New security vulnerabilities discovered in pfSense Firewall software

pfSense Firewall Software

Multiple security vulnerabilities have been discovered in Netgate's open-source pfSense firewall software, which an attacker could chain to execute arbitrary commands on susceptible devices.

The issues involve two reflected cross-site scripting (XSS) bugs and one command injection flaw, according to new findings from Sonar.

“Security within a local network is often more lax because network administrators rely on their firewalls to protect them from remote attacks,” said security researcher Oskar Zeino-Mahmalat.

“Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services within the local network.”

The flaws affect pfSense CE 2.7.0 and earlier and pfSense Plus 23.05.1 and earlier, and can be exploited by tricking an authenticated pfSense user (that is, an admin user) into clicking a specially crafted URL that carries an XSS payload, which in turn triggers the command injection.

Below is a brief description of the shortcomings:

  • CVE-2023-42325 (CVSS Score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the status_logs_filter_dynamic.php page.
  • CVE-2023-42327 (CVSS Score: 5.4) – An XSS vulnerability that could allow a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
  • CVE-2023-42326 (CVSS Score: 8.8) – A lack of validation that could allow a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.

Reflected XSS attacks, also known as non-persistent attacks, occur when an attacker delivers a malicious script to a vulnerable web application, which is then returned in the HTTP response and executed in the victim’s web browser.

Such attacks are typically triggered through crafted links embedded in phishing messages or hosted on a third-party website, for example in a comment section or in links shared in social media posts. In the case of pfSense, the threat actor can perform actions in the firewall with the victim's permissions.
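The reflection pattern described above, shown as an added illustration rather than code from pfSense or Sonar's report (pfSense itself is written in PHP; Python is used here only to make the behaviour easy to run). The page path and the "filter" parameter are hypothetical, the sample URLs are constructed, and the script body is deliberately inert. The vulnerable renderer copies a query parameter straight into the response; the hardened one HTML-escapes it first. The two checks at the end are what a reviewer or log analyst would run: does a response echo markup back unescaped, and does a request carry markup characters in its query string at all?

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests for the illustration (not taken from the advisory).
# "status.php" and "filter" are hypothetical names chosen for this example.
BENIGN_URL = "https://firewall.example/status.php?filter=dhcp"
HOSTILE_URL = (
    "https://firewall.example/status.php"
    "?filter=%3Cscript%3Edocument.title%3C%2Fscript%3E"
)

MARKUP_CHARS = "<>\"'"


def param(url: str, name: str) -> str:
    """Return the first (URL-decoded) value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflected-XSS pattern: the decoded parameter is placed verbatim into HTML,
    so any tags it contains become part of the page the browser executes."""
    return f"<h2>Log filter: {param(url, 'filter')}</h2>"


def render_hardened(url: str) -> str:
    """Same page, but the parameter is HTML-escaped before it reaches the response,
    so '<' and '>' arrive as text rather than as tag delimiters."""
    return f"<h2>Log filter: {html.escape(param(url, 'filter'), quote=True)}</h2>"


def reflects_markup(response: str, value: str) -> bool:
    """Response-side check: the raw input contained markup characters and the
    response still contains that input unchanged."""
    return any(c in value for c in MARKUP_CHARS) and value in response


def flag_request(url: str) -> bool:
    """Request-side heuristic for log review: any decoded query value carrying
    markup characters is worth a look, whatever page it targets."""
    values = [v for vs in parse_qs(urlsplit(url).query).values() for v in vs]
    return any(any(c in v for c in MARKUP_CHARS) for v in values)


if __name__ == "__main__":
    for url in (BENIGN_URL, HOSTILE_URL):
        print("request flagged:", flag_request(url))
        print("vulnerable:", render_vulnerable(url))
        print("hardened:  ", render_hardened(url))
```

For ordinary input the two renderers produce identical output, which is why this class of bug survives functional testing; only the markup-bearing request separates them.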

“Because the pfSense process runs as root to change network settings, this attack allows the attacker to execute arbitrary system commands as root,” Zeino-Mahmalat said.
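The second half of the chain, an unvalidated parameter reaching a root shell, is the one the third CVE above describes as a lack of validation. The following is an added example, not pfSense code, written in Python to show the two defensive controls that break the chain: an allowlist check on the interface name before it is used, and running the system command as an argument list so no shell ever parses the operand. The allowlist pattern and the `/sbin/ifconfig` invocation are assumptions for the illustration, and the injected sample value is constructed and harmless.

```python
import re
import subprocess
from typing import List

# Allowlist for interface names such as "gif0" or "gre1". This pattern is an
# assumption for the example, not pfSense's own validation rule.
IFACE_RE = re.compile(r"[a-z][a-z0-9_.]{0,14}")

# Characters that change meaning once a string is handed to /bin/sh.
SHELL_META = set(";|&$`\\\"'<>(){}[]*?~\n")

# Constructed sample values: one legitimate, one carrying a command separator.
GOOD_NAME = "gif0"
BAD_NAME = "gif0; echo injected"


def has_shell_metachars(value: str) -> bool:
    """Detection helper: does the value contain anything a shell would interpret?"""
    return any(c in SHELL_META for c in value)


def is_valid_iface(ifname: str) -> bool:
    """Allowlist validation: the whole string must match the expected token shape."""
    return IFACE_RE.fullmatch(ifname) is not None


def unsafe_command(ifname: str) -> str:
    """The injectable pattern: untrusted text concatenated into a single shell
    string. Anything after a ';' in ifname becomes a second command."""
    return f"/sbin/ifconfig {ifname} up"


def safe_argv(ifname: str) -> List[str]:
    """Validate first, then build an argv list. Each element is one argument to
    the program; a ';' inside ifname would stay a literal character, but the
    allowlist rejects it before that point anyway."""
    if not is_valid_iface(ifname):
        raise ValueError(f"rejected interface name: {ifname!r}")
    return ["/sbin/ifconfig", ifname, "up"]


def apply_interface(ifname: str) -> int:
    """Run the command without shell=True so the operand is never re-parsed.
    Returns the process exit status (not exercised in the tests below)."""
    return subprocess.run(safe_argv(ifname), check=False).returncode


if __name__ == "__main__":
    print("unsafe string:", unsafe_command(BAD_NAME))
    print("metachars present:", has_shell_metachars(BAD_NAME))
    print("safe argv:", safe_argv(GOOD_NAME))
```

The validation and the argv list are independent controls; keeping both means a future bypass of one does not immediately yield command execution, and running the privileged helper with the minimum required rights (rather than as root) limits what such a bypass could reach.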

Following responsible disclosure on July 3, 2023, the shortcomings were addressed in pfSense CE 2.7.1 and pfSense Plus 23.09, released last month.

The development comes weeks after Sonar detailed a remote code execution flaw in a built-in npm integration (CVE-2023-36742, CVSS score: 7.8) that could be weaponized to execute arbitrary commands. It was addressed by Microsoft as part of the September 2023 Patch Tuesday updates.
