Several security weaknesses have been disclosed in Netgate's open-source pfSense firewall software. If exploited, they could let attackers run arbitrary commands on affected devices.
The identified vulnerabilities are two reflected cross-site scripting (XSS) issues and a command injection flaw, as revealed by Sonar's latest research.
Oskar Zeino-Mahmalat, a security expert, noted, “Local networks often have relaxed security under the assumption that firewalls shield them from external threats. However, these discovered vulnerabilities could let attackers monitor traffic or target internal network services.”
The vulnerabilities, found in pfSense CE 2.7.0 and earlier versions, as well as pfSense Plus 23.05.1 and earlier, can be misused by deceiving an authenticated pfSense user into clicking a malicious URL. This URL triggers an XSS attack, leading to command injection.
The flaws are briefly described as follows:
- CVE-2023-42325 (CVSS score: 5.4) – An XSS vulnerability allowing remote attackers to gain privileges via a specific URL to the status_logs_filter_dynamic.php page.
- CVE-2023-42327 (CVSS score: 5.4) – An XSS vulnerability enabling remote attackers to gain privileges through a crafted URL to the getserviceproviders.php page.
- CVE-2023-42326 (CVSS score: 8.8) – A validation issue allowing remote attackers to execute arbitrary code via a specific request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.
Reflected XSS attacks, also known as non-persistent attacks, happen when a malicious script delivered to a vulnerable application is then reflected back in the HTTP response and executed in the victim’s browser. These attacks are often initiated through links in phishing emails, third-party websites, or social media posts. In pfSense’s case, this allows the attacker to execute actions with the victim’s firewall permissions.
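To make the reflected XSS pattern concrete, the following PHP snippet is an added illustration and is not pfSense code or Sonar's proof of concept. The function names `render_filter_unsafe`, `render_filter_safe` and `validate_filter` are hypothetical, and the sample input is constructed. The unsafe version echoes a request parameter straight into an HTML attribute, so a crafted link can break out of the attribute and inject markup that runs with the logged-in user's permissions; the hardened version encodes the value for the attribute context and, as a second layer, rejects input that does not match the shape the page actually expects.

```php
<?php
// Added example, not pfSense code: a reflected XSS pattern and its hardened form.

// Vulnerable: the query parameter is echoed into an HTML attribute unencoded.
// A value such as  "><b>injected</b>  closes the attribute and adds markup.
function render_filter_unsafe(string $filter): string
{
    return '<input type="text" name="filter" value="' . $filter . '">';
}

// Hardened: encode for the HTML attribute context before output.
// ENT_QUOTES covers both " and ' so the attribute cannot be closed early.
function render_filter_safe(string $filter): string
{
    $encoded = htmlspecialchars($filter, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="filter" value="' . $encoded . '">';
}

// Defense in depth: a log filter only needs a small character set, so reject
// anything else before it reaches the template at all. Returns null on failure.
function validate_filter(string $filter): ?string
{
    return preg_match('/^[A-Za-z0-9 ._:\-\/]{0,64}$/', $filter) === 1 ? $filter : null;
}

// Constructed sample input, the kind of value a malicious link would carry.
$input = '"><b>injected</b>';

echo "unsafe:  " . render_filter_unsafe($input) . "\n";
// -> <input type="text" name="filter" value=""><b>injected</b>">   (markup breaks out)

echo "safe:    " . render_filter_safe($input) . "\n";
// -> <input type="text" name="filter" value="&quot;&gt;&lt;b&gt;injected&lt;/b&gt;">

$valid = validate_filter($input);
echo "validated: " . ($valid === null ? "rejected" : render_filter_safe($valid)) . "\n";
// -> validated: rejected
```

Output encoding alone closes the reflected XSS hole; the allowlist check is there because it also catches the same parameter being reused later in a context (a shell command, a log query) where HTML encoding would not help, which is exactly how an XSS in a management interface can be chained into command execution.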
The vulnerabilities were responsibly disclosed on July 3, 2023, and have been addressed in the newly released pfSense CE 2.7.1 and pfSense Plus 23.09.