OPNsense Forum

Administrative => Announcements => Topic started by: franco on April 16, 2016, 10:42:27 am

Title: April 2016 vulnerability reports
Post by: franco on April 16, 2016, 10:42:27 am
Dear users and followers,

This is to inform you of several pfSense-related security advisories that were made public yesterday and that also apply/applied to OPNsense. We did not receive any forward notice on these and have worked since yesterday to make sure these are/were handled appropriately. All but one had already been addressed in 2015, with the last one still being active in pfSense despite the communication. We'll fix the service vulnerability in time for 16.1.11. More info and a full timeline below.

Topic: Arbitrary Code Execution [1]
Category: pfSense Base System
Module: webgui
Public release date: 15th April 2016 [2]
Credits: Francesco Oddo - Security-Assessment.com

File status_rrd_graph_img.php removed in development branch in October 2015 [3]
Released with OPNsense 15.7.21 in December 2015 [4]

[1] https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc
[2] http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
[3] https://github.com/opnsense/core/commit/df81ae81830
[4] https://github.com/opnsense/changelog/blob/master/doc/15.7.21

Topic: Multiple XSS and CSRF Vulnerabilities in the pfSense WebGUI [5]
Category: pfSense Base System
Module: webgui
Public release date: 15th April 2016 [2]
Credits: Francesco Oddo - Security-Assessment.com

"descr" XSS vulnerability in file system_gateway_groups_edit.php fixed in development branch in November 2015 [6]
Released with OPNsense 15.7.21 in December 2015 [7]

File firewall_shaper_vinterface.php removed in development branch in April 2015 [8]
File firewall_shaper_layer7.php removed in development branch in April 2015 [9]
Released with OPNsense 15.1.10 in May 2015 [10]

[5] https://www.pfsense.org/security/advisories/pfSense-SA-16_02.webgui.asc
[6] https://github.com/opnsense/core/commit/7edf57ada3
[7] https://github.com/opnsense/changelog/blob/master/doc/15.7.21
[8] https://github.com/opnsense/core/commit/cd1c36f7af530b
[9] https://github.com/opnsense/core/commit/1ad20825d4a
[10] https://github.com/opnsense/changelog/blob/master/doc/15.1.10

# Exploit Title: pfSense Firewall <= 2.2.6 Cross-Site Request Forgery [11]
# Exploit Author: Aatif Shahdad
# Version: 2.2.6 and below.
# Contact: https://twitter.com/61617469665f736

Despite the message that 2.3 was supposed to have been fixed, the exploit is still active in this version! [12]

OPNsense as of 16.1.10 is still vulnerable. A final patch was presented on April 17, 2016. [13]
Released in OPNsense 16.1.11 on April 18, 2016. [14]

A workaround involves logging out of the GUI when not required or using a secondary non-default browser for the sole purpose of interfacing with the GUI.

[11] https://cxsecurity.com/issue/WLB-2016040106
[12] https://twitter.com/61617469665f736/status/721006823705329665
[13] https://github.com/opnsense/core/commit/255dcd2f4
[14] https://github.com/opnsense/changelog/blob/master/doc/16.1.11
Stay safe, stay ahead. :)

Your OPNsense team
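The CSRF workaround in the post above (log out when the GUI is not needed, or use a separate browser) works because a forged cross-site request only succeeds when the browser attaches the victim's session cookie. The server-side fix is to require a per-session token that the cross-site page cannot read. The following is an added illustration, not OPNsense or pfSense code, showing a synchronizer-token check in Python; the request dict, the `__csrf_token` field name and the in-memory session are constructed for the example.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session store (assumption for this example).
def new_session():
    """Create a session holding a fresh, unpredictable CSRF token."""
    return {"csrf_token": secrets.token_hex(32)}

def render_form(session):
    """The server embeds the session token in the form it serves to the user.
    A cross-site page cannot read this value, so it cannot forge a matching POST."""
    return {"__csrf_token": session["csrf_token"]}

def validate_csrf(session, form, origin_header, allowed_origins):
    """Return True only when the submitted token matches the session token and,
    if an Origin header is present, it names an allowed origin.
    The two checks are independent signals; both must pass."""
    token = form.get("__csrf_token", "")
    if not token or not hmac.compare_digest(token, session["csrf_token"]):
        return False  # missing or wrong token: reject (constant-time compare)
    if origin_header is not None and origin_header not in allowed_origins:
        return False  # browser says the POST came from a foreign origin
    return True

def handle_settings_post(session, request, allowed_origins=("https://firewall.example",)):
    """Constructed handler for a state-changing POST. Returns a status string
    so the outcome can be inspected without any HTTP framework."""
    if not validate_csrf(session, request["form"], request.get("origin"), allowed_origins):
        return "rejected: csrf check failed"
    # Only now is the state change applied.
    session["setting"] = request["form"].get("setting")
    return "applied"

if __name__ == "__main__":
    s = new_session()
    # Legitimate submission: the browser posts back the form the server rendered.
    legit = {"form": {**render_form(s), "setting": "on"},
             "origin": "https://firewall.example"}
    # Forged submission from another site: cookie is attached, but the token is unknown.
    forged = {"form": {"setting": "off"}, "origin": "https://attacker.invalid"}
    print(handle_settings_post(s, legit))   # applied
    print(handle_settings_post(s, forged))  # rejected: csrf check failed
```

The Origin check alone is not sufficient (older clients may omit the header, which is why the code treats a missing header as neutral rather than as a pass), and the token alone already defeats the forged POST; keeping both gives defense in depth.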