-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
=============================================================================
pfSense-SA-25_01.webgui Security Advisory
pfSense
Topic: Multiple problems in Dashboard widget key handling
Category: pfSense Base System
Module: webgui
Announced: 2025-05-16
Credits: Github user NavyTitanium
CVE ID: CVE-2024-54779
Affects: pfSense Plus software versions < 25.03
pfSense CE software versions < 2.8.0
Corrected: 2024-12-03 14:39:04 UTC (pfSense Plus master, 25.03)
2024-12-03 14:39:04 UTC (pfSense CE master, 2.8.0)
0. Revision History
v1.0 2025-05-16 Initial SA draft
I. Background
pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes third-
party free software packages for additional functionality, and provides most of
the functionality of common commercial firewalls.
pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.
The majority of users of pfSense software have never installed or used a stock
FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there
is no need for any UNIX knowledge. The command line is never used, and there
is no need to ever manually edit any rule sets. Instead, pfSense software
includes a web interface for the configuration of all included components.
Users familiar with commercial firewalls will quickly understand the web
interface, while those unfamiliar with commercial-grade firewalls may encounter
a short learning curve.
II. Problem Description
Multiple problems can stem from a lack of validation on Dashboard widget keys.
Many dashboard widgets allow multiple instances and use a "widgetkey" parameter
to distinguish between these instances. The widget keys should be in the form of
"<widget internal name>-<instance id>". However, the dashboard did not validate
this format when accepting input from clients.
This problem is present on pfSense Plus version 24.11, pfSense CE version 2.7.2,
and earlier versions of both.
III. Impact
Malicious clients could populate the "widgetkey" parameter with bad data, which
could result in a corrupted configuration and it could potentially be a
Cross-Site Scripting (XSS) vector.
If a client submits a "widgetkey" value containing XML, it could result in the
configuration becoming unreadable, which breaks access to the GUI and can also
prevent the system from booting.
Due to the lack of encoding on some values assumed to be safe in the
configuration, a corrupted configuration could also lead to certain widgets
being susceptible to XSS. There is still a small potential that arbitrary
JavaScript could be executed in the user's browser. The user's session cookie or
other information from the session may be compromised.
IV. Workaround
To help mitigate the problem on older releases, use one or more of the
following:
* Limit access to the affected pages to trusted administrators only.
* Do not grant users write access to the configuration unnecessarily.
* Do not log into the firewall with the same browser used for non-
administrative web browsing.
V. Solution
Users can upgrade to pfSense Plus software version 25.03 or later, or pfSense CE
software versions after 2.8.0 when available. This upgrade may be performed in
the web interface or from the console.
See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html
Users on pfSense Plus version 24.11 and pfSense CE version 2.7.2 may apply the
fix from the recommended patches list in the System Patches package.
Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.
See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
VI. Correction details
The following list contains the correction revision commit ID for each affected
item.
Branch/path Revision
- - -------------------------------------------------------------------------
plus/plus-master 04b74da157709a89b7b032a91d72f7697d17f7fc
6b42147b1c52b559e833e0edcbfbdffbb410b809
ff50e62fb744c3e02b1c51b15140d686754e9602
pfSense/master 04b74da157709a89b7b032a91d72f7697d17f7fc
6b42147b1c52b559e833e0edcbfbdffbb410b809
ff50e62fb744c3e02b1c51b15140d686754e9602
- - -------------------------------------------------------------------------
VII. References
<URL:https://redmine.pfsense.org/issues/15844>
<URL:https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html>
<URL:https://docs.netgate.com/pfsense/en/latest/development/system-patches.html>
The latest revision of this advisory is available at
<URL:https://docs.netgate.com/downloads/pfSense-SA-25_01.webgui.asc>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmgnYykACgkQE7mH/ZIU
+NoS3Q//ZyjH0Asw0gxRKfLzhtLj3Uns9Mj+9tKwog5GMNgSh5SrSGo6GWePoxzH
boLIVJh79Gjp9gxH/NZqSP74HIzIpQggre2kw65L/yy/WB66qzy4jByCj2KzztEZ
CE4A7QNTIIBO26YPZWLKR9/cPDzDdYikzwZhNkNwUiu5tW+KdF9dSG+bVTmey8bm
TK5adH+l66NEbQUdgUXgxp6Br+pxQ5aUlmhGdGm/vacuE/qKiT3ZcFeDw1MDJwfp
iSNuW5UEjZY7UZhZyn2a80c+JmA09ZRl/q8iP7+dxVu8mYoguSE6kSu/1Qq2uYFT
0ldibQUEeyqnZtqC+My6xq07y3BHbmkOhwDmvrSFMYANoPpiijoRvEtAVM4cGlO7
heh/bFDXP3PSk4PbUFgGHwDd+RAXrWeeePI4XA4mAaw+dGB6gCetn04lOIQXAOlc
Nx89WrhC7oV5hyFIYCmy32QBSmN26yOAcTBMTgCWoDe+4mjcTWEx5eK7x6yKDFuL
9qgC6KZWeojQrvmbhdfLEiqEyQrE2N4oOPYeaPsHU2u4V5UkVel5W7qvpMJ7cra9
wuED+5hH4u70WS3H6RK7MKQJ8XQRiJSGPBSgM3OG8AfXzq8pEXBVIuTShlGvqL+l
LaGh778BWALcj9zgm27/LcZy5TWKNjoRZgqfLcODuNxz6trkYe0=
=crsG
-----END PGP SIGNATURE-----