On 28-01-2014 11:40, Chris Buechler wrote:
> On Tue, Jan 28, 2014 at 6:25 AM, Giles Coochey <[email protected]> wrote:
>>
>> http://seclists.org/fulldisclosure/2014/Jan/187
>>
>> I'm not connected with the author, or share any opinions.
>>
>> I simply monitor the Full Disclosure list, as well as pfsense and thought it appropriate to make the pfsense list aware.
>>
>
> Thanks for posting. Sure would have been nice if they'd contacted [email protected] in advance. One of us will get that fixed at some point in the next day. There may not be a single install on the planet affected by the combination of things where that's applicable. The issue is in the Snort package.
>
> For you to do anything with such privilege escalation vulnerabilities, you must have a valid login to administer the firewall and be logged in. In most cases, users with admin access to the firewall are in the admins group, where they can do anything by design. Nothing to escalate to from there. This also only applies if you have the Snort package installed.
>
> So the people who could be impacted are those who:
> 1) have people with firewall admin user accounts with limited privileges
> 2) have the Snort package installed
> 3) have admin users with limited privileges that are granted rights to Snort
>
> If all of the 3 above apply, then admin users with limited rights who have access to Snort can bypass all restrictions on their account by exploiting that RCE or LFI. If less than 3 of the above list apply, then this has no relevance to you.
>
>
>> I imagine a lot of what is disclosed in the post represents problems with third party packages, and would mostly be mitigated by not allowing the web interface to be accessible from non-trusted networks / IPs.
>>
>
> That's definitely a best practice with anything used solely for management purposes, don't leave it open to the entire Internet. But that's not relevant here (nor to IIRC any of the vulnerabilities that have ever existed in our web interface). Historically, we've done as well or better than any commercial product with a web management interface, but there are always risks, and that's the #1 defense. The vulnerabilities we've had in our web interface have been XSS, CSRF, and privilege escalation. It doesn't matter whether your web interface is open to the Internet or not for those classes of issues. But it's always possible some serious security issue could be found in lighttpd (the web server), PHP itself, or our code, that would allow an unauthenticated user to compromise a system if it's open to the Internet. So don't do that.
I've pushed a fix and bumped package version to 3.0.3.
--
Renato Botelho <garga @ FreeBSD.org>
<garga.bsd @ gmail.com>
GnuPG Key: http://www.FreeBSD.org/~garga/pubkey.asc
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
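An added illustration of the point made in the thread, not code from pfSense or the Snort package and not the specific bug the Full Disclosure post reports: a hypothetical package page that lets the caller pick a log file to display, written first in the local-file-inclusion pattern and then hardened. It shows why a page-level privilege grant is not a boundary once the page itself reads a user-controlled path: the limited-privilege account only ever needs access to that one page, and the file it ends up reading is chosen by the attacker, not by the privilege system. The directory, log names and query parameter are assumptions.

```php
<?php
// Added example; hypothetical page code, not pfSense or Snort package code.
// Assumed layout: logs live under /var/log/snort and the page takes a
// "file" query parameter naming which log to display.

// Vulnerable form: the user-supplied name is joined to the directory as-is.
// A limited-privilege account that has been granted only this page can send
// file=../../../etc/master.passwd (or any other readable path) and get it
// back, because nothing here honours the directory the grant was meant for.
function show_log_vulnerable(string $requested): string
{
    $path = '/var/log/snort/' . $requested;
    return (string) file_get_contents($path);
}

// Hardened form: accept only a bare name from a fixed allowlist, then check
// that the canonicalised path still sits below the intended directory. The
// second check is belt-and-braces against the allowlist later growing an
// entry that contains a path component or a symlink pointing elsewhere.
function show_log_hardened(string $requested, string $baseDir = '/var/log/snort'): ?string
{
    $allowed = ['alert', 'snort.log'];            // assumed log names
    if (!in_array($requested, $allowed, true)) {
        return null;                              // unknown name: refuse
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false) {
        return null;                              // missing file or directory
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                              // resolved outside $baseDir
    }
    return (string) file_get_contents($real);
}

// Hypothetical request handling for the hardened version:
// $name = $_GET['file'] ?? 'alert';
// $body = show_log_hardened($name);
// if ($body === null) { http_response_code(400); exit; }
// echo htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
```

The fix is deliberately not a blacklist of "../": an allowlist of names plus a realpath containment check is what makes the page's reach match the privilege that was granted, which is the difference between the three conditions Chris lists being a real exposure and being harmless.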
