Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    BREACH attack vulnerability on SSL/TLS connections. This vulnerability is present in the HTTP compression of the web configurator.

    Scheduled Pinned Locked Moved
    webGUI
    6
    10
    1.3k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Z
      zendzipr
      last edited by

      BREACH attack vulnerability on SSL/TLS connections. This vulnerability is present in the HTTP compression of the web configurator.

      The vulnerability was detected due to the enabled HTTP compression being enabled

      I confirmed with ```
      curl -I -H 'Accept-Encoding: gzip,deflate' HOSTNAME

      HTTP/2 200
      server: nginx
      date: Wed, 17 Jan 2024 17:49:37 GMT
      content-type: text/html; charset=UTF-8
      x-frame-options: SAMEORIGIN
      last-modified: Wed, 17 Jan 2024 17:49:37 GMT
      set-cookie: PHPSESSID=de7936802006df43579a79b60711c866; path=/; secure; HttpOnly
      expires: Thu, 19 Nov 1981 08:52:00 GMT
      cache-control: no-store, no-cache, must-revalidate
      pragma: no-cache
      strict-transport-security: max-age=31536000
      x-content-type-options: nosniff
      content-encoding: gzip

      
After reviewing, I determined the configuration appears to be hardcoded at /etc/inc/system.inc line 1915.

Is this something that can be modified locally or do we have to wait for a patch?
      JonathanLeeJ GertjanG 2 Replies Last reply Reply Quote 0
      • JonathanLeeJ
        JonathanLee @zendzipr
        last edited by JonathanLee

        @zendzipr set the GUI processes to 1 not 4 see if that helps. It should show one GUI connection not 5 when you log on.

        โ€œEnter the number of webConfigurator processes to run. This defaults to 2. Increasing this will allow more users/browsers to access the GUI concurrently.โ€

        I set mine to one never looked back. I was originally set to 4 I noticed it would use all 4 for one login. Changed it to one now only one state listed per login

        Make sure to upvote

        1 Reply Last reply Reply Quote 0
        • GertjanG
          Gertjan @zendzipr
          last edited by Gertjan

          @zendzipr said in BREACH attack vulnerability on SSL/TLS connections. This vulnerability is present in the HTTP compression of the web configurator.:

          to be hardcoded at /etc/inc/system.inc line 1915.

          Is this something that can be modified locally or do we have to wait for a patch?

          Well, the hard in coded is gone, as you've found "/etc/inc/system.inc line 1915" ^^

          If you know all about nginx config file settings - and what pfSense needs so it works, be free to change whatever you want.
          edit : and report back your findings ๐Ÿ‘

          Btw : the GUI web server isn't a public web server.
          Typically, it's only accessible on one of the pfSense LAN - not WAN - type interfaces - the one you've labeled "LAN for admin access only". So, if the GUI web server get breached, the guy was already connected to (with a cable !!) to pfSense so he also has access physically to the box.
          No need to think about web server access settings in that case ^^

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          M 1 Reply Last reply Reply Quote 0
          • M
            mer @Gertjan
            last edited by

            @Gertjan said in BREACH attack vulnerability on SSL/TLS connections. This vulnerability is present in the HTTP compression of the web configurator.:

            Btw : the GUI web server isn't a public web server

            Or at least it shouldn't be :)

            1 Reply Last reply Reply Quote 0
            • Z
              zendzipr
              last edited by

              This vulnerability can be exploited, regardless of whether it is internal or external.

              An internal vulnerability is just as dangerous as an external one, especially in a compliance-based environment like PCI.

              johnpozJ 1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator @zendzipr
                last edited by

                @zendzipr said in BREACH attack vulnerability on SSL/TLS connections. This vulnerability is present in the HTTP compression of the web configurator.:

                especially in a compliance-based environment like PCI.

                If your pci network can talk to pfsense web gui, your doing pci wrong in the first place..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.03 | Lab VMs 2.7.2, 24.03

                1 Reply Last reply Reply Quote 1
                • jimpJ
                  jimp Rebel Alliance Developer Netgate
                  last edited by

                  There is a lot more to it than "the web server supports compression, therefore it's vulnerable."

                  The GUI web server employs CSRF protection which is one of the methods for mitigating such attacks.

                  Can you successfully demonstrate an attack that succeeds against the GUI web server?

                  Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                  Need help fast? Netgate Global Support!

                  Do not Chat/PM for help!

                  johnpozJ 1 Reply Last reply Reply Quote 4
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @jimp
                    last edited by

                    Oh Snap - someone should let google know ;)

                    google.jpg

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.03 | Lab VMs 2.7.2, 24.03

                    1 Reply Last reply Reply Quote 3
                    • Z
                      zendzipr
                      last edited by

                      Thank you for your valuable insights. It's evident that the BREACH attack vulnerability, while a technical security concern, primarily represents a compliance issue for me. In environments where regulatory compliance and standard adherence are critical, addressing this vulnerability is about enhancing security and fulfilling necessary compliance requirements.

                      While the immediate security risks might vary, the need to address this vulnerability for compliance purposes is clear. As such, my focus is on effectively mitigating this issue to ensure that our systems are secure and meet the required compliance standards.

                      1 Reply Last reply Reply Quote 0
                      • jimpJ
                        jimp Rebel Alliance Developer Netgate
                        last edited by

                        Compliance isn't an issue here.

                        For it to be a problem it has to be proven to actually be a problem, which hasn't happened.

                        Whatever scan is flagging it is giving bogus results, it's a false positive.

                        If you want to alter the source to shut the scanner up, that's up to you.

                        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        1 Reply Last reply Reply Quote 2
                        • First post
                          Last post