Pierluigi Paganini December 15, 2023

Security flaws in Netgate pfSense firewall solution can potentially lead to arbitrary code execution on vulnerable devices.

pfSense is a popular open-source firewall solution maintained by Netgate, researchers discovered multiple security issues affecting it.

Researchers from SonarCloud discovered several security issues, Cross-Site Scripting (XSS) vulnerabilities and a Command Injection vulnerability in pfSense CE (CVE-2023-42325, CVE-2023-42327, CVE-2023-42326). The experts pointed out that an attacker can chain them attacker to execute arbitrary commands on a vulnerable pfSense appliance.

“Security inside a local network is often more lax as network administrators trust their firewalls to protect them from remote attacks. Potential attackers could have used the discovered vulnerabilities to spy on traffic or attack services inside the local network.” reads the analysis published by SonarSource.

The researchers explained that a threat actor can trick an authenticated pfSense user into clicking on a maliciously crafted link containing an XSS payload that triggers the command injection flaw. The analysis states that the victim user needs to be an admin user or at least have access to specific subsections of the pfSense WebGui. 

The attack scenario can see threat actors sending specially crafted links in phishing messages or tricking the victim into clicking on web content.

“An attacker could exploit this vulnerability by inserting a semicolon to start a new shell command and commenting out the unwanted rest of the original command with a hashtag. Because the pfSense process runs as root to be able to change networking settings, the attacker can execute arbitrary system commands as root using this attack.” continues the advisory. “The attacker needs access to a user account with permission to access the interface_gif_edit.php/interface_gre_edit.php page, which can be done with the previously shown XSS vulnerability.”

The flaws impact pfSense CE 2.7.0 and below, pfSense Plus 23.05.1 and below. 

Netgate addressed the vulnerabilities with the release of pfSense CE 2.7.1 and pfSense Plus 23.09.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, pfSense firewall)