=============================================================================
pfSense-SA-25_02.webgui                                     Security Advisory
                                                                      pfSense

Topic:          OpenVPN Management Interface Command Injection from
                OpenVPN Status and Dashboard Widget

Category:       pfSense Base System
Module:         webgui
Announced:      2025-05-16
Credits:        GitHub user NavyTitanium
CVE ID:         CVE-2024-54780
Affects:        pfSense Plus software versions < 25.07
                pfSense CE software versions < 2.8.0
Corrected:      2024-12-02 18:18:35 UTC (pfSense Plus master, 25.07)
                2024-12-02 18:18:35 UTC (pfSense CE master, 2.8.0)

0.   Revision History

v1.1  2025-07-02  Updated pfSense Plus software version numbers
v1.0  2025-05-16  Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and provides
most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

A potential authenticated OpenVPN management interface command injection was
identified in the OpenVPN status page and the OpenVPN Dashboard widget.
When users perform operations via the OpenVPN status page
(/status_openvpn.php) or the Dashboard widget
(/widgets/widgets/openvpn.widget.php), those pages send user input from the
"remipp" variable to the OpenVPN management socket without validation.

This problem is present on pfSense Plus version 24.11, pfSense CE version
2.7.2, and earlier versions of both.

III. Impact

A malicious client with sufficient privileges to access these pages can
manipulate the content of the "remipp" variable to send additional arbitrary
OpenVPN management commands through the management socket.

This is restricted to OpenVPN management interface commands only. It is not
possible to execute shell commands or arbitrary PHP code using this method.

Output from the OpenVPN management commands is not returned to the user, but
the commands can perform actions such as changing the log verbosity or
causing the daemon to exit, resulting in a denial of service.

Changes made using these commands do not persist across restarts of the
OpenVPN daemons.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Limit access to the affected pages to trusted administrators only.
* Use other VPN types (e.g. IPsec, WireGuard)

V.   Solution

Users can upgrade to pfSense Plus software version 24.11 or later, or pfSense
CE software versions after 2.7.2 when available. This upgrade may be
performed in the web interface or from the console.

See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 24.03 and pfSense CE version 2.7.2 may apply
the fix from the recommended patches list in the System Patches package.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes to
the affected files if the patches do not apply directly.

See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
plus/plus-master                 92a55a0ad8976975b320bdff11f0512f59d3a2ab
pfSense/master                   92a55a0ad8976975b320bdff11f0512f59d3a2ab
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
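
An added example, not pfSense code and not the committed fix: one way to
validate the "remipp" value described in section II before anything is
written to the management socket, in PHP because the affected pages are PHP.
The function names, the accepted "ip:port" and "[ipv6]:port" formats, and the
mapping to the management interface's "kill IP:port" command are assumptions;
the sample request values are constructed.

```php
<?php
// Added example; not pfSense code. All function names are hypothetical.

// Return a canonical endpoint string, or null unless $remipp is exactly one
// IPv4 "a.b.c.d:port" or bracketed IPv6 "[addr]:port" (assumed formats).
function validate_remipp($remipp): ?string
{
    if (!is_string($remipp) || strlen($remipp) > 64) {
        return null;
    }
    // \A...\z anchors the entire value. Unlike "$", \z does not accept a
    // trailing newline, and the character classes exclude CR, LF and spaces,
    // so the value cannot end the current protocol line and begin another.
    $re = '/\A(?:\[([0-9A-Fa-f:.]+)\]|([0-9.]+)):([0-9]{1,5})\z/';
    if (preg_match($re, $remipp, $m) !== 1) {
        return null;
    }
    $is_v6 = ($m[1] !== '');
    $ip = $is_v6 ? $m[1] : $m[2];
    $flag = $is_v6 ? FILTER_FLAG_IPV6 : FILTER_FLAG_IPV4;
    $port = (int) $m[3];
    if (filter_var($ip, FILTER_VALIDATE_IP, $flag) === false
        || $port < 1 || $port > 65535) {
        return null;
    }
    return ($is_v6 ? "[{$ip}]" : $ip) . ":{$port}";
}

// Build the single management-interface line, or null to refuse the request.
// Assumes the page action maps to OpenVPN's "kill IP:port" command.
function build_kill_command($remipp): ?string
{
    $endpoint = validate_remipp($remipp);
    return $endpoint === null ? null : "kill {$endpoint}\n";
}

// Constructed request values: two well-formed, four that must be refused.
$samples = [
    "198.51.100.7:1194",
    "[2001:db8::10]:51820",
    "198.51.100.7:1194\n",
    "198.51.100.7:1194\nSECOND-COMMAND",
    "198.51.100.7:70000",
    ["198.51.100.7:1194"],
];
foreach ($samples as $value) {
    $cmd = build_kill_command($value);
    echo json_encode($value), ' => ', $cmd === null ? 'rejected' : 'accepted', "\n";
}
```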