CVE-2023-42326

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23_10.webgui Security Advisory pfSense Topic: Authenticated Command Execution in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42326 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 19:31:30 UTC (pfSense Plus master, 23.09) 2023-07-05 19:31:30 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential authenticated arbitrary command execution vulnerability was found in interfaces_gif_edit.php and interfaces_gre_edit.php, components of the pfSense Plus and pfSense CE software GUI. When creating or editing a GIF interface on interfaces_gif_edit.php or a GRE interface on interfaces_gre_edit.php, the submitted POST “gifif” or “greif” value is not validated. Subsequently, the value is passed to another function where the submitted value is used in shell commands. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for “gifif” or “greif” in POST operations. The user must be logged in and have sufficient privileges to access either interfaces_gif_edit.php or interfaces_gre_edit.php. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master d69d6c8424ab4299234fb5ec6964682e2e6cbcdd pfSense/master d69d6c8424ab4299234fb5ec6964682e2e6cbcdd - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wRgACgkQE7mH/ZIU +NpQWQ/+N55UGKjB+ZFEtXRV/d9Pl66TII2D28U8+v4iGNlcmo6jTC2mofYaQ77C dybvlyXM86lH1dDnzzv6uuEIjtSWyN0aM37ndfGDR7CxB5sgUXLkl+jeIdqZXqA2 IJgAdw59GCkeGttw9bCoIs7ZADlpx5/n37LMztxMHfgmw4KknEiBy1PF1YDIh4iD mwhqQLqDlhzcWOcqEAtECgpSoaIYd5Yd3/pNPtIsYhDg4QxSOCT6KGQuU/msTVru OmUE+qbjaFKu7oUKNdYtdpC4jgZ44SJLLNikLLyoxpcb/IqBOjqIDCXfq1Du8gJG 5QROPevZOfXbgFSKHF3zJlqcCFAVt4iAuazXFWjyHksU9jjMfxYvRvRxqqAJCXsF W3z3ib+sSjlooNSN/KOdQNQvmBlN1epWfhHWgNnoQQBS5S75nyomgbu/7Gbo+GWY y66zYDS1LtBKC+OjnypiUaI46IhqV3474dhPn13E5GqoeQxaT+YI5Zan8EZEVqkT 3TDTdjMfha9zXv/pEEHaoE9vZ+GDwtsNFxQN0CPTdAsyLpkpiKfjfBz1Vxo8UJyr t+iRNSg8VIe8n0jkd8ekb8GVbgY4WVeyVyz+qlGKPKmXdlVTt17vsMJu9jB/gmeU tl4ZZCrR5UVujekUqg0x1//UcdjTUkF7RMDU92k0whQftWOmaCA= =5TPU -----END PGP SIGNATURE-----