Cross-site scripting: vulnerabilities in pfSense enable admin cookie theft

The open source firewall pfSense has several holes through which attackers can inject their own JavaScript code. Updates are available.


(Image: asharkyu/Shutterstock.com)

This article was originally published in German and has been automatically translated.

Security researchers have discovered several vulnerabilities in the web administration interface of the pfSense open source firewall that enable cross-site scripting (XSS), i.e. the injection of JavaScript code by attackers. In addition, users with certain access rights can execute their own PHP code on the firewall. The pfSense team has patched the vulnerabilities in both the Community Edition (CE) and the commercial version "pfSense Plus" and is providing updates.

In four security reports, Netgate, the company behind pfSense and its commercial variants, describes three different XSS vulnerabilities and a "Local File Inclusion" in the firewall's web GUI. None of the vulnerabilities have received a CVE ID or a CVSS score.

The most dangerous of the four entered pfSense through a bundled jQuery plugin called "treegrid". The plugin's source tree contains files intended for its own unit tests, and these were shipped to users along with the rest of the software. The scripts are reachable by anyone with network access to the firewall's web GUI, logged in or not, and they do not sufficiently validate their parameters. An attacker could use the resulting cross-site scripting to try to steal the administrator's session cookie or to remotely control the administrator's browser. The editorial team rates the severity at 9.6 (critical); the BSI arrives at a somewhat more conservative 8.8 (high) in its warning.
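The paragraph above describes the classic shape of this bug class: a script that echoes an unchecked request parameter into the page, reachable without a login, and a session cookie that a script could then read. The block below is an added example and is not pfSense or treegrid code; the renderers, the parameter name `title`, the cookie name `PHPSESSID` and the constructed `Set-Cookie` headers are all hypothetical. It shows the vulnerable reflection beside a hardened version, and a small check of the cookie attributes that decide whether injected script can read the session cookie at all.

```javascript
// Added example, not part of the article or of pfSense/treegrid.
// Hypothetical stand-in for a demo page that echoes a query parameter.

// Parse "?a=b&c=d" into an object. Splits each pair on the FIRST '=' so
// values that themselves contain '=' (as injected markup often does) survive.
function parseQuery(search) {
  const params = {};
  const qs = search.startsWith('?') ? search.slice(1) : search;
  for (const pair of qs.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? '' : pair.slice(i + 1);
    params[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return params;
}

// Vulnerable pattern: the untrusted parameter is concatenated straight into
// markup, so '<' and '>' in the value become live HTML (reflected XSS).
function renderVulnerable(search) {
  const { title = 'Demo' } = parseQuery(search);
  return `<h1>${title}</h1>`;
}

// Hardened pattern: escape the five HTML-significant characters before the
// value is inserted into an HTML text context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderSafe(search) {
  const { title = 'Demo' } = parseQuery(search);
  return `<h1>${escapeHtml(title)}</h1>`;
}

// Inspect one Set-Cookie header value. Without HttpOnly, document.cookie in
// an injected script returns the session cookie; with it, the cookie can
// still be *used* by injected requests but not exfiltrated by reading it.
function analyzeSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const name = parts[0].split('=')[0];
  const attrs = new Set(parts.slice(1).map((p) => p.split('=')[0].toLowerCase()));
  const sameSitePart = parts.find((p) => p.toLowerCase().startsWith('samesite='));
  return {
    name,
    httpOnly: attrs.has('httponly'),
    secure: attrs.has('secure'),
    sameSite: sameSitePart ? sameSitePart.split('=')[1] : null,
    readableByScript: !attrs.has('httponly'),
  };
}

// Constructed inputs for a stand-alone run.
const payload = '?title=<img src=x onerror=alert(document.cookie)>';
console.log(renderVulnerable(payload));   // markup is live
console.log(renderSafe(payload));         // markup is inert text
console.log(analyzeSetCookie('PHPSESSID=abc; Path=/; Secure; HttpOnly; SameSite=Strict'));
console.log(analyzeSetCookie('PHPSESSID=abc; Path=/'));
```

The cookie check is the caveat a practitioner wants here: HttpOnly only blocks the "steal the cookie" half of the attack. A script running in the administrator's browser can still issue authenticated requests to the firewall, which is the "remotely control the browser" half the article also mentions, so the real fix is removing or patching the reflecting script, not just hardening cookie flags.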

A second, less dangerous XSS vulnerability in the web administration interface can only be exploited by logged-in users, and the third only by firewall administrators.

The fourth vulnerability, which allows arbitrary PHP files already stored on the firewall to be included and thus executed, is likewise only exploitable by logged-in users, who must additionally have access to the DNS Resolver integrated in pfSense and to the firewall's file system. If those conditions are met, they can stage a PHP file so that pfSense executes it.

All four vulnerabilities affect pfSense Plus up to and including version 23.09.1 and are fixed in pfSense Plus 24.03. Users of the Community Edition are affected if they run version 2.7.2 or earlier; upgrading to 2.8.0 fixes the bugs.

Firewall manufacturers have been confronted with massive security vulnerabilities for years, and specialized attackers exploit them for far-reaching intrusions. Yesterday, April 24, Cisco reported backdoor software in its ASA appliances, last week it was Palo Alto's turn, and Fortinet firewalls also recently had problems with admin cookie theft.

(cku)