Multiple security vulnerabilities have been discovered in the open-source Netgate pfSense firewall solution called pfSense that could be chained by an attacker to execute arbitrary commands on susceptible appliances.
The issues relate to two reflected cross-site scripting (XSS) bugs and one command injection flaw, according to new findings from Sonar.
“Security inside a local network is often more lax as network administrators trust their firewalls to protect them from remote attacks,” security researcher Oskar Zeino-Mahmalat said.
“Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network.”
Impacting pfSense CE 2.7.0 and below and pfSense Plus 23.05.1 and below, the shortcomings could be weaponized by tricking an authenticated pfSense user (i.e., an admin user) into clicking on a specially crafted URL, which contains an XSS payload that activates command injection.
A brief description of the flaws is given below –
- CVE-2023-42325 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted url to the status_logs_filter_dynamic.php page.
- CVE-2023-42327 (CVSS score: 5.4) – An XSS vulnerability that allows a remote attacker to gain privileges via a crafted URL to the getserviceproviders.php page.
- CVE-2023-42326 (CVSS score: 8.8) – A lack of validation that allows a remote attacker to execute arbitrary code via a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php components.
Reflected XSS attacks, also called non-persistent attacks, occur when an attacker delivers a malicious script to a vulnerable web application, which is then returned in the HTTP response and executed on the victim’s web browser.
As a result, attacks of this kind are triggered by means of crafted links embedded in phishing messages or a third-party website, for example, in a comment section or in the form of links shared on social media posts. In the case of pfSense, the threat actor can perform actions in the firewall with the victim’s permissions.
“Because the pfSense process runs as root to be able to change networking settings, the attacker can execute arbitrary system commands as root using this attack,” Zeino-Mahmalat said.
Following responsible disclosure on July 3, 2023, the flaws were addressed in pfSense CE 2.7.1 and pfSense Plus 23.09 released last month.
The development comes weeks after Sonar detailed a remote code execution flaw in Microsoft Visual Studio Code’s built-in integration of npm (CVE-2023-36742, CVSS score: 7.8) that could be weaponized to execute arbitrary commands. It was addressed by Microsoft as part of its Patch Tuesday updates for September 2023.