pfSense Releases Patch to Address Multiple Vulnerabilities (CVE-2023-42325, CVE-2023-42326, & CVE-2023-42327)

pfSense, an open-source firewall solution by Netgate, is affected by command injection and cross-site scripting vulnerabilities tracked as CVE-2023-42325, CVE-2023-42326, & CVE-2023-42327. The vulnerabilities may lead to remote code execution when chained together. Oskar Zeino-Mahmalat of SonarSource discovered and reported the vulnerabilities.

pfSense is a computer software distribution based on FreeBSD. The firewall software offers extensive customization and flexibility. It is a cost-effective solution that provides many features typically found in expensive commercial products.

CVE-2023-42325

The cross-site scripting (XSS) vulnerability exists in status_logs_filter_dynamic.php, a component of the pfSense Plus and pfSense CE software GUI.

The vulnerability arises due to the improper encoding of the affected parameters. The page does not always validate or sanitize the value of the “interface” variable from user input when using RAW mode (“filtersubmit=1”), which then may be printed without encoding inside a block of JavaScript code.

An attacker may exploit the vulnerability to execute arbitrary JavaScript in the user’s browser. Successful exploitation of the vulnerability may compromise the user’s session cookie or other information.

To exploit the vulnerability, an attacker must be logged in and have sufficient privileges to access status_logs_filter_dynamic.php.

CVE-2023-42326

The authenticated arbitrary command execution vulnerability exists in interfaces_gif_edit.php and interfaces_gre_edit.php, components of the pfSense Plus and pfSense CE software GUI.

The vulnerability originates from the lack of escaping of user-supplied values that reach shell commands in the functions being called. When creating or editing a GIF interface on interfaces_gif_edit.php or a GRE interface on interfaces_gre_edit.php, the submitted POST “gifif” or “greif” value is not validated. Subsequently, the value is passed to another function where it is used in shell commands.

Successful exploitation of the vulnerability may allow an attacker to execute arbitrary commands with a properly formatted submission value for “gifif” or “greif” in POST operations.

To exploit the vulnerability, an attacker must be logged in and have sufficient privileges to access either interfaces_gif_edit.php or interfaces_gre_edit.php.
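As an added illustration, not pfSense's code or Netgate's fix, the following PHP shows the defensive pattern for an interface-name parameter that reaches a shell command: allowlist validation first, then escapeshellarg() as defence in depth. The function names, the ifconfig command line and the sample inputs are assumptions.

```php
<?php
// Added example (not pfSense code): defensive handling of a POST value such as
// "gifif"/"greif" before it is used in a shell command. Function names, the
// ifconfig invocation and the constructed sample inputs are assumptions.

declare(strict_types=1);

/**
 * Accept only interface names of the form gif<N> or gre<N>.
 * Returns the validated name, or null if the value must be rejected.
 */
function validate_tunnel_ifname(string $value): ?string
{
    // Allowlist: fixed prefix followed by digits, nothing else. The /D modifier
    // makes '$' match only at the very end, so a trailing newline is rejected too.
    return preg_match('/^(gif|gre)[0-9]+$/D', $value) === 1 ? $value : null;
}

/**
 * Build the command line safely: structural validation, then escapeshellarg()
 * so the value stays a single argument even if the allowlist is later loosened.
 */
function build_ifconfig_create(string $submitted): string
{
    $ifname = validate_tunnel_ifname($submitted);
    if ($ifname === null) {
        throw new InvalidArgumentException('Invalid tunnel interface name');
    }
    return '/sbin/ifconfig ' . escapeshellarg($ifname) . ' create';
}

// Constructed inputs: legitimate POST values and values carrying shell metacharacters.
$samples = ['gif0', 'gre12', 'gif0;id', 'gif0 $(id)', "gre1\nid", 'gif0|id', 'GIF0'];
foreach ($samples as $s) {
    try {
        echo json_encode($s), ' -> ', build_ifconfig_create($s), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($s), ' -> rejected', PHP_EOL;
    }
}
```

Only the first two samples produce a command line; every other value is rejected before any command is built, which is the behaviour a code review of a GUI handler like this should confirm.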

CVE-2023-42327

A cross-site scripting (XSS) vulnerability was found in getserviceproviders.php, a component of the pfSense Plus and pfSense CE software GUI.

The vulnerability originates from the improper encoding of the affected parameters. The page does not always validate or sanitize the value of the “connection” variable from user input, which then may be displayed without encoding.

An attacker may exploit the vulnerability to execute arbitrary JavaScript in the user’s browser. Successful exploitation of the vulnerability may compromise the user’s session cookie or other information.

To exploit the vulnerability, an attacker must be logged in and have sufficient privileges to access getserviceproviders.php.

Affected Versions

  • pfSense Plus software versions <= 23.05.1
  • pfSense CE software versions <= 2.7.0

Mitigation

  • pfSense Plus master, 23.09
  • pfSense CE master, 2.7.1

For more information about the mitigation, please refer to pfSense-SA-23_08, pfSense-SA-23_09, and pfSense-SA-23_10.

Qualys Detection

Qualys customers can scan their devices with QID 34081 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://docs.netgate.com/downloads/pfSense-SA-23_08.webgui.asc
https://docs.netgate.com/downloads/pfSense-SA-23_09.webgui.asc
https://docs.netgate.com/downloads/pfSense-SA-23_10.webgui.asc
https://docs.netgate.com/downloads/pfSense-SA-23_11.webgui.asc
https://www.sonarsource.com/blog/pfsense-vulnerabilities-sonarcloud/
