Over 1,450 pfSense Servers Vulnerable to Remote Code Execution Attacks Due to Multiple Bugs

December 12, 2023

Approximately 1,450 internet-exposed instances of pfSense, a widely used open-source firewall and router software, are currently exposed to potential remote code execution (RCE) attacks. The exposure stems from a chain of bugs that includes a command injection flaw and two cross-site scripting (XSS) flaws. Exploited together, these vulnerabilities could allow an attacker to execute arbitrary code on the affected appliance.

pfSense is a popular choice among users because of its extensive customization capabilities and deployment flexibility. It offers a range of features typically found in high-cost commercial products, making it a cost-effective solution for many.

In mid-November, researchers from SonarSource, using their SonarCloud solution, identified three vulnerabilities affecting pfSense 2.7.0 and older, as well as pfSense Plus 23.05.01 and older. These vulnerabilities have been assigned the identifiers CVE-2023-42325 (XSS), CVE-2023-42327 (XSS), and CVE-2023-42326 (command injection).

The reflected XSS vulnerabilities require user action to be exploited, but the command injection vulnerability, with a CVSS score of 8.8, is more severe. This vulnerability stems from the pfSense web UI, where shell commands are constructed from user-provided data for configuring network interfaces without proper validation. The 'gifif' network interface parameter is affected, as it is not checked for safe values, allowing threat actors to inject additional commands into the parameter, leading to their execution with root privileges.
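The defect described above is the classic shape of a command injection: a value taken from the web UI is interpolated into a shell command line without being checked. The following added example (not pfSense's own code, which is PHP; this is an illustration written here in Python) contrasts that vulnerable pattern with two hardened forms: validating the interface name against a strict allowlist pattern, and handing the command to the OS as an argv list with no shell involved. The `IFACE_RE` pattern, the `ifconfig` command line and the sample inputs are all assumptions constructed for the example.

```python
import re
import shlex
import subprocess
from typing import List

# Allowlist for an interface name: lowercase letters followed by digits,
# e.g. "gif0" or "em1". This is an assumed pattern for the example, not
# pfSense's own validation rule.
IFACE_RE = re.compile(r"^[a-z]{1,15}[0-9]{1,3}$")


def build_command_unsafe(gifif: str) -> str:
    """Vulnerable pattern: untrusted input interpolated into a shell string.
    If this string were passed to a shell, metacharacters such as ';' in
    the parameter would terminate the intended command and start another.
    Returned for inspection only; it is never executed in this example."""
    return f"/sbin/ifconfig {gifif} up"


def validate_iface(gifif: str) -> str:
    """Allowlist check: accept only a plain interface name, reject the rest."""
    if not IFACE_RE.match(gifif):
        raise ValueError(f"invalid interface name: {gifif!r}")
    return gifif


def build_command_safe(gifif: str) -> List[str]:
    """Hardened pattern: validate first, then build an argv list.
    With shell=False each list element reaches execve as one argument,
    so nothing in the parameter can be parsed as a second command."""
    return ["/sbin/ifconfig", validate_iface(gifif), "up"]


def build_command_quoted(gifif: str) -> str:
    """Fallback when a shell string is unavoidable: quote the argument so the
    shell treats it as a single literal word. Quoting alone does not replace
    the allowlist check; it only stops the value from being parsed as code."""
    return f"/sbin/ifconfig {shlex.quote(gifif)} up"


def run_safe(gifif: str) -> subprocess.CompletedProcess:
    """Execute the hardened form. shell=False is the essential property."""
    return subprocess.run(build_command_safe(gifif), shell=False,
                          check=False, capture_output=True)


if __name__ == "__main__":
    # Constructed sample inputs: a benign name and one carrying a shell
    # metacharacter followed by a harmless extra command.
    benign = "gif0"
    hostile = "gif0; echo injected"

    print("unsafe :", build_command_unsafe(hostile))   # two commands for a shell
    print("quoted :", build_command_quoted(hostile))   # one literal argument
    print("argv   :", build_command_safe(benign))
    try:
        build_command_safe(hostile)
    except ValueError as err:
        print("rejected:", err)
```

The allowlist check is the primary control: interface names have a known, narrow shape, so anything outside it should be rejected outright at the web layer. Passing an argv list without a shell is the second layer and removes the injection sink entirely, which is why the quoted-string form is shown only as a fallback.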

To exploit this vulnerability, an attacker would require access to an account with interface editing permissions. This necessitates the chaining of the vulnerabilities for a more potent attack. Either CVE-2023-42325 or CVE-2023-42327 could be used to execute malicious JavaScript in an authenticated user's browser to gain control over their pfSense session.

Netgate, the vendor of pfSense, was informed about these vulnerabilities on July 3, 2023, and released security updates addressing them on November 6 (for pfSense Plus 23.09) and November 16 (for pfSense CE 2.7.1). Despite these patches being available for over a month, nearly 1,500 pfSense instances remain vulnerable.

A scan conducted by the researchers revealed that out of 1,569 internet-exposed pfSense instances, 42 use pfSense Plus 23.09, and another 77 run pfSense Community Edition 2.7.1. This means that 1,450 instances (or 92.4% of the total), which can be discovered directly through Shodan, are still vulnerable to the mentioned flaws.
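For an operator the practical question behind these figures is which of their own appliances are still below the fixed version. The following added example (not SonarSource's scan tooling or Netgate's code) parses pfSense version strings, compares them against the fixed releases stated above (CE 2.7.1, Plus 23.09) and triages an inventory. The inventory is constructed sample data; the `parse_version` padding rule is an assumption made so that "23.09" and "23.05.01" compare correctly.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases as reported in the article.
FIXED: Dict[str, str] = {"ce": "2.7.1", "plus": "23.09"}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2.7.0" or "23.05.01" into a comparable tuple, padded to three
    components so "23.09" compares as (23, 9, 0) against (23, 5, 1)."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts)) if len(parts) < 3 else parts


def is_vulnerable(edition: str, version: str) -> bool:
    """True when the reported version is older than the fixed release
    for that edition ("ce" or "plus")."""
    key = edition.strip().lower()
    if key not in FIXED:
        raise ValueError(f"unknown edition: {edition!r}")
    return parse_version(version) < parse_version(FIXED[key])


def triage(inventory: List[Tuple[str, str, str]]) -> Tuple[List[str], int]:
    """inventory rows are (host, edition, version).
    Returns the hosts still needing the update and the total row count."""
    vulnerable = [host for host, edition, version in inventory
                  if is_vulnerable(edition, version)]
    return vulnerable, len(inventory)


def vulnerable_share(vulnerable: int, total: int) -> float:
    """Percentage of the inventory that is still unpatched, one decimal."""
    return round(100.0 * vulnerable / total, 1) if total else 0.0


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "ce", "2.7.0"),
    ("fw-edge-2", "ce", "2.7.1"),
    ("fw-dc-1", "plus", "23.05.01"),
    ("fw-dc-2", "plus", "23.09"),
    ("fw-lab", "ce", "2.6.0"),
]

if __name__ == "__main__":
    hosts, total = triage(SAMPLE_INVENTORY)
    print(f"{len(hosts)}/{total} still unpatched ({vulnerable_share(len(hosts), total)}%):")
    for h in hosts:
        print("  ", h)
```

Applied to the article's counts, `vulnerable_share(1450, 1569)` reproduces the 92.4% figure. The version comparison is deliberately strict: anything that does not parse as dotted integers is reported as an error rather than silently treated as patched.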

While this exposure doesn't mean these instances can be immediately compromised, as threat actors would first need to exploit the XSS flaws, it does create a significant attack surface. Although the number of vulnerable endpoints is a small fraction of global pfSense deployments, the fact that many large enterprises use this software makes this situation particularly concerning. An attacker with access to pfSense operating with high-level privileges could potentially cause data breaches, gain access to sensitive internal resources, and move laterally within the compromised network.
