Over 1,450 pfSense Servers Exposed to RCE Attacks Via Bug Chain

Cyber Security Threat Summary:
In mid-November 2023, researchers at Sonar uncovered three flaws in pfSense, a popular open-source firewall and router software, which can be chained to execute code remotely on a targeted appliance. The flaws affect pfSense CE 2.7.0 and older and pfSense Plus 23.05.01 and older, and are tracked as CVE-2023-42325 (XSS), CVE-2023-42327 (XSS), and CVE-2023-42326 (command injection). Fixes shipped in pfSense CE 2.7.1 and pfSense Plus 23.09, yet over 1,450 pfSense instances reachable from the internet were still running vulnerable versions, most of them in Brazil (358), followed by the United States (196) and Russia (92).

Security Officer Comments:
CVE-2023-42326 is the most severe of the three. It arises because pfSense builds shell commands from user-supplied data when configuring network interfaces without adequately validating that data, so a crafted parameter value breaks out of the intended command and runs attacker-chosen commands on the appliance. Configuring these interface parameters requires administrative privileges, however, so an unauthenticated attacker cannot reach the injection directly. The chain instead starts with CVE-2023-42325 or CVE-2023-42327: malicious JavaScript executed in an authenticated user's browser runs inside that user's pfSense session and can submit the interface configuration request on their behalf. In the scenario the researchers describe, an attacker tricks a logged-in pfSense administrator into opening a crafted link whose XSS payload then triggers the command injection, yielding remote code execution without the attacker ever holding credentials.
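The injection pattern described above, as an added illustration that is not pfSense's actual code and not part of the original summary: a hypothetical tunnel-interface handler that builds an ifconfig command line from request fields, first in the vulnerable form and then hardened with strict validation plus shell escaping. The field names (if, local-addr, remote-addr), the command shape and the attacker-controlled value are assumptions chosen for the example; the real vulnerable code paths and parameters are not spelled out in the text.

```php
<?php
// Added illustration of the CVE-2023-42326 bug class, not pfSense's own code.
// The array keys and the ifconfig invocation are assumptions for the example.

// Vulnerable pattern: every field is concatenated straight into the command
// line. A remote-addr such as "203.0.113.1; id > /tmp/pwned" ends the
// ifconfig invocation early, and the shell runs the rest as a new command
// with the privileges of the web interface.
function build_tunnel_cmd_vulnerable(array $gif): string
{
    return "/sbin/ifconfig " . $gif['if'] . " tunnel "
        . $gif['local-addr'] . " " . $gif['remote-addr'];
}

// Hardened pattern: reject anything that is not the expected shape, then
// shell-escape each argument anyway so a future validation bug cannot reopen
// the hole on its own.
function build_tunnel_cmd_hardened(array $gif): string
{
    // Interface names are a short lowercase driver prefix plus a unit number
    // (gif0, gre1, em0); nothing else is accepted.
    if (!preg_match('/^[a-z]{1,8}[0-9]{1,3}$/', $gif['if'])) {
        throw new InvalidArgumentException('invalid interface name');
    }
    // Tunnel endpoints must parse as IP addresses; shell metacharacters,
    // whitespace and hostnames are all refused here.
    foreach (['local-addr', 'remote-addr'] as $key) {
        if (filter_var($gif[$key], FILTER_VALIDATE_IP) === false) {
            throw new InvalidArgumentException("invalid address in $key");
        }
    }
    return "/sbin/ifconfig " . escapeshellarg($gif['if']) . " tunnel "
        . escapeshellarg($gif['local-addr']) . " "
        . escapeshellarg($gif['remote-addr']);
}

// Constructed attacker input for the demonstration: the remote endpoint
// carries a shell command separator and a second command.
$evil = [
    'if'          => 'gif0',
    'local-addr'  => '198.51.100.2',
    'remote-addr' => '203.0.113.1; id > /tmp/pwned',
];

echo "vulnerable: ", build_tunnel_cmd_vulnerable($evil), PHP_EOL;

try {
    echo "hardened:   ", build_tunnel_cmd_hardened($evil), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "hardened:   rejected (", $e->getMessage(), ")", PHP_EOL;
}
```

The two defenses are deliberately layered: FILTER_VALIDATE_IP refuses the metacharacters outright, and escapeshellarg() guarantees that even a value which slipped past validation reaches ifconfig as a single argument rather than as new shell syntax. Where the runtime allows it, avoiding the shell entirely (proc_open() accepts the command as an argument array since PHP 7.4) removes the injection surface altogether.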

Suggested Correction(s):
Actors who gain control of a privileged session can abuse this chain to run code on the firewall itself, from which they can reach sensitive internal resources and move laterally across the network. Because pfSense is widely deployed in large enterprises, attacks of this nature can be dangerous. Organizations should upgrade to pfSense CE 2.7.1 or pfSense Plus 23.09, or later, as soon as possible. Since the chain relies on an administrator's browser, exposure is further reduced by not publishing the webConfigurator to the internet, restricting management access to trusted networks or a VPN, and logging out of the administrative interface rather than leaving an authenticated session open while browsing elsewhere.