Recently, researchers found that more than 1,000 pfSense devices around the world carrying serious vulnerabilities are exposed to the internet and at risk of attack.
pfSense is a popular open-source firewall solution from Netgate, based on FreeBSD, which can be installed on a physical computer or a virtual machine and can act as a stand-alone firewall and router in the network. Netgate offers two versions: pfSense Plus (paid) and pfSense CE (free community edition).
With its support for extensive customization and flexible deployment, pfSense is very popular in the enterprise market: it can quickly meet specific needs, provides the basic functionality found in expensive commercial firewall products, and is easy to use (it offers a web-based configuration interface), so enterprises often adopt it as a cost-effective firewall solution.
Three vulnerabilities could be exploited in combination to execute arbitrary commands
In mid-November, security researchers at SonarSource disclosed three vulnerabilities affecting pfSense CE 2.7.0 and earlier and pfSense Plus 23.05.01 and earlier: two cross-site scripting flaws and one command injection flaw, tracked as CVE-2023-42325 (XSS), CVE-2023-42327 (XSS) and CVE-2023-42326 (command injection).
Recently, researchers used Shodan scans to find that 1,450 exposed pfSense instances around the world still carry the command injection and cross-site scripting vulnerabilities mentioned above, which attackers can chain to execute arbitrary commands remotely on the device.
The geographical distribution of exposed instances is as follows:
Brazil: 358
United States: 196
Russia: 92
France: 87
Malaysia: 54
Italy: 52
Germany: 40
Vietnam: 39
Taiwan, China: 37
Indonesia: 36
Of the three disclosed vulnerabilities, the XSS flaws require user interaction, while the command injection flaw is the more severe (CVSS score 8.8). It exists in the pfSense web UI because the shell commands used to configure network interfaces are built without proper input validation; an attacker can inject additional commands through the GIF interface parameters and execute arbitrary commands with root privileges.
For this vulnerability to be exploited, the attacker also needs access to an account with interface-editing privileges, which is why the cross-site scripting vulnerabilities would need to be chained with it to carry out the attack.
The two cross-site scripting vulnerabilities (CVE-2023-42325, CVE-2023-42327) could be used to execute malicious JavaScript in an authenticated user's browser in order to take over their pfSense session.
Ninety percent of exposed instances still have no security fixes
The three vulnerabilities were reported to Netgate, the company behind pfSense, on July 3, 2023. Netgate released security updates addressing them on November 6, 2023 (pfSense Plus 23.09) and November 16, 2023 (pfSense CE 2.7.1).
However, a month after Netgate provided the patches, more than ninety percent of exposed pfSense instances were still vulnerable.
Shodan scan results from SonarSource's researchers showed that of 1,569 pfSense instances exposed to the internet, 1,450 (92.4%) were susceptible to the above vulnerabilities; 42 instances ran pfSense Plus 23.09 and another 77 ran pfSense CE 2.7.1.
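As an added example (not code from the report, from SonarSource or from Netgate), the following Python triage script flags inventory entries whose version is still below the patched releases named above (pfSense Plus 23.09, pfSense CE 2.7.1); the host names and the inventory list are constructed.

```python
import re

# First patched releases per the advisory: pfSense Plus 23.09, pfSense CE 2.7.1.
# Plus and CE use different numbering schemes, so each edition is compared
# only against its own fixed version.
FIXED = {"plus": (23, 9, 0), "ce": (2, 7, 1)}


def parse_version(text):
    """Turn '2.7.0-RELEASE' or '23.05.01' into a comparable integer tuple.

    Suffixes such as -RELEASE or -p1 are ignored; missing fields become 0.
    """
    m = re.match(r"^\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_vulnerable(edition, version):
    """True when this edition/version predates the first patched release."""
    key = edition.strip().lower()
    if key not in FIXED:
        raise ValueError(f"unknown pfSense edition: {edition!r}")
    return parse_version(version) < FIXED[key]


# Constructed sample inventory (hypothetical hosts, not from the report).
INVENTORY = [
    ("fw-branch-1", "ce", "2.7.0-RELEASE"),
    ("fw-branch-2", "ce", "2.7.1-RELEASE"),
    ("fw-hq", "plus", "23.05.01"),
    ("fw-dc", "plus", "23.09"),
    ("fw-lab", "ce", "2.6.0"),
]


def triage(inventory):
    """Return the hosts that still need the November 2023 security update."""
    return [host for host, edition, version in inventory
            if is_vulnerable(edition, version)]


if __name__ == "__main__":
    for host in triage(INVENTORY):
        print(f"{host}: update required")
```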
The researchers noted that exposure of a vulnerable instance does not mean it will be attacked immediately (the attacker would first need to target a victim with the XSS vulnerability), but such exposure provides a significant attack surface.
While the number of vulnerable endpoints represents only a small fraction of global pfSense deployments, the current situation is particularly dangerous given how widely large enterprises use the software.
Attackers with elevated access to pfSense can readily cause data breaches, access sensitive internal corporate resources, and move laterally within the compromised network.