Bug #5560
closed
AutoConfigBackup curl session does not verify SSL/TLS certificate of portal.pfsense.org, allowing for possible MiTM attacks
Description
The configuration of the curl session used for submitting AutoConfigBackup blobs to the pfSense portal is explicitly set to not verify the authenticity of the server's certificate. This could allow for a Man in the Middle attacker to intercept requests from a pfSense installation and intercept encrypted configuration file uploads, and users' portal username/passwords, granting the attacker access to their portal account and anything in it.
The line of code in question is located here:
Curl documentation for the option is here:
Remediation should be to change the CURLOPT_SSL_VERIFYPEER from 0 to 1, as follows:
--- autoconfigbackup.inc 2015-12-01 11:50:02.000000000 -0800 +++ autoconfigbackup.inc-patched 2015-12-01 11:50:26.000000000 -0800 @@ -141,3 +141,3 @@ curl_setopt($curl_session, CURLOPT_HTTPHEADER, array("Authorization: Basic " . base64_encode("{$username}:{$password}"))); - curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 0); + curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 1); curl_setopt($curl_session, CURLOPT_POST, 1);
Additional information on the vulnerability available here:
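Review bot: Setting CURLOPT_SSL_VERIFYPEER to 1 validates the certificate chain but not the name on the certificate; that is governed by CURLOPT_SSL_VERIFYHOST, which this hunk does not touch and which lies outside the three lines of context at `@@ -141,3 +141,3 @@`, so confirm the function leaves it at 2 (or sets it explicitly) rather than 0 or 1. The change should also be documented as now depending on a CA bundle being present on the host: with verification on and no trusted roots available, the upload fails with a curl error instead of connecting, which is the right outcome but needs to be surfaced to the user rather than swallowed.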
Updated by Chris Buechler about 9 years ago
- Status changed from New to Resolved
Thanks. That was initially intentional because we didn't ship root CAs on the versions that were out there at the time of the package's release. It should have been switched to on by default with 2.2.0 and newer though. Just committed that change.
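The remediation from the description, carried one step further as an added example that is not the AutoConfigBackup package's own code: it enables peer verification as the patch does, and additionally pins hostname checking and an explicit CA bundle (the root-CA point raised in the comment above). The curl options and constants are PHP's; `acb_curl_session`, `acb_upload`, the `$ca_bundle` parameter and the returned array shape are assumptions.

```php
<?php
// Added example, not the package's code. Builds the upload session with TLS
// verification on; the insecure settings from the bug are shown in comments.
function acb_curl_session(string $url, string $username, string $password, ?string $ca_bundle = null) {
    $curl_session = curl_init($url);
    if ($curl_session === false) {
        return false;
    }
    curl_setopt_array($curl_session, [
        CURLOPT_HTTPHEADER      => ["Authorization: Basic " . base64_encode("{$username}:{$password}")],
        CURLOPT_POST            => true,
        CURLOPT_RETURNTRANSFER  => true,
        // Insecure configuration reported in this bug (for contrast, never set):
        //   CURLOPT_SSL_VERIFYPEER => 0   accepts any certificate, including a MITM's
        //   CURLOPT_SSL_VERIFYHOST => 0   accepts a valid cert issued for another name
        // Hardened configuration:
        CURLOPT_SSL_VERIFYPEER  => true,            // validate the chain against the CA bundle
        CURLOPT_SSL_VERIFYHOST  => 2,               // cert must match the hostname in $url
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS, // never fall back to plain http,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // not even on a redirect
    ]);
    // Older releases shipped no root CAs; with VERIFYPEER on, curl needs a
    // bundle, so allow the caller to point at one where the default is missing.
    if ($ca_bundle !== null) {
        curl_setopt($curl_session, CURLOPT_CAINFO, $ca_bundle); // assumed path, e.g. /etc/ssl/cert.pem
    }
    return $curl_session;
}

// Fail closed: a verification failure surfaces as a curl error and the
// encrypted blob and portal credentials are never sent over an unverified channel.
function acb_upload(string $url, string $username, string $password, array $fields, ?string $ca_bundle = null): array {
    $curl_session = acb_curl_session($url, $username, $password, $ca_bundle);
    if ($curl_session === false) {
        return ['ok' => false, 'error' => 'curl_init failed'];
    }
    curl_setopt($curl_session, CURLOPT_POSTFIELDS, http_build_query($fields));
    $body   = curl_exec($curl_session);
    $status = curl_getinfo($curl_session, CURLINFO_HTTP_CODE);
    $result = [
        'ok'    => $body !== false && $status === 200,
        'error' => $body === false ? curl_error($curl_session) : null, // e.g. peer certificate cannot be authenticated
    ];
    curl_close($curl_session);
    return $result;
}
```

When `error` is non-null the caller should log it and not retry with verification relaxed.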
Updated by Ian Gallagher about 9 years ago
Great, glad to help and get it fixed.
Updated by Ian Gallagher almost 9 years ago
Did this make it into 2.2.6? I don't see the 2.2.6 release tag on GitHub.
Updated by Jim Pingle almost 9 years ago
This is in a package, not base, so it's only relevant to the package version not the pfSense version. It's been in the ACB package for a couple weeks now.