Recent findings have uncovered multiple security vulnerabilities within the open-source Netgate pfSense firewall solution. These vulnerabilities could potentially be combined by an attacker, allowing them to execute arbitrary commands on affected devices.

The identified issues involve two reflected cross-site scripting (XSS) issues alongside a command injection vulnerability, as reported by Sonar. Oskar Zeino-Mahmalat, a security researcher, emphasized the inherent trust network administrators place in firewalls to safeguard against remote threats. This trust can lead to vulnerabilities that are particularly perilous within a local network.

According to the analysis, these vulnerabilities affect pfSense CE 2.7.0 and earlier, as well as pfSense Plus 23.05.1 and earlier versions. An attacker could exploit these flaws by convincing an authenticated user, such as an administrator, to click on a crafted URL that contains a malicious payload capable of triggering command execution.

Specific vulnerabilities include CVE-2023-42325 and CVE-2023-42327, which both score 5.4 on the CVSS scale. These flaws allow an attacker to gain elevated privileges via specifically constructed URLs linked to certain pfSense web pages. Additionally, CVE-2023-42326 presents a more severe risk with a CVSS score of 8.8, as it permits arbitrary code execution through crafted requests to critical components.

Reflected XSS attacks occur when a malicious script is delivered to a vulnerable application, subsequently executed in the victim’s web browser. This underscores the importance of vigilance in environments where attackers might utilize phishing tactics or embedded links in third-party sites and social media to trigger such attacks.
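To make the reflection pattern concrete, here is an added example (not pfSense code, and not from Sonar's report) that simulates a web handler echoing a query parameter into an HTML page, shows the same handler with output encoding and with allowlisting, and runs a coarse detector over a few constructed access-log lines. The page name `/status.php`, the parameter name `if`, and the log lines are all constructed for illustration.

```python
"""Reflected XSS: the unsafe reflection pattern, two hardened forms, and a log check.

Added example, not pfSense code. Simulates a handler that echoes a query
parameter back into an HTML page. Page name, parameter name and log lines
are constructed for illustration.
"""
import html
import re
from urllib.parse import parse_qs, unquote_plus


def extract_param(query_string: str, key: str, default: str) -> str:
    """Return the first value of `key` from a URL query string."""
    return parse_qs(query_string, keep_blank_values=True).get(key, [default])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable pattern: the parameter is inserted into HTML verbatim,
    so a value like <script>...</script> becomes live markup in the browser."""
    name = extract_param(query_string, "if", "wan")
    return f"<p>Status for interface {name}</p>"


def render_safe(query_string: str) -> str:
    """Hardened pattern: HTML-encode before insertion; the browser shows text, not markup."""
    name = extract_param(query_string, "if", "wan")
    return f"<p>Status for interface {html.escape(name, quote=True)}</p>"


# Hypothetical shape of a valid interface name (assumption for this example).
INTERFACE_NAME = re.compile(r"[a-z][a-z0-9_]{0,15}")


def is_valid_interface(name: str) -> bool:
    """Allowlist check: only values matching the expected shape are accepted."""
    return INTERFACE_NAME.fullmatch(name) is not None


def render_allowlisted(query_string: str) -> str:
    """Strictest pattern: reject anything that does not look like an interface name."""
    name = extract_param(query_string, "if", "wan")
    if not is_valid_interface(name):
        raise ValueError("invalid interface name")
    return f"<p>Status for interface {name}</p>"


# Detection side: markers that rarely appear in a legitimate query string.
# Coarse on purpose; tune against real traffic before alerting on it.
XSS_MARKERS = re.compile(r"<\s*script|on\w+\s*=|javascript\s*:", re.IGNORECASE)

LOG_LINE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def flag_suspicious_requests(log_lines):
    """Return (path, status) for access-log lines whose URL-decoded query
    string carries one of the XSS markers above."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        path = m.group("path")
        _, _, query = path.partition("?")
        if query and XSS_MARKERS.search(unquote_plus(query)):
            hits.append((path, int(m.group("status"))))
    return hits


# Constructed sample log: one benign request, two carrying XSS payloads.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2023:10:00:00 +0000] "GET /status.php?if=wan HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Nov/2023:10:00:05 +0000] '
    '"GET /status.php?if=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5188',
    '192.0.2.10 - - [01/Nov/2023:10:00:09 +0000] "GET /index.php?q=foo%20onerror%3Dalert(1) HTTP/1.1" 200 4096',
]


if __name__ == "__main__":
    hostile = "if=<script>alert(1)</script>"
    print("unsafe :", render_unsafe(hostile))
    print("escaped:", render_safe(hostile))
    for path, status in flag_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious request (HTTP {status}): {path}")
```

Note that the log check fires on a 200 response as readily as on an error: a reflected XSS request that succeeds looks like any other page load, so the query string, not the status code, is what carries the signal.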

Zeino-Mahmalat further noted that since the pfSense process operates with root access to manage network settings, exploiting these flaws could enable an attacker to run arbitrary commands with full system privileges.

The vulnerabilities were responsibly disclosed on July 3, 2023, and addressed in pfSense CE 2.7.1 and pfSense Plus 23.09, which were released shortly thereafter. This disclosure comes in the wake of Sonar's recent identification of a remote code execution vulnerability in Microsoft's Visual Studio Code, which could easily be weaponized to execute arbitrary commands and which Microsoft remediated promptly.

In understanding these threats through the lens of the MITRE ATT&CK framework, tactics such as initial access, privilege escalation, and remote code execution are pertinent. With these vulnerabilities in mind, business owners must remain proactive in assessing their cybersecurity posture, recognizing that the complexity of internal networks can inadvertently create opportunities for attackers to exploit trust and access.
