A number of security vulnerabilities have been found within the open-source Netgate pfSense firewall answer referred to as pfSense that might be chained by an attacker to execute arbitrary instructions on vulnerable home equipment.
The problems relate to 2 mirrored cross-site scripting (XSS) bugs and one command injection flaw, in accordance with new findings from Sonar.
“Safety inside a neighborhood community is usually extra lax as community directors belief their firewalls to guard them from distant assaults,” security researcher Oskar Zeino-Mahmalat stated.
“Potential attackers might have used the found vulnerabilities to spy on site visitors or assault providers contained in the native community.”
Impacting pfSense CE 2.7.0 and beneath and pfSense Plus 23.05.1 and beneath, the shortcomings might be weaponized by tricking an authenticated pfSense consumer (i.e., an admin consumer) into clicking on a specifically crafted URL, which accommodates an XSS payload that prompts command injection.
A short description of the failings is given beneath –
- CVE-2023-42325 (CVSS rating: 5.4) – An XSS vulnerability that enables a distant attacker to realize privileges through a crafted url to the status_logs_filter_dynamic.php web page.
- CVE-2023-42327 (CVSS rating: 5.4) – An XSS vulnerability that enables a distant attacker to realize privileges through a crafted URL to the getserviceproviders.php web page.
- CVE-2023-42326 (CVSS rating: 8.8) – An absence of validation that enables a distant attacker to execute arbitrary code through a crafted request to the interfaces_gif_edit.php and interfaces_gre_edit.php elements.
Mirrored XSS assaults, additionally referred to as non-persistent assaults, happen when an attacker delivers a malicious script to a weak internet utility, which is then returned within the HTTP response and executed on the sufferer’s internet browser.
Consequently, assaults of this sort are triggered by way of crafted hyperlinks embedded in phishing messages or a third-party web site, for instance, in a remark part or within the type of hyperlinks shared on social media posts. Within the case of pfSense, the risk actor can carry out actions within the firewall with the sufferer’s permissions.
“As a result of the pfSense course of runs as root to have the ability to change networking settings, the attacker can execute arbitrary system instructions as root utilizing this assault,” Zeino-Mahmalat stated.
Following accountable disclosure on July 3, 2023, the failings have been addressed in pfSense CE 2.7.1 and pfSense Plus 23.09 launched final month.
The event comes weeks after Sonar detailed a distant code execution flaw in Microsoft Visible Studio Code’s built-in integration of npm (CVE-2023-36742, CVSS rating: 7.8) that might be weaponized to execute arbitrary instructions. It was addressed by Microsoft as a part of its Patch Tuesday updates for September 2023.
