Several security flaws have been found in the open-source Netgate pfSense firewall and router software. Chained together, they could allow an attacker to execute arbitrary commands on vulnerable appliances.
Research from Sonar describes the issues as two reflected cross-site scripting (XSS) vulnerabilities and one command injection vulnerability.
Security inside local networks is frequently laxer because network administrators expect their firewalls to shield them from remote attacks, according to security researcher Oskar Zeino-Mahmalat.
“Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network.”
The vulnerabilities affect pfSense CE 2.7.0 and earlier and pfSense Plus 23.05.1 and earlier. Exploitation requires tricking an admin or other authenticated pfSense user into opening a crafted URL: the URL carries the XSS payload, and the script it runs in the victim's browser, using the victim's authenticated session, can then issue the request that triggers the command injection.
Below is a brief description of the shortcomings:
- CVE-2023-42325 (CVSS score: 5.4): reflected XSS in the status_logs_filter_dynamic.php page. A remote attacker who gets a victim to open a crafted URL can act with that victim's privileges.
- CVE-2023-42327 (CVSS score: 5.4): reflected XSS in the getserviceproviders.php page, exploitable in the same way via a crafted URL.
- CVE-2023-42326 (CVSS score: 8.8): missing input validation in the interfaces_gif_edit.php and interfaces_gre_edit.php components lets a remote attacker execute arbitrary code by sending a specially crafted request.
Reflected cross-site scripting (XSS), also known as non-persistent XSS, occurs when a web application copies attacker-controlled input from a request into its HTTP response without properly encoding it. The injected script is returned in the response and executed by the victim's browser in the context of the vulnerable site.
Attacks of this type are therefore delivered through carefully constructed links, for example in phishing messages, social media posts or comment sections on third-party websites. In pfSense the injected script runs with the victim's session and permissions, so the attacker can perform any action within the firewall that the victim could.
“Because the pfSense process runs as root to be able to change networking settings, the attacker can execute arbitrary system commands as root using this attack,” Zeino-Mahmalat stated.
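The two bug classes described above, shown side by side with their hardened forms. This is an added illustration, not pfSense's code and not the actual vulnerable handlers; the page names and the `filter` and `tunnel` parameters are hypothetical stand-ins chosen only to show the pattern (echoing a request parameter into HTML unencoded, and building a shell command from a request parameter in a process that runs as root).

```php
<?php
// Illustrative only: NOT pfSense code. Mirrors the two bug classes in the
// advisory (reflected XSS, command injection in a root-run web GUI) using
// hypothetical "filter" and "tunnel" request parameters.

// --- Pattern 1: reflected XSS --------------------------------------------
// Vulnerable: the request parameter is copied straight into the HTML
// response, so ?filter="><script>...</script> executes in the browser of
// any logged-in admin who follows the link, with that admin's session.
function render_filter_vulnerable(array $get): string
{
    $filter = $get['filter'] ?? '';
    return '<input name="filter" value="' . $filter . '">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES covers both
// quote characters; passing the charset avoids encoding-mismatch bypasses.
function render_filter_hardened(array $get): string
{
    $filter = $get['filter'] ?? '';
    return '<input name="filter" value="'
        . htmlspecialchars($filter, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// --- Pattern 2: command injection as root ---------------------------------
// Vulnerable: a shell command is built from a request parameter. Because the
// GUI's PHP process runs as root to reconfigure networking, a value such as
// "gif0; id > /tmp/pwned" runs the attacker's command with full privileges.
function build_ifconfig_vulnerable(array $post): string
{
    $if = $post['tunnel'] ?? '';
    return "/sbin/ifconfig {$if} up";
}

// Hardened: allow-list the value against the shape the parameter must have
// (an interface name), and still escape it so that a later relaxation of the
// regex cannot silently reintroduce the injection. Reject, don't "sanitise".
function build_ifconfig_hardened(array $post): ?string
{
    $if = $post['tunnel'] ?? '';
    if (!preg_match('/^[a-z]+[0-9]{1,3}$/', $if)) {
        return null;
    }
    return '/sbin/ifconfig ' . escapeshellarg($if) . ' up';
}

// Demonstration with constructed inputs; nothing is executed or sent.
$xss = ['filter' => '"><script>/* runs with the admin session */</script>'];
$inj = ['tunnel' => 'gif0; id > /tmp/pwned'];

echo render_filter_vulnerable($xss), "\n";   // <script> lands in the page
echo render_filter_hardened($xss), "\n";     // rendered as inert text
echo build_ifconfig_vulnerable($inj), "\n";  // "; id > /tmp/pwned" reaches sh
var_dump(build_ifconfig_hardened($inj));     // NULL: rejected before exec()
var_dump(build_ifconfig_hardened(['tunnel' => 'gif0']));  // quoted, safe
```

The chain the article describes is the combination of the two: the reflected XSS gives the attacker JavaScript execution inside an authenticated admin session, and that script can submit the request that reaches the unvalidated shell command. Fixing either half breaks the chain, but only the second fix removes the root-level impact.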
The vulnerabilities were reported to Netgate on July 3, 2023, and fixed in pfSense CE 2.7.1 and pfSense Plus 23.09, released in November 2023.
The disclosure came weeks after Sonar reported a remote code execution vulnerability in Microsoft Visual Studio Code's built-in npm integration (CVE-2023-36742, CVSS score: 7.8), which Microsoft fixed in its September 2023 Patch Tuesday updates.
RCE attacks could affect the majority of pfSense instances exposed to the internet
BleepingComputer reports that the command injection bug, tracked as CVE-2023-42326, and the reflected XSS vulnerabilities, tracked as CVE-2023-42325 and CVE-2023-42327, could be chained to achieve remote code execution on more than 92% of internet-exposed pfSense instances. Netgate has addressed all three vulnerabilities in the releases above.
The widespread use of pfSense means a sizable attack surface: a threat actor who gains root on a perimeter firewall is well placed for lateral movement inside the network and for data theft.