Bug #16314 (closed): GUI login events from usernames containing special characters or long strings can cause ambiguous or confusing log messages
Description
If an attacker attempts to log in with a username that contains a newline, for example, the newline is carried verbatim into the log message reporting the failed login, so a single event appears to be split across multiple lines and log messages.
Attached is a small PoC script which attempts to log in with an invalid username containing a newline, admin\nblah. This results in a split log entry:
Jul 17 14:29:15 pfsense php-fpm[84788]: /index.php: webConfigurator authentication error for user 'admin Jul 17 14:29:15 pfsense php-fpm[84788]: blah' from: 198.51.100.142
There is no danger to the authentication process, as the username isn't valid. However, the arbitrary string supplied by the attacker is written to the logs unchanged, so the attacker can shape the log content to make messages confusing or to make it appear that events occurred which did not.
The username in the logs should be trimmed to at most 32 characters, and control characters should be removed or replaced by another string. While there are contexts such as LDAP where longer usernames may be valid, such configurations are uncommon, and protecting the integrity of the log messages is more important.
There is a somewhat related bug in that sshguard will not trigger on these log messages (#16312); however, since these are not valid usernames, it isn't a critical concern. To fix this log issue completely, that issue must be addressed first.
If we want to patch the log issue on versions where the sshguard issue is present, we can strip any character outside of what sshguard will recognize, or replace it with "_" or "-".
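As an added example (not the pfSense project's own code), the following PHP applies the fix proposed above, capping the logged username at 32 characters and replacing control characters with "_", and runs it against the report's admin\nblah username and a 64-character one. The function names and message layout are assumptions; the exact character set sshguard recognizes is not covered, since the page does not specify it.

```php
<?php
// Added example, not pfSense project code: sanitise a submitted username
// before it is interpolated into a log message, as proposed in the report:
// cap the length at 32 characters and replace control characters with "_",
// so that one failed login always produces exactly one log line.

const MAX_LOG_USERNAME_LEN = 32;

function sanitize_username_for_log(string $username): string
{
    // Replace every ASCII control character (0x00-0x1F and 0x7F), which
    // covers newline and carriage return as well as tab, backspace and
    // escape, with "_". The match is byte-wise, so invalid UTF-8 is tolerated.
    // preg_replace returns null only on a regex engine error; log nothing then.
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '_', $username) ?? '';
    // Cap the length (counted in bytes; use mb_substr for multibyte names)
    // so an overlong string cannot crowd out the rest of the message.
    if (strlen($clean) > MAX_LOG_USERNAME_LEN) {
        $clean = substr($clean, 0, MAX_LOG_USERNAME_LEN);
    }
    return $clean;
}

function auth_failure_message(string $username, string $remote_addr): string
{
    // Same shape as the message quoted in the report above (assumed layout).
    return sprintf("webConfigurator authentication error for user '%s' from: %s",
        sanitize_username_for_log($username), $remote_addr);
}

// Constructed inputs: the report's admin\nblah username and a 64-byte one.
$cases = [
    "admin\nblah",
    str_repeat('a', 64),
];
foreach ($cases as $username) {
    $msg = auth_failure_message($username, '198.51.100.142');
    // Every message must stay on one line; abort loudly if it does not.
    if (preg_match('/[\x00-\x1F\x7F]/', $msg)) {
        throw new RuntimeException('control character survived sanitisation');
    }
    echo $msg, PHP_EOL;
}
```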