=============================================================================
pfSense-SA-25_09.sshguard                                  Security Advisory
                                                                     pfSense

Topic:          Anti-brute force protection bypass and potential denial of
                service

Category:       pfSense Base System
Modules:        sshguard webgui
Announced:      2025-12-11
Credits:        Meghnine Islem at Cybears (Log manipulation issue)
                Internal (Bypass, DoS)
Affects:        pfSense Plus software versions < 25.11
                pfSense CE software versions <= 2.8.1
Corrected:      2025-11-10 20:22:38 UTC (pfSense Plus Ports plus-devel, 26.03)
                2025-11-10 20:22:38 UTC (pfSense Plus Ports plus-RELENG_25_11, 25.11)
                2025-11-10 20:22:38 UTC (pfSense CE Ports devel, 2.9.0)
                2025-11-11 17:04:07 UTC (pfSense Plus master, 26.03)
                2025-11-11 17:41:44 UTC (pfSense Plus plus-RELENG_25_11, 25.11)
                2025-11-11 17:04:07 UTC (pfSense CE master, 2.9.0)

0.   Revision History

v1.0  2025-12-11 Initial SA draft

I.   Background

pfSense® software is a free network firewall distribution based on the
FreeBSD operating system. The pfSense software distribution includes
third-party free software packages for additional functionality, and
provides most of the functionality of common commercial firewalls.

pfSense® Plus is the productized version of pfSense software from Netgate®,
previously referred to as pfSense Factory Edition (FE). It is available to
Netgate appliance and CSP customers.

The majority of users of pfSense software have never installed or used a
stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions,
there is no need for any UNIX knowledge. The command line is never used, and
there is no need to ever manually edit any rule sets. Instead, pfSense
software includes a web interface for the configuration of all included
components. Users familiar with commercial firewalls will quickly understand
the web interface, while those unfamiliar with commercial-grade firewalls may
encounter a short learning curve.

II.  Problem Description

The sshguard daemon monitors log files for failed authentication attempts
and blocks sources of repeated failures in the firewall. The log parsing
string in sshguard that matches failed WebGUI login attempts relies on a
WORD pattern, which is:

    [a-zA-Z0-9][-_a-zA-Z0-9]+

This pattern does not match some valid username characters, including '.'.

Additionally, when the GUI logs an authentication error it prints the
username in the log message exactly as sent by the client, including control
characters such as carriage return and line feed (newline).

III. Impact

Login protection managed by sshguard, such as blocking brute force attempts,
cannot detect failed WebGUI login attempts for usernames which include
characters not matched by the WORD pattern in sshguard. As a consequence, an
attacker can repeatedly fail authentication for such usernames without being
blocked by sshguard. This also applies when such a username is valid but not
matched by the WORD pattern, such as user.name: an attacker can repeatedly
attempt authentication against it without being blocked.

Additionally, if an attacker attempts to log in with a username containing
a newline, for example, the GUI includes the newline in the login failure
message. When that happens, the full log message is split across multiple
lines, which appear to be separate log messages to a person reading the
logs. There is no danger to the authentication process from this
vulnerability, as the affected usernames are not valid. However, due to this
behavior, the attacker can influence the content of the logs in ways that
make the messages confusing or appear to show events that did not occur. For
example, using a specially crafted username the attacker could trick
sshguard into believing an attack is coming from an arbitrary IP address,
which sshguard would then temporarily block, leading to a potential denial
of service between the firewall and that IP address.

These issues only affect WebGUI login methods. SSH logins are unaffected.

IV.  Workaround

To help mitigate the problem on older releases, use one or more of the
following:

* Do not expose the WebGUI service to untrusted networks.

V.   Solution

Users can upgrade to pfSense Plus software version 25.11 or later, or
pfSense CE software versions after 2.8.1 when available. This upgrade may be
performed in the web interface or from the console. See
https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html

Users on pfSense Plus version 25.07.1 and pfSense CE version 2.8.1 may apply
a workaround from the recommended patches list in the System Patches
package. Fully addressing the sshguard pattern matching issue requires a new
build of sshguard, but the workaround patch changes the log messages such
that older builds of sshguard can match and block as needed.

Users may also manually apply the relevant revisions below using the System
Patches package on earlier versions, or by manually making similar changes
to the affected files if the patches do not apply directly. See
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html

VI.  Correction details

The following list contains the correction revision commit ID for each
affected item.

Branch/path                                                      Revision
---------------------------------------------------------------------------
plus-ports/plus-devel                 fd34c8bf45d67492e58be693826de28d352f1319
plus-ports/plus-RELENG_25_11          638e2d10339aa7a338ad1f3dbfad1eaaddecaab3
FreeBSD-ports/devel                   fd34c8bf45d67492e58be693826de28d352f1319
plus/plus-master                      03dc855a9e48a8c808880e2db893e30737003e1a
plus/plus-RELENG_25_11                9ea5d9a378940dbfc684da6369444717f59e39ae
pfSense/master                        03dc855a9e48a8c808880e2db893e30737003e1a
---------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
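As an added illustration (not code from pfSense or the sshguard project) of the two behaviours described in sections II and V: which usernames fall outside sshguard's WORD pattern, and how escaping control characters before logging keeps a client-supplied username on a single log line, which is the kind of log-message change that lets an unmodified sshguard match the entry. The failure-message format, the sample usernames and the IP address are constructed assumptions; the advisory does not quote the real message text.

```python
import re

# The WORD pattern quoted in the advisory; fullmatch() below requires the
# entire username to consist of matchable characters.
WORD_RE = re.compile(r"[a-zA-Z0-9][-_a-zA-Z0-9]+")

# Constructed stand-in for the WebGUI failure message (assumption: the
# exact text pfSense writes is not quoted in the advisory).
FAIL_FMT = "webConfigurator authentication error for user '{user}' from: {ip}"


def sshguard_matches_user(username):
    """True if the whole username fits sshguard's WORD pattern.

    Note the trailing '+': a one-character username does not match either.
    """
    return WORD_RE.fullmatch(username) is not None


def users_outside_pattern(usernames):
    """Audit helper: local accounts whose failed logins sshguard could not see."""
    return [u for u in usernames if not sshguard_matches_user(u)]


def sanitize_for_log(username):
    """Escape ASCII control characters (CR and LF included) as \\xNN so a
    client-supplied username can never span more than one log line."""
    return "".join(
        "\\x%02x" % ord(ch) if ord(ch) < 0x20 or ord(ch) == 0x7F else ch
        for ch in username
    )


def failure_message(username, ip, sanitize):
    """Render the failure message as the (assumed) GUI format would log it."""
    user = sanitize_for_log(username) if sanitize else username
    return FAIL_FMT.format(user=user, ip=ip)


def log_line_count(username, ip, sanitize):
    """How many log lines a single failed login occupies once written out."""
    return len(failure_message(username, ip, sanitize).splitlines())


if __name__ == "__main__":
    # Constructed sample values; 203.0.113.0/24 is documentation address space.
    print(users_outside_pattern(["admin", "user.name", "x", "ops-team"]))
    print(log_line_count("user\r\nname", "203.0.113.5", sanitize=False))
    print(log_line_count("user\r\nname", "203.0.113.5", sanitize=True))
```

Running users_outside_pattern() over the firewall's local user list is a quick way to find accounts that an unpatched sshguard leaves unprotected.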