=========================================================================
Arcus Security Advisory
=========================================================================

Product:   pfSense [1]
Vendor:    -
CVE ID:    CVE-2014-6305
Subject:   Multiple OS Command Injection Vulnerabilities [2]
Risk:      High
Author:    Stefan Horlacher, Arcus Security GmbH
Date:      2014-09-12

=========================================================================

Description:
-------------
pfSense is a free firewall distribution based on FreeBSD and additional
third-party software. The pfSense WebGUI prior to version 2.1.5 contains
two OS command injection vulnerabilities. The vulnerable pages are:

- diag_testport.php
- services_dnsmasq.php

A restricted user with access to the above pages may abuse these
vulnerabilities to run arbitrary OS commands on the pfSense installation.
This may be leveraged to increase the user's privileges, access arbitrary
files and make further alterations. Confidentiality, integrity and
availability of the pfSense installation, its stored data and data
traversing the device are therefore not guaranteed.

Vulnerable:
-----------
pfSense <= 2.1.4

Workaround / Fix:
-----------------
Upgrade to version 2.1.5 or later

Timeline:
---------
2014-08-02: Vendor notification
2014-08-06: Issues fixed (Source Code: master, RELENG_2_1)
2014-08-08: Confirmed issues
2014-08-29: Version 2.1.5 (Binary) released
2014-09-09: CVE-ID requested
2014-09-12: Arcus Security GmbH Advisory released

Resources:
----------
pfSense Security Advisory:
https://pfsense.org/security/advisories/pfSense-SA-14_15.webgui.asc

pfSense 2.1.5 Release Notes:
https://doc.pfsense.org/index.php/2.1.5_New_Features_and_Changes

References:
-----------
[1] pfsense.org
[2] https://www.owasp.org/index.php/Command_Injection

=========================================================================
Arcus Security GmbH
Sihlquai 253
Postfach
8031 Zürich
Tel.: +41 (0)44 271 44 00
Mail: info at arcus-security dot ch
www.arcus-security.ch
=========================================================================