Netgate Discussion Forum

BREACH attack vulnerability on SSL/TLS connections. This vulnerability is present in the HTTP compression of the web configurator.

Category: webGUI
10 Posts 6 Posters 2.2k Views
  • Z
    zendzipr
    last edited by Jan 17, 2024, 7:07 PM

    BREACH attack vulnerability on SSL/TLS connections. This vulnerability is present in the HTTP compression of the web configurator.

    The vulnerability was detected because HTTP compression is enabled.

    I confirmed with:

    ```
    curl -I -H 'Accept-Encoding: gzip,deflate' HOSTNAME

    HTTP/2 200
    server: nginx
    date: Wed, 17 Jan 2024 17:49:37 GMT
    content-type: text/html; charset=UTF-8
    x-frame-options: SAMEORIGIN
    last-modified: Wed, 17 Jan 2024 17:49:37 GMT
    set-cookie: PHPSESSID=de7936802006df43579a79b60711c866; path=/; secure; HttpOnly
    expires: Thu, 19 Nov 1981 08:52:00 GMT
    cache-control: no-store, no-cache, must-revalidate
    pragma: no-cache
    strict-transport-security: max-age=31536000
    x-content-type-options: nosniff
    content-encoding: gzip
    ```

    After reviewing, I determined the configuration appears to be hardcoded at /etc/inc/system.inc line 1915.
    
    Is this something that can be modified locally or do we have to wait for a patch?
    • J
      JonathanLee @zendzipr
      last edited by JonathanLee Jan 17, 2024, 7:51 PM (posted Jan 17, 2024, 7:46 PM)

      @zendzipr set the GUI processes to 1, not 4, and see if that helps. It should show one GUI connection, not 5, when you log on.

      “Enter the number of webConfigurator processes to run. This defaults to 2. Increasing this will allow more users/browsers to access the GUI concurrently.”

      I set mine to one and never looked back. It was originally set to 4 and I noticed it would use all 4 for one login. Changed it to one and now only one state is listed per login.

      Make sure to upvote

      • G
        Gertjan @zendzipr
        last edited by Gertjan Jan 19, 2024, 10:49 AM (posted Jan 19, 2024, 10:48 AM)

        @zendzipr said in BREACH attack vulnerability on SSL/TLS connections. This vulnerability is present in the HTTP compression of the web configurator.:

        to be hardcoded at /etc/inc/system.inc line 1915.

        Is this something that can be modified locally or do we have to wait for a patch?

        Well, the "hardcoded" part is gone, as you've found "/etc/inc/system.inc line 1915" ^^

        If you know all about nginx config file settings - and what pfSense needs so it works - feel free to change whatever you want.
        edit : and report back your findings 👍

        Btw : the GUI web server isn't a public web server.
        Typically, it's only accessible on one of the pfSense LAN - not WAN - type interfaces - the one you've labeled "LAN for admin access only". So, if the GUI web server gets breached, the guy was already connected (with a cable !!) to pfSense, so he also has physical access to the box.
        No need to think about web server access settings in that case ^^

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • M
          mer @Gertjan
          last edited by Jan 19, 2024, 1:07 PM

          @Gertjan said in BREACH attack vulnerability on SSL/TLS connections. This vulnerability is present in the HTTP compression of the web configurator.:

          Btw : the GUI web server isn't a public web server

          Or at least it shouldn't be :)

          • Z
            zendzipr
            last edited by Jan 19, 2024, 1:35 PM

            This vulnerability can be exploited, regardless of whether it is internal or external.

            An internal vulnerability is just as dangerous as an external one, especially in a compliance-based environment like PCI.

            • J
              johnpoz LAYER 8 Global Moderator @zendzipr
              last edited by Jan 19, 2024, 2:53 PM

              @zendzipr said in BREACH attack vulnerability on SSL/TLS connections. This vulnerability is present in the HTTP compression of the web configurator.:

              especially in a compliance-based environment like PCI.

              If your PCI network can talk to the pfSense web GUI, you're doing PCI wrong in the first place..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              • J
                jimp Rebel Alliance Developer Netgate
                last edited by Jan 19, 2024, 7:53 PM

                There is a lot more to it than "the web server supports compression, therefore it's vulnerable."

                The GUI web server employs CSRF protection which is one of the methods for mitigating such attacks.

                Can you successfully demonstrate an attack that succeeds against the GUI web server?

                Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

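Added example, not code from the thread or from pfSense: it measures offline, with zlib on a constructed page body, the compressed-length signal that jimp's CSRF remark is about, and sets it beside per-response token masking, one of the mitigations described in the original BREACH research. SECRET, GUESS_OTHER, the HTML body and all function names are constructed for the demo.

```python
import os
import zlib
from base64 import b64decode, b64encode
from typing import Optional

# Constructed demo values (not from the thread): a CSRF-style secret that the
# page embeds in every response, and two request parameters the page reflects.
SECRET = "csrf=3f9a1c7e"
GUESS_RIGHT = SECRET
GUESS_OTHER = "qwk7d2zp1xy8m"  # same length as SECRET, shares no substring

def render(reflected: str, token: str) -> bytes:
    """Constructed HTML body: reflects a request parameter and embeds the token."""
    return (f"<html><body><p>You searched for: {reflected}</p>"
            f'<input type="hidden" name="tok" value="{token}">'
            "</body></html>").encode()

def compressed_len(body: bytes) -> int:
    """Bytes on the wire once gzip/deflate (what nginx applies) compresses the body."""
    return len(zlib.compress(body, 9))

def mask_token(token: str, pad: Optional[bytes] = None) -> str:
    """Per-response masking: XOR the secret with a fresh random pad and emit
    base64(pad || masked). The literal secret never appears in the body, so
    reflected request text can never share a substring with it."""
    raw = token.encode()
    pad = os.urandom(len(raw)) if pad is None else pad
    masked = bytes(p ^ t for p, t in zip(pad, raw))
    return b64encode(pad + masked).decode()

def unmask_token(masked_b64: str) -> str:
    """Server side: recover the secret from a submitted masked value."""
    raw = b64decode(masked_b64)
    half = len(raw) // 2
    return bytes(p ^ m for p, m in zip(raw[:half], raw[half:])).decode()

def length_delta(token_in_page: str) -> int:
    """Compressed size with an unrelated reflected string minus the size with the
    exact secret reflected. A clearly positive value is the length signal a
    compression side channel needs; near zero means there is nothing to measure."""
    return (compressed_len(render(GUESS_OTHER, token_in_page))
            - compressed_len(render(GUESS_RIGHT, token_in_page)))

if __name__ == "__main__":
    print("plain token, delta bytes :", length_delta(SECRET))
    print("masked token, delta bytes:", length_delta(mask_token(SECRET)))
```

With the plain token the body shrinks by several bytes when the reflected input equals the secret; with the masked token the two sizes differ by at most the Huffman-table noise of the unrelated literals.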
                • J
                  johnpoz LAYER 8 Global Moderator @jimp
                  last edited by Jan 19, 2024, 8:52 PM

                  Oh Snap - someone should let google know ;)

                  [image: google.jpg]


                  • Z
                    zendzipr
                    last edited by Jan 23, 2024, 4:53 PM

                    Thank you for your valuable insights. It's evident that the BREACH attack vulnerability, while a technical security concern, primarily represents a compliance issue for me. In environments where regulatory compliance and standard adherence are critical, addressing this vulnerability is about enhancing security and fulfilling necessary compliance requirements.

                    While the immediate security risks might vary, the need to address this vulnerability for compliance purposes is clear. As such, my focus is on effectively mitigating this issue to ensure that our systems are secure and meet the required compliance standards.

                    • J
                      jimp Rebel Alliance Developer Netgate
                      last edited by Jan 23, 2024, 4:58 PM

                      Compliance isn't an issue here.

                      For it to be a problem it has to be proven to actually be a problem, which hasn't happened.

                      Whatever scan is flagging it is giving bogus results, it's a false positive.

                      If you want to alter the source to shut the scanner up, that's up to you.


                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.