credentials.
* Do not use the default accounts for management.

V.   Solution

A new build of sshguard, sshguard-2.4.3_2,1, was made available to users of
pfSense Plus software version 24.03 through the package repository. This new
build has been available since August 22, 2024.

Users who upgraded to pfSense Plus software version 24.03 after that date
automatically obtained the corrected version during the upgrade. Likewise,
any user who installed pfSense Plus software version 24.03 using the Netgate
Installer after that date automatically obtained the corrected version
during the installation.

Users who upgraded or installed pfSense Plus software version 24.03 before
that date can update the package manually from a shell prompt:

  # pkg update
  # pkg upgrade -fy sshguard

Alternately, upgrade to pfSense Plus software version 24.11 or later. This
upgrade may be performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.
Branch/path                      Revision
-------------------------------------------------------------------------
plus-ports/plus-devel            ac62d9de36ab2ef3910d9ae50beee3ad1bcefd14
plus-ports/plus-RELENG_24_03     ce23092df564c1b94ca43a9ec4fe4f3c17cbdc3b
FreeBSD-ports/devel              ac62d9de36ab2ef3910d9ae50beee3ad1bcefd14
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
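Added illustration of the detection gap described in sections II and III; this is not part of the advisory and is not sshguard's own code. A minimal log scanner is run over constructed syslog lines twice: once with only an SSH failure pattern, as in the affected build, and once with the WebGUI failure pattern as well. The log line formats, the regular expressions and the threshold are assumptions made for the example, not sshguard's actual signatures or configuration.

```python
import re
from collections import Counter

# Constructed sample log lines approximating pfSense syslog output (assumed
# formats). One source fails repeatedly over SSH, another over the WebGUI,
# and a third logs in successfully and must not be flagged.
SAMPLE_LOG = """\
Nov 13 10:00:01 fw sshd[1201]: Failed password for root from 192.0.2.10 port 51000 ssh2
Nov 13 10:00:03 fw sshd[1202]: Failed password for root from 192.0.2.10 port 51001 ssh2
Nov 13 10:00:05 fw sshd[1203]: Failed password for invalid user admin from 192.0.2.10 port 51002 ssh2
Nov 13 10:00:07 fw php-fpm[4411]: /index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.7
Nov 13 10:00:09 fw php-fpm[4411]: /index.php: webConfigurator authentication error for user 'admin' from: 198.51.100.7
Nov 13 10:00:11 fw php-fpm[4411]: /index.php: webConfigurator authentication error for user 'root' from: 198.51.100.7
Nov 13 10:00:13 fw php-fpm[4411]: /index.php: Successful login for user 'admin' from: 203.0.113.5
Nov 13 10:00:15 fw sshd[1204]: Accepted publickey for admin from 203.0.113.5 port 51003 ssh2
"""

# Each pattern captures the source address of one kind of failed login.
SSH_FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ from (\S+) port \d+")
WEBGUI_FAILED = re.compile(
    r"webConfigurator authentication error for user '[^']*' from: (\S+)")

# The affected 24.03 build effectively had only the first set; the corrected
# build also carries the WebGUI pattern.
PATTERNS_BROKEN = [SSH_FAILED]
PATTERNS_FIXED = [SSH_FAILED, WEBGUI_FAILED]


def count_failures(log_text, patterns):
    """Return {source_ip: failed_attempts} over lines matching any pattern."""
    failures = Counter()
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                failures[m.group(1)] += 1
                break  # count each line once even if several patterns match
    return failures


def sources_to_block(log_text, patterns, threshold=3):
    """Sources at or above the threshold; sshguard would block these in pf."""
    counts = count_failures(log_text, patterns)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("affected build blocks:", sources_to_block(SAMPLE_LOG, PATTERNS_BROKEN))
    print("corrected build blocks:", sources_to_block(SAMPLE_LOG, PATTERNS_FIXED))
```

With the SSH-only pattern set the WebGUI source is never counted, so only 192.0.2.10 is blocked; with the WebGUI pattern present, 198.51.100.7 is blocked as well.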