Bug #5560

closed

AutoConfigBackup curl session does not verify SSL/TLS certificate of portal.pfsense.org, allowing for possible MiTM attacks

Added by Ian Gallagher about 6 years ago. Updated almost 5 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: AutoConfigBackup
Target version: -
Start date: 12/01/2015
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: All
Affected Plus Version:
Affected Architecture:

Description

The configuration of the curl session used for submitting AutoConfigBackup blobs to the pfSense portal is explicitly set to not verify the authenticity of the server's certificate. This could allow for a Man in the Middle attacker to intercept requests from a pfSense installation and intercept encrypted configuration file uploads, and users' portal username/passwords, granting the attacker access to their portal account and anything in it.

The line of code in question is located here:

Curl documentation for the option is here:

Remediation should be to change the CURLOPT_SSL_VERIFYPEER from 0 to 1, as follows:

--- autoconfigbackup.inc    2015-12-01 11:50:02.000000000 -0800
+++ autoconfigbackup.inc-patched    2015-12-01 11:50:26.000000000 -0800
@@ -141,3 +141,3 @@
     curl_setopt($curl_session, CURLOPT_HTTPHEADER, array("Authorization: Basic " . base64_encode("{$username}:{$password}")));
-    curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 0);
+    curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 1);
     curl_setopt($curl_session, CURLOPT_POST, 1);
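
Review bot: CURLOPT_SSL_VERIFYHOST is not visible in the context around the `+` line, so this hunk alone does not show that the server's hostname is checked for `$curl_session`. If that option is set to 0 elsewhere in autoconfigbackup.inc, a valid certificate issued for any other name would still be accepted, and the Basic `Authorization` header built on the context line above would still be sent to that server. Check the rest of the session setup and either leave CURLOPT_SSL_VERIFYHOST at its libcurl default of 2 or set it explicitly next to this line.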

Additional information on the vulnerability available here:

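
A source check for the setting this report describes, as an added example that is not part of the original report or of the pfSense code base: it scans PHP text for `curl_setopt` calls that switch off `CURLOPT_SSL_VERIFYPEER` or `CURLOPT_SSL_VERIFYHOST`. The function name and the sample strings (constructed from the hunk above) are assumptions made for this example.

```python
import re

# curl_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|CURLOPT_SSL_VERIFYHOST, <value>)
SETOPT = re.compile(
    r"curl_setopt\s*\(\s*[^,]+,\s*CURLOPT_SSL_(VERIFYPEER|VERIFYHOST)\s*,\s*([^)]+?)\s*\)",
    re.IGNORECASE,
)

# Literal values that turn the check off for either option.
DISABLED = {"0", "false"}


def find_disabled_tls_checks(php_source):
    """Return (line_no, option, value) for each call that disables a TLS check."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        # Skip lines that are entirely a PHP comment.
        if line.lstrip().startswith(("//", "#", "*")):
            continue
        for match in SETOPT.finditer(line):
            value = match.group(2).strip().lower()
            if value in DISABLED:
                option = "CURLOPT_SSL_" + match.group(1).upper()
                findings.append((line_no, option, value))
    return findings


# Constructed sample: the three code lines of the hunk as they were before the patch.
BEFORE = '''\
    curl_setopt($curl_session, CURLOPT_HTTPHEADER, array("Authorization: Basic " . base64_encode("{$username}:{$password}")));
    curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 0);
    curl_setopt($curl_session, CURLOPT_POST, 1);
'''
# Constructed sample: the same lines with the patch applied.
AFTER = BEFORE.replace("CURLOPT_SSL_VERIFYPEER, 0", "CURLOPT_SSL_VERIFYPEER, 1")

if __name__ == "__main__":
    for label, source in (("before", BEFORE), ("after", AFTER)):
        hits = find_disabled_tls_checks(source)
        print(label, hits if hits else "no disabled TLS checks found")
```

The check only recognises literal `0` and `false`; a value passed through a variable needs a manual read of the session setup.
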
Actions #1

Updated by Chris Buechler about 6 years ago

  • Status changed from New to Resolved

Thanks. That was initially intentional because we didn't ship root CAs on the versions that were out there at the time of the package's release. It should have been switched to on by default with 2.2.0 and newer though. Just committed that change.

Actions #2

Updated by Ian Gallagher about 6 years ago

Great, glad to help and get it fixed.

Actions #3

Updated by Ian Gallagher almost 6 years ago

Did this make it into 2.2.6? I don't see the 2.2.6 release tag on GitHub.

Actions #4

Updated by Jim Pingle almost 6 years ago

This is in a package, not base, so it's only relevant to the package version not the pfSense version. It's been in the ACB package for a couple weeks now.

Actions #5

Updated by Jim Pingle almost 5 years ago

  • Private changed from Yes to No