On Tue, Jan 28, 2014 at 6:25 AM, Giles Coochey <gi...@coochey.net> wrote:
>
> http://seclists.org/fulldisclosure/2014/Jan/187
>
> I'm not connected with the author, or share any opinions.
>
> I simply monitor the Full Disclosure list, as well as pfsense and thought it
> appropriate to make the pfsense list aware.
>

Thanks for posting. Sure would have been nice if they'd contacted secur...@pfsense.org in advance. One of us will get that fixed at some point in the next day.

There may not be a single install on the planet affected by the combination of things where that's applicable. The issue is in the Snort package. For you to do anything with such privilege escalation vulnerabilities, you must have a valid login to administer the firewall and be logged in. In most cases, users with admin access to the firewall are in the admins group, where they can do anything by design. Nothing to escalate to from there. This also only applies if you have the Snort package installed.

So the people who could be impacted are those who:
1) have people with firewall admin user accounts with limited privileges
2) have the Snort package installed
3) have admin users with limited privileges that are granted rights to Snort

If all of the 3 above apply, then admin users with limited rights who have access to Snort can bypass all restrictions on their account by exploiting that RCE or LFI. If less than 3 of the above list apply, then this has no relevance to you.

> I imagine a lot of what is disclosed in the post represents problems with
> third party packages, and would mostly be mitigated by not allowing the web
> interface to be accessible from non-trusted networks / IPs.
>

That's definitely a best practice with anything used solely for management purposes, don't leave it open to the entire Internet. But that's not relevant here (nor to IIRC any of the vulnerabilities that have ever existed in our web interface). Historically, we've done as well or better than any commercial product with a web management interface, but there are always risks, and that's the #1 defense.

The vulnerabilities we've had in our web interface have been XSS, CSRF, and privilege escalation. It doesn't matter whether your web interface is open to the Internet or not for those classes of issues.
But it's always possible some serious security issue could be found in lighttpd (the web server), PHP itself, or our code, that would allow an unauthenticated user to compromise a system if it's open to the Internet. So don't do that.
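
An added example, not part of the original message and not pfSense's own code: a sketch that checks a configuration export against the three conditions listed in the reply above. The element layout (`system/user`, `system/group`, `installedpackages/package`), the `page-all` privilege id and the `snort` substring in Snort page privilege ids are assumptions about the config format, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

FULL_ADMIN = "page-all"   # assumed id of the unrestricted privilege (admins group)
SNORT_MARK = "snort"      # assumed package name and substring of its privilege ids

# Constructed sample, not a real configuration.
SAMPLE = """<pfsense>
  <system>
    <group><name>admins</name><member>0</member><priv>page-all</priv></group>
    <group><name>ids-ops</name><member>2000</member><priv>page-services-snort</priv></group>
    <user><name>admin</name><uid>0</uid></user>
    <user><name>alice</name><uid>2000</uid><priv>page-status-dashboard</priv></user>
    <user><name>bob</name><uid>2001</uid><priv>page-status-dashboard</priv></user>
  </system>
  <installedpackages><package><name>snort</name></package></installedpackages>
</pfsense>"""


def effective_privs(root):
    """Map user name -> privileges held directly or inherited from groups."""
    privs, by_uid = {}, {}
    for user in root.findall("./system/user"):
        name = user.findtext("name", "")
        privs[name] = {p.text for p in user.findall("priv") if p.text}
        by_uid[user.findtext("uid", "")] = name
    for group in root.findall("./system/group"):
        gprivs = {p.text for p in group.findall("priv") if p.text}
        for member in group.findall("member"):
            if member.text in by_uid:
                privs[by_uid[member.text]] |= gprivs
    return privs


def snort_installed(root):
    names = (p.findtext("name", "") for p in root.findall("./installedpackages/package"))
    return any(n.strip().lower() == SNORT_MARK for n in names)


def affected_users(config_xml):
    """Users meeting all three conditions from the message; [] if any fails."""
    root = ET.fromstring(config_xml)
    if not snort_installed(root):                        # condition 2
        return []
    return sorted(
        name for name, held in effective_privs(root).items()
        if FULL_ADMIN not in held                        # condition 1: limited account
        and any(SNORT_MARK in p.lower() for p in held)   # condition 3: Snort rights
    )
```

An empty result means fewer than three of the conditions hold for every account in the export.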