=============================================================================
pfSense-SA-24_07.dhclient                                   Security Advisory
                                                                      pfSense

Topic:          Potential information disclosure due to misrouted DHCP server
                responses.

Category:       pfSense Base System
Module:         dhclient
Announced:      2024-11-13
Credits:        Vasileios Kaltsidis (BNET)
Affects:        pfSense Plus software versions <= 24.03
                pfSense CE software versions <= 2.7.2
Corrected:      2024-09-23 18:08:33 UTC (pfSense Plus master, 24.11)
                2024-09-23 18:08:33 UTC (pfSense CE master, 2.8.0)

0.   Revision History

v1.0  2024-11-13  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and provides
most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge. The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

pfSense Plus and pfSense CE software includes a DHCP client (dhclient) so that
interfaces can obtain an address dynamically from an upstream source, such as
an ISP.

A potential information disclosure vulnerability was identified in the DHCP
client due to the way DHCP acknowledgment (ACK) responses from the server are
handled by the operating system.

The DHCP discovery and address assignment process involves address and port
changes which make it necessary to use very lenient firewall rules to pass
DHCP traffic appropriately.

The dhclient software processes a DHCP ACK packet sent by a DHCP server, but
at the time that ACK packet arrives, the destination address is not yet
configured on an interface on the device. Since the destination address is not
on an interface, the operating system does not know the packet is local to the
device, so the operating system routes the packet according to the route
table. As the DHCP firewall rules must be very lenient for DHCP clients to
operate, these packets still match the outgoing DHCP rules and are passed by
the firewall.

On devices with a DHCP client configured on an interface that is not the
default gateway, this can result in a DHCP ACK packet from the DHCP server on
that non-default interface being routed out the interface containing the
default route. The ACK packet still has a source address of the DHCP server
and destination address of what should be the newly assigned client address.

This problem is present on pfSense Plus version 24.03, pfSense CE version
2.7.2, and earlier versions of both.

III. Impact

Since the DHCP ACK packet contains address information from a different
interface, but is sent out the interface with the default gateway, the gateway
on the default interface receives information about addresses on the other
interface. This discloses information that the default gateway should not
have.

IV.  Workaround

Do not use a DHCP client on any interface other than the default gateway
interface.

V.   Solution

The default internal DHCP firewall rules have been rewritten to prevent these
DHCP packets from being mishandled by dhclient and the operating system, but
these rules are internal and cannot be managed from the GUI manually.

Users can upgrade to pfSense Plus software version 24.11 or later, or pfSense
CE software versions after 2.7.2 when available. This upgrade may be performed
in the web interface or from the console.

See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 24.03 and pfSense CE version 2.7.2 may apply the
fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.

See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
-------------------------------------------------------------------------
plus/plus-master                 a039ec6ad853ef1673cc986127542a51d884f5a0
pfSense/master                   a039ec6ad853ef1673cc986127542a51d884f5a0
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
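
A way to check a capture taken on the default-route interface for the misrouted replies described in section II. This is an added example, not code from the advisory or from pfSense. It assumes the one-line text format printed by `tcpdump -e -n`; the function name, MAC addresses, IP addresses and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Assumed input: one-line records as printed by `tcpdump -e -n`.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype IPv4 \(0x0800\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"BOOTP/DHCP, (?P<op>Request|Reply)",
    re.IGNORECASE,
)

def find_forwarded_dhcp_replies(lines, own_mac, local_addrs):
    """Return (timestamp, server_ip, client_ip) for DHCP server replies that
    the firewall itself sent out of the capture interface without being the
    DHCP server: Ethernet source is the firewall's MAC (egress), UDP ports
    are 67 -> 68, and the IP source is not one of the firewall's addresses.
    Without -v tcpdump does not print the DHCP message type, so any server
    reply (OFFER, ACK, NAK) matching these conditions is reported."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["op"].lower() != "reply":
            continue
        if m["smac"].lower() != own_mac.lower():
            continue  # ingress frame, e.g. the upstream DHCP server's answer
        if (m["sport"], m["dport"]) != ("67", "68"):
            continue
        if ipaddress.ip_address(m["src"]) in local:
            continue  # reply generated by a DHCP service on the firewall
        hits.append((m["ts"], m["src"], m["dst"]))
    return hits

# Constructed sample: capture on the default-route interface of a firewall
# whose address there is 198.51.100.10 and whose MAC is 02:00:00:aa:00:01.
OWN_MAC = "02:00:00:aa:00:01"
LOCAL_ADDRS = ["198.51.100.10"]
SAMPLE = [
    "12:00:01.000000 02:00:00:aa:00:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 198.51.100.10.68 > 198.51.100.1.67: BOOTP/DHCP, Request from 02:00:00:aa:00:01, length 300",
    "12:00:02.000000 02:00:00:bb:00:01 > 02:00:00:aa:00:01, ethertype IPv4 (0x0800), length 342: 198.51.100.1.67 > 198.51.100.10.68: BOOTP/DHCP, Reply, length 300",
    "12:00:03.000000 02:00:00:aa:00:01 > 02:00:00:bb:00:01, ethertype IPv4 (0x0800), length 342: 10.0.5.1.67 > 10.0.5.23.68: BOOTP/DHCP, Reply, length 300",
]

if __name__ == "__main__":
    for ts, server, client in find_forwarded_dhcp_replies(SAMPLE, OWN_MAC, LOCAL_ADDRS):
        print(f"{ts} forwarded DHCP reply {server} -> {client}")
```

On the constructed sample only the third record is reported: it leaves with the firewall's own MAC while carrying the DHCP server and client addresses of the other interface.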