-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-25_01.webgui Security Advisory pfSense Topic: Multiple problems in Dashboard widget key handling Category: pfSense Base System Module: webgui Announced: 2025-05-16 Credits: Github user NavyTitanium CVE ID: CVE-2024-54779 Affects: pfSense Plus software versions < 25.07 pfSense CE software versions < 2.8.0 Corrected: 2024-12-03 14:39:04 UTC (pfSense Plus master, 25.07) 2024-12-03 14:39:04 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.1 2025-07-02 Updated pfSense Plus software version numbers v1.0 2025-05-16 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description Multiple problems can stem from a lack of validation on Dashboard widget keys. Many dashboard widgets allow multiple instances and use a "widgetkey" parameter to distinguish between these instances. The widget keys should be in the form of "-". However, the dashboard did not validate this format when accepting input from clients. This problem is present on pfSense Plus version 24.11, pfSense CE version 2.7.2, and earlier versions of both. III. Impact Malicious clients could populate the "widgetkey" parameter with bad data, which could result in a corrupted configuration and it could potentially be a Cross-Site Scripting (XSS) vector. If a client submits a "widgetkey" value containing XML, it could result in the configuration becoming unreadable, which breaks access to the GUI and can also prevent the system from booting. Due to the lack of encoding on some values assumed to be safe in the configuration, a corrupted configuration could also lead to certain widgets being susceptible to XSS. There is still a small potential that arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not grant users write access to the configuration unnecessarily. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 25.07 or later, or pfSense CE software versions after 2.8.0 when available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 24.11 and pfSense CE version 2.7.2 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master 04b74da157709a89b7b032a91d72f7697d17f7fc 6b42147b1c52b559e833e0edcbfbdffbb410b809 ff50e62fb744c3e02b1c51b15140d686754e9602 pfSense/master 04b74da157709a89b7b032a91d72f7697d17f7fc 6b42147b1c52b559e833e0edcbfbdffbb410b809 ff50e62fb744c3e02b1c51b15140d686754e9602 - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmhleAAACgkQE7mH/ZIU +NoZgxAAr5X9VOzf36Oq3QLr3Fc8RoccIxDfkP9ToaobmfjShp9kIJ3r2Hdkwacx YQ1AwVhbvH5P5ED4+nRBC86yomFdZikM9jINSVCB0sQqd3lIwsZHct8mqk3XqJqY F3VfRw6SS9djSIFWUpEYkHGTpjhkpLJXpdVuIfINmRmqsHwwL0nU78y70Xi2Um7n y6nLjfKkHUGorSqOfKrdRpwYKI+Rn9vsKxHDFnCD9R1oOg4XOXmUv2QrWwAzM9Bx i/Fi++avQL45cKy5WTClJpAAsqxVVZxVuk/ijgZUWgKL3KzMQHlDgqGYNkW/oI0M 5uYQAbZ3GcyQ7EnJVHd/dFEjZYl6rM/+Zi72Mda/uWv9CiDq93daq//OxaMAf8XG dBQDU46tINWk1OWu1GD5C4wmuloyN1/+MNXKdJLFuWWrirIZn9oOYGC9/h6zrdfU Ciee77CUFDbSuKjxNMuHb6/p5KzMAnc5KpJm/Mg6CUHZs/Z+cwzxNYs5R8b9kZjH BenDdQuccoUmKUErDXZcrOisJ8EAMKGV0aJrJ56JJ14tO8F5XZPZu+iVL+KtHU1M 19qiKePRcezAPz+vprCUXPTkU/46bLvCeQqvPAm1OwJ0H3A3msqCesCm1nTISGrH XlUyz6aFl4Uruv2Uh+lcdatgwA96al+pGZXYVGCuygjLvaVEIwA= =NDXx -----END PGP SIGNATURE-----