-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= pfSense-SA-25_01.webgui Security Advisory pfSense Topic: Multiple problems in Dashboard widget key handling Category: pfSense Base System Module: webgui Announced: 2025-05-16 Credits: Github user NavyTitanium CVE ID: CVE-2024-54779 Affects: pfSense Plus software versions < 25.03 pfSense CE software versions < 2.8.0 Corrected: 2024-12-03 14:39:04 UTC (pfSense Plus master, 25.03) 2024-12-03 14:39:04 UTC (pfSense CE master, 2.8.0) 0. Revision History v1.0 2025-05-16 Initial SA draft I. Background pfSense® software is a free network firewall distribution based on the FreeBSD operating system. The pfSense software distribution includes third- party free software packages for additional functionality, and provides most of the functionality of common commercial firewalls. pfSense® Plus is the productized version of pfSense software from Netgate®, previously referred to as pfSense Factory Edition (FE). It is available to Netgate appliance and CSP customers. The majority of users of pfSense software have never installed or used a stock FreeBSD system. Unlike similar GNU/Linux-based firewall distributions, there is no need for any UNIX knowledge. The command line is never used, and there is no need to ever manually edit any rule sets. Instead, pfSense software includes a web interface for the configuration of all included components. Users familiar with commercial firewalls will quickly understand the web interface, while those unfamiliar with commercial-grade firewalls may encounter a short learning curve. II. Problem Description Multiple problems can stem from a lack of validation on Dashboard widget keys. Many dashboard widgets allow multiple instances and use a "widgetkey" parameter to distinguish between these instances. The widget keys should be in the form of "-". However, the dashboard did not validate this format when accepting input from clients. This problem is present on pfSense Plus version 24.11, pfSense CE version 2.7.2, and earlier versions of both. III. Impact Malicious clients could populate the "widgetkey" parameter with bad data, which could result in a corrupted configuration and it could potentially be a Cross-Site Scripting (XSS) vector. If a client submits a "widgetkey" value containing XML, it could result in the configuration becoming unreadable, which breaks access to the GUI and can also prevent the system from booting. Due to the lack of encoding on some values assumed to be safe in the configuration, a corrupted configuration could also lead to certain widgets being susceptible to XSS. There is still a small potential that arbitrary JavaScript could be executed in the user's browser. The user's session cookie or other information from the session may be compromised. IV. Workaround To help mitigate the problem on older releases, use one or more of the following: * Limit access to the affected pages to trusted administrators only. * Do not grant users write access to the configuration unnecessarily. * Do not log into the firewall with the same browser used for non- administrative web browsing. V. Solution Users can upgrade to pfSense Plus software version 25.03 or later, or pfSense CE software versions after 2.8.0 when available. This upgrade may be performed in the web interface or from the console. See https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide.html Users on pfSense Plus version 24.11 and pfSense CE version 2.7.2 may apply the fix from the recommended patches list in the System Patches package. Users may also manually apply the relevant revisions below using the System Patches package on earlier versions, or by manually making similar changes to the affected files if the patches do not apply directly. See https://docs.netgate.com/pfsense/en/latest/development/system-patches.html VI. Correction details The following list contains the correction revision commit ID for each affected item. Branch/path Revision - - ------------------------------------------------------------------------- plus/plus-master 04b74da157709a89b7b032a91d72f7697d17f7fc 6b42147b1c52b559e833e0edcbfbdffbb410b809 ff50e62fb744c3e02b1c51b15140d686754e9602 pfSense/master 04b74da157709a89b7b032a91d72f7697d17f7fc 6b42147b1c52b559e833e0edcbfbdffbb410b809 ff50e62fb744c3e02b1c51b15140d686754e9602 - - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEE40XvjEU56XSUPIMdE7mH/ZIU+NoFAmgnYykACgkQE7mH/ZIU +NoS3Q//ZyjH0Asw0gxRKfLzhtLj3Uns9Mj+9tKwog5GMNgSh5SrSGo6GWePoxzH boLIVJh79Gjp9gxH/NZqSP74HIzIpQggre2kw65L/yy/WB66qzy4jByCj2KzztEZ CE4A7QNTIIBO26YPZWLKR9/cPDzDdYikzwZhNkNwUiu5tW+KdF9dSG+bVTmey8bm TK5adH+l66NEbQUdgUXgxp6Br+pxQ5aUlmhGdGm/vacuE/qKiT3ZcFeDw1MDJwfp iSNuW5UEjZY7UZhZyn2a80c+JmA09ZRl/q8iP7+dxVu8mYoguSE6kSu/1Qq2uYFT 0ldibQUEeyqnZtqC+My6xq07y3BHbmkOhwDmvrSFMYANoPpiijoRvEtAVM4cGlO7 heh/bFDXP3PSk4PbUFgGHwDd+RAXrWeeePI4XA4mAaw+dGB6gCetn04lOIQXAOlc Nx89WrhC7oV5hyFIYCmy32QBSmN26yOAcTBMTgCWoDe+4mjcTWEx5eK7x6yKDFuL 9qgC6KZWeojQrvmbhdfLEiqEyQrE2N4oOPYeaPsHU2u4V5UkVel5W7qvpMJ7cra9 wuED+5hH4u70WS3H6RK7MKQJ8XQRiJSGPBSgM3OG8AfXzq8pEXBVIuTShlGvqL+l LaGh778BWALcj9zgm27/LcZy5TWKNjoRZgqfLcODuNxz6trkYe0= =crsG -----END PGP SIGNATURE-----