Headline
CVE-2022-26019
Improper access control vulnerability in pfSense CE and pfSense Plus (pfSense CE software versions prior to 2.6.0 and pfSense Plus software versions prior to 22.01) allows a remote attacker with the privilege to change NTP GPS settings to rewrite existing files on the file system, which may result in arbitrary command execution.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-22_01.webgui Security Advisory pfSense Topic: File overwrite vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2022-01-12 Credits: Yutaka WATANABE of Ierae Security, Inc. via JPCERT/CC CVE ID: CVE-2022-26019 Affects: pfSense CE software versions < 2.6.0 pfSense Plus software versions < 22.01 Corrected: 2021-08-06 15:40:00 UTC (pfSense CE 2.6.0) 2021-08-06 15:40:30 UTC (pfSense Plus 22.01) 0. Revision History v1.1 2022-03-08 Removed JVN ID, added CVE ID, added missing commit hash, updated solution information. v1.0 2022-01-12 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description An arbitrary file overwrite vulnerability was found in services_ntpd_gps.php, a component of the pfSense CE and pfSense Plus software WebGUI, on pfSense CE version 2.5.2, pfSense Plus version 21.05.2, and earlier versions of both. The gpsport parameter was not validated properly when set in services_ntpd_gps.php or during NTP setup in services.inc. A relative path in the parameter could have been leveraged to overwrite an existing file on the firewall with the contents of the gpsinitcmd configuration parameter. To exploit this, all of the following must be true: * The attacker must have authenticated access to the GUI * The attacker must have sufficient privileges to access services_ntpd_gps.php * The attacker must have sufficient privileges to alter the firewall configuration * “Check baud rate before sending init commands” on services_ntpd_gps.php must be unchecked III. Impact An attacker meeting all of the necessary conditions to exploit the vulnerability could overwrite an existing file on the firewall with arbitrary contents. This method could be used for code execution, privilege escalation, information disclosure, denial of service, or other negative outcomes. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. V. Solution Users can upgrade to pfSense CE software version 2.6.0 or later when available, or pfSense Plus software version 22.01 or later. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 21.05.2 or pfSense pfSense CE version 2.5.2 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on pfSense pfSense Plus version 21.05.2 or pfSense CE version 2.5.2 and possibly on earlier versions. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ pfSense/master bf21f67bbe2d1694ad1ad72728623dded9ace426 0d3747aaa90dc3ad7729b68be8c9727d44b743c7 fbf4a07f41f93745850adf5a3b1ea345628693ab plus/plus-master bf21f67bbe2d1694ad1ad72728623dded9ace426 0d3747aaa90dc3ad7729b68be8c9727d44b743c7 fbf4a07f41f93745850adf5a3b1ea345628693ab ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmInWRYACgkQE7mH/ZIU +NrLZhAAibWli7PiTgy23f/ylrye5BDXtvqrNVbwMzChGm432r3k1XyYC0qtFujV HD4dIHDhi0GO8dyZO0caMKpfkOs1q8ntfn12eJn7cUzusgoPNqwP8gfm/jNZEZ1A nnYgVGGp1kfIv/YytHFlRhfQ93odAZ663R5kWWZ9ZzvHBvA4nOS+CApphGRmoQ5K ItjbnfslBrrUpcUPgHQd6rBRiix8OGx5fNbrCv9G0+Vai0Jmw7mtuwan9UZyIwuJ S3cyaz9jsuKiUcnK9oVfyuaWxSbN41fs3GkHdO+GMZk/sUPdLlIdVJmMwvRBhUbe Sr//xUN1eMH8JUzScXttQZk2JScr+dgX1L2bJz2cCIo5ZLzJ4t8MqOhiXoJKxqqW VySmej4a2tQGK3ZZSD+9aFhiJlYr9vSjWlAbAYkkPfoI+83qr/E3z+TPBc4JcPNx wrzAMVdECAt1r3HNNNXwhdYZ+rHyr+SQ/jWeL8i6wRRvltOf/BygDzbTb/mqyR1B Kl4ybMSgUayb0Tb8t7f6QWjqBKHcK8Ummini83Yv2/uEPzH2dtLwla+PZYIVoaqc 6hWHWGv8kDGEIQ64wU0FhArRIPEPMtDZd6coyaKEIVr7rSjbZ7hnkd5JR0PK0n6i 4X6M21wIEkv9jr8Ds5n97cWxXBVrVHIQwCfh8z/ESGg503MSHv0= =WKlk -----END PGP SIGNATURE-----