Critical Vulnerabilities in pfSense Firewall Software Expose Systems to Remote Code Execution

Recent security assessments have uncovered multiple critical vulnerabilities in pfSense firewall software, potentially allowing authenticated attackers to inject malicious code, manipulate cloud backups, and achieve remote code execution. These vulnerabilities affect both pfSense Community Edition (CE) versions prior to 2.8.0 beta and corresponding pfSense Plus builds.

Overview of Identified Vulnerabilities

The identified vulnerabilities, designated CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779, stem from weaknesses in the Automatic Configuration Backup (ACB) service, the OpenVPN widget, and the dashboard widgets, respectively.

1. Exploiting Cloud Backups via SSH Key Derivation (CVE-2024-57273)

CVE-2024-57273 targets the ACB service, enabling attackers to hijack cloud backup keys. This flaw could lead to the deletion of backups, stored cross-site scripting (XSS) attacks, and information leakage.

Conditions for Exploitation:

– An accessible SSH server
– ACB configured on the firewall

The vulnerability arises because the API key for cloud backups is derived from the public SSH host key located at `/etc/ssh/ssh_host_ed25519_key.pub`. That key is public by design: the SSH server presents it to every client that connects, which is why an accessible SSH server is enough to obtain it. As security researchers noted, this makes it straightforward for an attacker to derive the backup key and then delete or poison the cloud backups.

Example of Exploitation:

An attacker can inject JavaScript code into the reason field of a backup. When an administrator views the backup list, the injected code executes in the administrator's browser session, a stored XSS condition.

2. OpenVPN Command Injection (CVE-2024-54780)

CVE-2024-54780 involves command injection in the OpenVPN widget. This authenticated vulnerability allows attackers to inject arbitrary OpenVPN management commands via the unsanitized `remipp` parameter.

Technical Details:

The vulnerability exists because user input is passed directly to the OpenVPN management interface without sanitization. The management interface treats each newline-terminated line as a separate command, so an attacker can append a URL-encoded newline (`%0A`) followed by another command, for example `remipp=5%0Astatus`, and have both commands executed.

3. XML Injection via Dashboard Widgets (CVE-2024-54779)

CVE-2024-54779 allows XML injection in dashboard widgets through the `widgetkey` parameter. This can lead to configuration file corruption and persistent XSS attacks.

Technical Details:

The vulnerable code directly incorporates the `widgetkey` value into XML structures without sanitization. In a worst-case scenario, this can prevent the firewall from bootstrapping properly, causing a denial of service.
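An added example, written in Python rather than pfSense's own PHP and not taken from the project, contrasting the unchecked concatenation behind the `remipp` injection with an allowlist check, and applying the same allowlist approach to `widgetkey`. It assumes the widget hands `remipp` to the management interface's `kill` command as `address:port`; the payload is the one quoted above.

```python
import re
from urllib.parse import unquote

# Constructed sample input: the URL-encoded payload quoted above decodes
# to "5\nstatus", i.e. a newline splitting the value into two lines.
INJECTED_REMIPP = unquote("5%0Astatus")

# Allowlist for a client identifier as address:port (IPv4 here).
# Assumption: the widget passes this value to the management interface's
# "kill" command, which accepts "address:port".
_REMIPP_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}")
# Widget keys are short identifiers; a tight character set guarantees the
# value can never open or close an XML element.
_WIDGETKEY_RE = re.compile(r"[A-Za-z0-9_\-]{1,64}")


def build_mgmt_command_vulnerable(remipp: str) -> str:
    """Mirrors the flaw: the parameter is concatenated into the command
    line unchecked, so an embedded newline ends one command and starts
    another."""
    return f"kill {remipp}\n"


def build_mgmt_command_hardened(remipp: str) -> str:
    """Validates the value against the allowlist first; anything that is
    not a well-formed address:port (control characters included) is
    rejected before it reaches the management socket."""
    if _REMIPP_RE.fullmatch(remipp) is None:
        raise ValueError("remipp is not a valid address:port")
    return f"kill {remipp}\n"


def command_count(payload: str) -> int:
    """Number of commands the management interface would parse: one per
    non-empty newline-terminated line."""
    return sum(1 for line in payload.split("\n") if line.strip())


def hardened_rejects(remipp: str) -> bool:
    """True when the hardened builder refuses the value."""
    try:
        build_mgmt_command_hardened(remipp)
    except ValueError:
        return True
    return False


def is_safe_widgetkey(widgetkey: str) -> bool:
    """Rejects any widgetkey that could break out of its XML element."""
    return _WIDGETKEY_RE.fullmatch(widgetkey) is not None
```

Feeding the decoded payload to the vulnerable builder yields two management commands; the hardened builder refuses it, and the same allowlist rule stops a `widgetkey` containing XML metacharacters from reaching the configuration file.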

Impact and Severity

The table below summarizes the impact, prerequisites, and severity of each vulnerability:

| CVE Identifier | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|----------------|-------------------|--------|-----------------------|----------------|
| CVE-2024-57273 | pfSense CE (prior to 2.8.0 beta) and pfSense Plus builds | Stored XSS in ACB service, backup deletion, and information leakage | Accessible SSH server + ACB configuration enabled | 5.4 (Medium) |
| CVE-2024-54780 | pfSense CE (prior to 2.8.0 beta) and pfSense Plus builds | Arbitrary command execution via OpenVPN management interface | Authenticated access to dashboard with OpenVPN widget privileges | 8.8 (High) |
| CVE-2024-54779 | pfSense CE (prior to 2.8.0 beta) and pfSense Plus builds | XML injection causing configuration corruption and persistent XSS | Authenticated access to dashboard widget configuration | 5.4 (Medium) |

Mitigation Measures

Netgate, the company behind pfSense, has addressed these issues in the upcoming pfSense Plus 25.03 and CE 2.8.0 releases. For the current releases, pfSense Plus 24.11 and CE 2.7.2, fixes are published through the System Patches package.

Available Patches Address:

– Multiple XSS vulnerabilities in Dashboard widgets
– OpenVPN command injection vulnerabilities
– XML injection issues in dashboard widgets

Recommendations for Users

Users are strongly advised to:

– Update to the latest patched versions of pfSense to mitigate these vulnerabilities.
– Review firewall configurations to ensure that unnecessary services are disabled.
– Implement defense-in-depth strategies to reduce exposure to potential attacks.

Conclusion

The discovery of these vulnerabilities underscores the critical importance of regular security audits and prompt patching in firewall software. By addressing these issues promptly, organizations can protect their networks from potential exploitation and maintain robust security postures.