=========================================================================
Arcus Security Advisory
=========================================================================

Product:  pfSense [1]
Vendor:   -
CVE ID:   CVE-2014-6307
Subject:  Multiple Cross-Site Request Forgery (CSRF) Bypass Vulnerabilities [2]
Risk:     Medium
Author:   Stefan Horlacher, Arcus Security GmbH
Date:     2014-09-12

=========================================================================

Description:
-------------
pfSense is a free firewall distribution based on FreeBSD and additional
third-party software.

The pfSense WebGUI prior to version 2.1.5 contains two CSRF bypasses. The
following pages are vulnerable:

- diag_dns.php
- diag_confbak.php

In the case of the diag_dns issue, an attacker might be able to trigger
arbitrary DNS requests by crafting a malicious URL. As soon as a logged-in
user visits the prepared URL, the vulnerability is triggered. In addition,
the diag_dns functionality was vulnerable to an OS command injection
vulnerability [3] (CVE-2014-4688) [4] prior to version 2.1.4. It was
therefore possible to craft a URL that would have run arbitrary OS commands
once the logged-in user opened it in the same browser in which the valid
pfSense session was running.

The diag_confbak request is sent as an HTTP GET request, and therefore no
CSRF verification is performed on the server. The affected functionality
allows restoring or deleting old configurations. A user who follows an
attacker-supplied link may trigger this vulnerability.
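The flaw described above, modelled as an added example (not pfSense code): a dispatcher that verifies the CSRF token only on POST, so a state-changing action reached through a crafted GET link runs unchecked, beside a hardened dispatcher that refuses state changes on GET and requires a session-bound token. The `action` parameter, the action names and the `csrf_token` field are constructed for the example and are not pfSense's real parameter names.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a token bound to the logged-in WebGUI session.
SESSION_TOKEN = secrets.token_hex(16)

@dataclass
class Request:
    method: str
    path: str
    params: dict = field(default_factory=dict)  # query string or POST body

# Hypothetical state-changing actions on the two pages named in the advisory.
STATE_CHANGING = {
    "diag_confbak.php": {"restore", "delete"},
    "diag_dns.php": {"lookup"},
}

def token_valid(req):
    """Constant-time comparison of the submitted token with the session's token."""
    supplied = req.params.get("csrf_token", "")
    return hmac.compare_digest(supplied, SESSION_TOKEN)

def vulnerable_dispatch(req):
    """Mirrors the advisory: CSRF verification runs only for POST, so a
    state-changing action carried in a GET URL executes with no check at all."""
    if req.method == "POST" and not token_valid(req):
        return "csrf rejected"
    action = req.params.get("action")
    if action in STATE_CHANGING.get(req.path, ()):
        return f"executed {action}"
    return "rendered page"

def hardened_dispatch(req):
    """Fix: state-changing actions are honoured only on POST and only with a
    valid session-bound token; a link from a third-party site cannot carry it."""
    action = req.params.get("action")
    if action in STATE_CHANGING.get(req.path, ()):
        if req.method != "POST":
            return "refused: state change via GET"
        if not token_valid(req):
            return "csrf rejected"
        return f"executed {action}"
    return "rendered page"
```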
Vulnerable:
-----------
pfSense <= 2.1.4

Workaround / Fix:
-----------------
Upgrade to version 2.1.5 or later.

Timeline:
---------
2014-08-02: Vendor notification
2014-08-06: Issues fixed (Source Code: master, RELENG_2_1)
2014-08-08: Confirmed issues
2014-08-29: Version 2.1.5 (Binary) released
2014-09-09: CVE-ID requested
2014-09-12: Arcus Security GmbH Advisory released

Resources:
----------
pfSense Security Advisory:
https://pfsense.org/security/advisories/pfSense-SA-14_17.webgui.asc

pfSense 2.1.5 Release Notes:
https://doc.pfsense.org/index.php/2.1.5_New_Features_and_Changes

References:
-----------
[1] pfsense.org
[2] https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
[3] https://pfsense.org/security/advisories/pfSense-SA-14_10.webgui.asc
[4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4688

=========================================================================
Arcus Security GmbH
Sihlquai 253
Postfach
8031 Zürich

Tel.:  +41 (0)44 271 44 00
Mail:  info at arcus-security dot ch
www.arcus-security.ch
=========================================================================