Approximately 1,450 internet-exposed pfSense instances have been found vulnerable to command injection and cross-site scripting flaws. Chained together, these vulnerabilities could allow attackers to execute code remotely on the appliance.
pfSense is a widely used open-source firewall and router software that offers a high degree of customization and deployment flexibility. It is a cost-effective option that can be tailored to unique requirements while providing many of the features commonly found in high-priced commercial products.
SonarSource researchers, via their SonarCloud service, recently identified three vulnerabilities affecting pfSense versions 2.7.0 and earlier, as well as pfSense Plus versions 23.05.01 and earlier. The vulnerabilities are identified as CVE-2023-42325 (Cross-Site Scripting), CVE-2023-42327 (Cross-Site Scripting), and CVE-2023-42326 (Command Injection).
While the reflected XSS vulnerabilities require user interaction on the victim’s part to be exploited, the command injection vulnerability is more critical, with a CVSS score of 8.8.
The vulnerability in pfSense’s web UI stems from the construction of shell commands using user-provided data to configure network interfaces, without implementing adequate validation.
The vulnerability affects the “gifif” network interface parameter, which is not validated to ensure it contains only safe values. This allows malicious actors to inject additional shell commands into the parameter, which are then executed with root privileges.
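The flaw described above is a textbook case of splicing a request parameter into a shell command string. The following is an added illustration, not pfSense code: the vulnerable pattern next to a hardened one that checks the interface name against a strict allowlist and passes it to the operating system as an argument vector rather than a shell string. The `/sbin/ifconfig` command, the `gif[0-9]+` naming shape and the sample inputs are assumptions constructed for the example.

```python
from __future__ import annotations

import re
import subprocess

# Assumption for this example: gif(4) tunnel interfaces are named "gif" followed
# by one to four digits. Anything else is rejected before it reaches a shell.
GIFIF_NAME_RE = re.compile(r"gif[0-9]{1,4}")


class InvalidInterfaceName(ValueError):
    """Raised when a request parameter is not an acceptable interface name."""


def build_command_unsafe(gifif: str) -> str:
    """Vulnerable pattern: the parameter is interpolated into a shell string.
    Any shell metacharacter in `gifif` changes what the shell executes, and
    the web UI runs as root, so the injected text runs as root too."""
    return f"/sbin/ifconfig {gifif} up"


def validate_gifif(gifif: str) -> str:
    """Hardened pattern: accept only names that match the allowlist exactly.
    fullmatch() (not search/match with '$') also rejects a trailing newline."""
    if not GIFIF_NAME_RE.fullmatch(gifif):
        raise InvalidInterfaceName(f"rejected interface name: {gifif!r}")
    return gifif


def build_command_safe(gifif: str) -> list[str]:
    """Return an argv list. With shell=False no shell parses the arguments,
    and the name has already passed the allowlist."""
    return ["/sbin/ifconfig", validate_gifif(gifif), "up"]


def bring_up_interface(gifif: str, dry_run: bool = True) -> list[str]:
    """Build (and, when dry_run is False, execute) the hardened command."""
    argv = build_command_safe(gifif)
    if not dry_run:
        subprocess.run(argv, check=True)  # argv passed as-is, no shell
    return argv


def classify_inputs(names: list[str]) -> dict[str, bool]:
    """Map each candidate name to whether the allowlist accepts it."""
    return {n: GIFIF_NAME_RE.fullmatch(n) is not None for n in names}


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate names and several malformed ones.
    samples = ["gif0", "gif12", "em0", "", "gif", "gif0\n", "gif0;echo x", "gif0 && echo x"]
    for name, ok in classify_inputs(samples).items():
        print(f"{name!r:20} -> {'accepted' if ok else 'rejected'}")
```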
For this exploit to succeed, the malicious actor must have access to an account with permission to modify interfaces. Multiple vulnerabilities therefore need to be chained together to mount a potent attack.
Either CVE-2023-42325 or CVE-2023-42327 can be exploited to execute malicious JavaScript in an authenticated user’s browser, thereby gaining control over their pfSense session.