=========================================================================
Arcus Security Advisory
=========================================================================

Product:  pfSense [1]
Vendor:   -
CVE ID:   CVE-2014-6306
Subject:  Multiple Cross-Site Scripting (XSS) Vulnerabilities [2]
Risk:     High
Author:   Stefan Horlacher, Arcus Security GmbH
Date:     2014-09-12

=========================================================================

Description:
-------------
pfSense is a free firewall distribution based on FreeBSD and additional
third-party software.

The pfSense WebGUI prior to version 2.1.5 contains the following persistent
(stored) XSS vulnerabilities:

- firewall_aliases_edit.php
- firewall_virtual_ip_edit.php
- services_ntpd.php
- and others

A user with restricted privileges may store script code at the above
locations. Once another user visits such a page, the script code runs in
that user's browser in the context of the pfSense installation. This may be
abused to increase privileges on the system or to directly hijack the other
user's session.

A successful attack may have a negative impact on the confidentiality,
integrity and availability of the pfSense installation, its stored data and
data traversing the device.

Vulnerable:
-----------
pfSense <= 2.1.4

Workaround / Fix:
-----------------
Upgrade to version 2.1.5 or later.

Timeline:
---------
2014-08-02: Vendor notification
2014-08-06: Issues fixed (Source Code: master, RELENG_2_1)
2014-08-08: Confirmed issues
2014-08-29: Version 2.1.5 (Binary) released
2014-09-09: CVE-ID requested
2014-09-12: Arcus Security GmbH Advisory released

Resources:
----------
pfSense Security Advisory:
https://pfsense.org/security/advisories/pfSense-SA-14_16.webgui.asc

pfSense 2.1.5 Release Notes:
https://doc.pfsense.org/index.php/2.1.5_New_Features_and_Changes

References:
-----------
[1] pfsense.org
[2] https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)

=========================================================================
Arcus Security GmbH
Sihlquai 253
Postfach
8031 Zürich

Tel.:  +41 (0)44 271 44 00
Mail:  info at arcus-security dot ch
www.arcus-security.ch
=========================================================================