pfSense: pfSense-SA-19_06.webgui: Authenticated Arbitrary Code Execution in the WebGUI
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | May 20, 2019 | May 21, 2019 | Jun 18, 2026 |
Description
The OpenVPN server (vpn_openvpn_server.php), client (vpn_openvpn_client.php),
and client-specific override (vpn_openvpn_csc.php) pages on pfSense allow
authenticated administrators to enter custom advanced options which are passed
through as-is to the OpenVPN configuration file. These parameters can include
directives such as "up" which are able to run arbitrary binaries when specific
events occur in OpenVPN.
Allowing these advanced parameters is an intended feature. However, an
administrator who grants a lower-privilege user access to these pages may not
expect that the lower-privilege user can use the advanced options to execute
arbitrary code.
An authenticated user granted access to these pages via their associated
privileges, either directly or via group membership, could leverage these
directives to gain elevated privileges and make arbitrary changes to the
firewall.
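The two conditions the advisory combines (who can reach the OpenVPN pages, and whether any instance's custom options contain a directive that makes OpenVPN execute an external program) can both be checked offline against a pfSense configuration backup. The script below is an added example written for this page; it is not pfSense code and not part of the advisory. It assumes pfSense's config.xml layout (groups under `system/group` with `priv` children, OpenVPN instances under `openvpn/openvpn-server`, `openvpn-client` and `openvpn-csc` with a `custom_options` element) and the privilege names `page-vpn-openvpn-server`, `page-vpn-openvpn-client` and `page-vpn-openvpn-csc`; the sample config is constructed. Only "up" is named by the advisory; the other directive names in the list are OpenVPN's documented script hooks and plugin directive, included so the audit covers the whole class rather than the one example.

```python
"""Audit a pfSense config.xml for (1) non-admin groups granted the OpenVPN
WebGUI pages and (2) OpenVPN instances whose custom options would make
OpenVPN run an external program. Example code, not pfSense's own."""
import re
import xml.etree.ElementTree as ET

# Directives that cause OpenVPN to execute a program or load a shared object.
# "up" is the one the advisory names; the rest are the other script hooks and
# "plugin" from OpenVPN's reference manual (assumption: complete for our needs).
SCRIPT_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange",
    "client-connect", "client-disconnect", "learn-address",
    "tls-verify", "auth-user-pass-verify", "plugin", "script-security",
}

# Privilege names assumed to be those pfSense uses for the three pages.
OPENVPN_PAGE_PRIVS = {
    "page-vpn-openvpn-server",
    "page-vpn-openvpn-client",
    "page-vpn-openvpn-csc",
}

# Constructed sample backup: one group with page access besides admins,
# one server with an "up" hook, one CSC entry with a client-connect hook.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <group><name>admins</name><priv>page-all</priv></group>
    <group><name>vpnops</name><priv>page-vpn-openvpn-server</priv></group>
    <group><name>readonly</name><priv>page-dashboard-all</priv></group>
  </system>
  <openvpn>
    <openvpn-server><vpnid>1</vpnid>
      <custom_options>push "route 10.0.0.0 255.0.0.0";up /root/hook.sh</custom_options>
    </openvpn-server>
    <openvpn-client><vpnid>2</vpnid>
      <custom_options>remote-cert-tls server</custom_options>
    </openvpn-client>
    <openvpn-csc><common_name>laptop01</common_name>
      <custom_options>ifconfig-push 10.8.0.10 255.255.255.0
client-connect /usr/local/bin/log.sh</custom_options>
    </openvpn-csc>
  </openvpn>
</pfsense>"""


def split_custom_options(text):
    """pfSense lets the admin separate options with newlines or semicolons
    (assumption about the WebGUI field); return the individual options."""
    return [p.strip() for p in re.split(r"[;\n]", text or "") if p.strip()]


def flag_script_directives(text):
    """Return the directive keywords in a custom-options string that would
    make OpenVPN execute something, in the order they appear."""
    hits = []
    for opt in split_custom_options(text):
        keyword = opt.split(None, 1)[0].lower()
        if keyword in SCRIPT_DIRECTIVES:
            hits.append(keyword)
    return hits


def audit_config(xml_text):
    """Return a list of (kind, identifier, details) findings for the config."""
    root = ET.fromstring(xml_text)
    findings = []
    # (1) Every non-admin group that can open one of the three pages.
    for group in root.findall("./system/group"):
        name = group.findtext("name", "")
        if name == "admins":
            continue
        granted = {p.text for p in group.findall("priv")} & OPENVPN_PAGE_PRIVS
        if granted:
            findings.append(("group", name, sorted(granted)))
    # (2) Every OpenVPN instance whose custom options carry a script hook.
    for tag in ("openvpn-server", "openvpn-client", "openvpn-csc"):
        for inst in root.findall(f"./openvpn/{tag}"):
            ident = inst.findtext("vpnid") or inst.findtext("common_name") or "?"
            hits = flag_script_directives(inst.findtext("custom_options"))
            if hits:
                findings.append((tag, ident, hits))
    return findings


if __name__ == "__main__":
    for kind, ident, details in audit_config(SAMPLE_CONFIG):
        print(f"{kind:15} {ident:10} {', '.join(details)}")
```

Run it against a real backup with `audit_config(open("config.xml").read())`; if the custom options in your backup are stored encoded rather than as plain text, decode them before passing them to `flag_script_directives`, which only looks at the option text. A group finding alongside any hook finding is the combination the advisory describes: page access granted below the admin level plus a configuration path that executes a program.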
Solution