Actions
Bug #5560
closedAutoConfigBackup curl session does not verify SSL/TLS certificate of portal.pfsense.org, allowing for possible MiTM attacks
Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
AutoConfigBackup
Target version:
-
Start date:
12/01/2015
Due date:
% Done:
0%
Estimated time:
Plus Target Version:
Affected Version:
All
Affected Plus Version:
Affected Architecture:
Description
The configuration of the curl session used for submitting AutoConfigBackup blobs to the pfSense portal is explicitly set to not verify the authenticity of the server's certificate. This could allow for a Man in the Middle attacker to intercept requests from a pfSense installation and intercept encrypted configuration file uploads, and users' portal username/passwords, granting the attacker access to their portal account and anything in it.
The line of code in question is located here: Curl documentation for the option is here:Remediation should be to change the CURLOPT_SSL_VERIFYPEER from 0 to 1, as follows:
--- autoconfigbackup.inc 2015-12-01 11:50:02.000000000 -0800 +++ autoconfigbackup.inc-patched 2015-12-01 11:50:26.000000000 -0800 @@ -141,3 +141,3 @@ curl_setopt($curl_session, CURLOPT_HTTPHEADER, array("Authorization: Basic " . base64_encode("{$username}:{$password}"))); - curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 0); + curl_setopt($curl_session, CURLOPT_SSL_VERIFYPEER, 1); curl_setopt($curl_session, CURLOPT_POST, 1);Additional information on the vulnerability available here:
Actions