Advisory

pfSense open-source firewall servers exposed to attacks via chained vulnerabilities

Take action: If you are using pfSense in your organization, plan to upgrade soon to pfSense Plus 23.09 or pfSense CE 2.7.1. The chained attack requires luring an authenticated pfSense user into opening a crafted link (phishing), but given enough time that attack will succeed. Because the pfSense web interface is visible on the internet, attackers will quickly learn whom to attack.


Learn More

Nearly 1,500 internet-exposed pfSense firewall servers are reported to be at risk of Remote Code Execution (RCE) due to a series of vulnerabilities. pfSense is widely used open-source firewall and router software, known for its flexibility and for a feature set comparable to costly commercial alternatives.

Researchers from SonarSource identified three vulnerabilities affecting pfSense CE 2.7.0 and earlier, as well as pfSense Plus 23.05.01 and earlier. They are tracked as CVE-2023-42325 (CVSS score 5.4) and CVE-2023-42327 (CVSS score 5.4), both cross-site scripting (XSS) flaws, and CVE-2023-42326 (CVSS score 8.8), a command injection flaw. The command injection arises from inadequate validation in the pfSense web UI, specifically in its handling of the "gifif" network interface parameter. That oversight lets an attacker who has access to an account with interface-editing permissions inject and execute commands with root privileges.
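To make the injection mechanism concrete, here is an added Python example; it is not pfSense's code and does not reproduce the vulnerable page. It shows the anti-pattern of splicing a request parameter such as gifif into a shell command string, tokenises the result the way /bin/sh would so a second command becomes visible, and beside it the hardened form, which rejects anything that is not a plain driver-plus-unit interface name on an allowlist and passes the value as a separate argv element so no shell ever parses it. The ifconfig command, the interface allowlist and the sample payload are all constructed for illustration.

```python
import re
import shlex
from typing import List

# Constructed allowlist: the gif interfaces this illustrative firewall has
# configured. A real implementation would read it from the device config.
KNOWN_GIF_INTERFACES = {"gif0", "gif1"}

# FreeBSD-style interface names are a driver name plus a unit number and
# nothing else; anything outside this shape is not an interface name.
INTERFACE_NAME = re.compile(r"[a-z]+[0-9]{1,3}")

# Shell control operators that start a new command.
SEPARATORS = {";", "&&", "||", "|", "&"}


def vulnerable_command(gifif: str) -> str:
    """The anti-pattern: splice the request parameter into a shell string.
    (Illustrative command only; this is not pfSense's code.)"""
    return f"/sbin/ifconfig {gifif} destroy"


def commands_a_shell_would_run(command_line: str) -> List[List[str]]:
    """Tokenise like /bin/sh and split at control operators, to make visible
    how many separate commands the string really contains."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands: List[List[str]] = []
    current: List[str] = []
    for token in lexer:
        if token in SEPARATORS:
            if current:
                commands.append(current)
                current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


def validate_interface(gifif: str) -> str:
    """Hardened form: accept only a well-formed name that is also on the
    allowlist. Rejecting bad input is safer than trying to escape it."""
    if not INTERFACE_NAME.fullmatch(gifif):
        raise ValueError(f"rejected {gifif!r}: not a bare interface name")
    if gifif not in KNOWN_GIF_INTERFACES:
        raise ValueError(f"rejected {gifif!r}: not a configured gif interface")
    return gifif


def is_acceptable(gifif: str) -> bool:
    """Boolean wrapper around validate_interface for callers that only need
    a yes/no answer."""
    try:
        validate_interface(gifif)
    except ValueError:
        return False
    return True


def hardened_argv(gifif: str) -> List[str]:
    """Validate, then build an argv list so the value reaches the program as
    exactly one argument and no shell ever parses it."""
    return ["/sbin/ifconfig", validate_interface(gifif), "destroy"]


if __name__ == "__main__":
    payload = "gif0; id"  # constructed sample payload
    print(commands_a_shell_would_run(vulnerable_command(payload)))
    try:
        hardened_argv(payload)
    except ValueError as err:
        print(err)
```

Run stand-alone, the script shows the vulnerable string turning into two commands (`/sbin/ifconfig gif0` followed by `id destroy`) while the hardened path refuses the same input before any process is started. The allowlist check matters independently of the syntax check: a well-formed name such as gif9 that the device has not configured is rejected too, which keeps the code from touching interfaces the caller was never meant to edit.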

The XSS flaws require user interaction to be exploited, but they can be chained with the command injection flaw into a far more potent attack. Either XSS vulnerability is used to run malicious JavaScript in an authenticated user's browser, which hands the attacker control of that user's pfSense session; if that account has interface-editing permissions, the attacker can then trigger the command injection from inside the session and run commands as root.

Netgate, the company behind pfSense, was notified of these flaws on July 3, 2023, and released fixes on November 6 (pfSense Plus 23.09) and November 16 (pfSense CE 2.7.1). Although the patches had been available for about a month, SonarSource's Shodan scan found that around 1,450 of the 1,569 internet-exposed pfSense instances it identified (92.4%) were still running vulnerable versions.
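A quick way to triage an inventory against the versions named above, as an added example rather than Netgate's or SonarSource's tooling: the script parses both CE (2.x) and Plus (YY.MM) version strings, strips a trailing -RELEASE style suffix, and compares each against the fixed releases 2.7.1 and 23.09. The edition heuristic (a first component of 21 or higher means pfSense Plus) and the host inventory are assumptions; the version strings are in the format pfSense writes to /etc/version, which you should confirm on your own build.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory: CE 2.7.1 and Plus 23.09.
FIXED = {"ce": (2, 7, 1), "plus": (23, 9)}

# Numeric dotted version with an optional suffix such as -RELEASE or -RC.
VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)*)(?:-[A-Za-z0-9_]+)?\s*")


def parse_version(raw: str) -> Tuple[str, Tuple[int, ...]]:
    """Return (edition, numeric components) for strings such as
    '2.7.0-RELEASE', '23.05.01-RELEASE' or '23.09'.

    Assumption: pfSense Plus uses year-based numbers (21.x and later) while
    CE uses 2.x, so the first component tells the editions apart."""
    match = VERSION_RE.fullmatch(raw)
    if not match:
        raise ValueError(f"unrecognised pfSense version string: {raw!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    edition = "plus" if parts[0] >= 21 else "ce"
    return edition, parts


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Compare two version tuples, padding the shorter with zeros so that
    23.09 equals 23.09.0 and 23.05.01 sorts before 23.09."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_affected(raw: str) -> bool:
    """True when the version is older than the fixed release for its edition."""
    edition, parts = parse_version(raw)
    return compare(parts, FIXED[edition]) < 0


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hosts that still need the upgrade, in inventory order."""
    return [host for host, version in inventory.items() if is_affected(version)]


# Constructed sample inventory (hostname -> contents of /etc/version).
SAMPLE_INVENTORY = {
    "fw-edge-1": "2.7.0-RELEASE",
    "fw-edge-2": "2.7.1-RELEASE",
    "fw-dc-1": "23.05.01-RELEASE",
    "fw-dc-2": "23.09-RELEASE",
    "fw-lab": "2.6.0-RELEASE",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is affected, upgrade required")
```

The zero-padding in compare is what makes the Plus comparison correct: a naive string comparison of "23.05.01" against "23.09" would be misled by the differing number of components, and a naive integer comparison would treat "09" and "9" inconsistently. Feed the function whatever your asset database reports and patch everything it lists.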
