A severe cross-site scripting (XSS) vulnerability impacting pfSense software has been patched by the vendor.
Netgate’s pfSense software is an open source firewall and router distribution based on FreeBSD, made available under an Apache 2.0 license.
Products include pfSense Community Edition (CE) and the more advanced pfSense Plus, formerly known as pfSense Factory Edition (FE).
Vulnerability
The XSS flaw, found in the services_wol.php page of the pfSense CE and pfSense Plus WebGUI, was discovered and reported by Fortinet Systems Engineer William Costa.
Tracked as CVE-2021-27933, the vulnerability was posted to the Full Disclosure mailing list on April 27.
Speaking to The Daily Swig, Costa said that an attack leveraging the vulnerability could allow attackers to create a malicious payload designed to trigger a stored XSS and lure a privileged user into executing the exploit, leading to application compromise.
To exploit the bug, an attacker would need to inject code into the ‘Description’ parameter of the page. Because the value is not properly encoded when it is printed back, malicious JavaScript could then be executed in a victim’s browser.
“The page did not validate the contents of the Description field for Wake on LAN entries, nor did it encode the output when using the ‘Wake All Devices’ function which prints this value, leading to a possible XSS,” the security advisory reads.
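The root cause the advisory describes, reduced to its essentials in an added PHP example (illustrative code written for this article, not pfSense’s own services_wol.php): a stored Description value is printed back into the page first without encoding, then with HTML entity encoding applied at the point of output. The entry array, the function names, the message text and the input check are all hypothetical.

```php
<?php
// Added example (not pfSense code). The Wake-on-LAN "Description" field is
// stored on the server and later printed back into the status page when all
// devices are woken. The vulnerable pattern echoes the stored value verbatim;
// the hardened pattern encodes it for an HTML context before output and also
// rejects control characters on input. Names and messages are hypothetical.

declare(strict_types=1);

// Constructed sample entries, as they might sit in the stored configuration
// after a user submitted the form. The second description carries HTML markup.
$wolEntries = [
    ['mac' => '00:11:22:33:44:55', 'descr' => 'Office printer'],
    ['mac' => '66:77:88:99:aa:bb', 'descr' => "<script>alert('xss')</script>"],
];

// VULNERABLE: the stored value is concatenated into HTML without encoding, so
// any markup in 'descr' becomes live HTML in the viewing administrator's browser.
function render_wake_all_vulnerable(array $entries): string
{
    $html = '';
    foreach ($entries as $e) {
        $html .= "Sent magic packet to {$e['mac']} ({$e['descr']})<br />\n";
    }
    return $html;
}

// HARDENED: every user-controlled value is HTML-entity encoded at the output
// point. ENT_QUOTES also encodes ' and " so the value stays inert inside
// attribute values, and the explicit charset avoids encoding mismatches.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_wake_all_safe(array $entries): string
{
    $html = '';
    foreach ($entries as $e) {
        $html .= 'Sent magic packet to ' . h($e['mac']) . ' (' . h($e['descr']) . ")<br />\n";
    }
    return $html;
}

// Defence in depth: validate on input as well. A description is free text, so
// forbidding '<' outright would break legitimate names; instead reject control
// characters and bound the byte length before storing. This check does NOT
// replace output encoding, which is what actually closes the XSS.
function validate_description(string $descr): bool
{
    return strlen($descr) <= 64
        && preg_match('/[\x00-\x1F\x7F]/', $descr) !== 1;
}

echo "--- vulnerable output ---\n", render_wake_all_vulnerable($wolEntries);
echo "--- encoded output ---\n", render_wake_all_safe($wolEntries);
```

Run with `php example.php`: the first block reproduces the script tag as raw markup, the second renders it as inert `&lt;script&gt;…` text. The fix belongs at the output point because the same stored value may be printed in several contexts; encoding each one is what the advisory’s wording (“nor did it encode the output”) points at.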
XSS vulnerabilities come in a variety of flavors, among the most severe being stored, or persistent, XSS, in which malicious input is saved by the target application and served back to later visitors.
These bugs are used to manipulate browser sessions and circumvent the same-origin policy, and can be exploited in a variety of scenarios: impersonating users, phishing, deploying malicious payloads, stealing credentials and user data, and, when the victim holds high privileges, potentially fully hijacking the vulnerable application.
Costa said he found the vulnerability while testing a tool designed to scan for zero-day vulnerabilities.
The engineer first explored pfSense manually for unknown bugs, found the XSS issue, and then ran the tool to see whether it would find the same vulnerability (ironically, the tool failed).
“In my test, [it] was possible [to] access the anti-CSRF token, that can [be] used [to] create and execute another action in PfSense, like creat[ing] a new user,” Costa added.
Patch
pfSense CE versions 2.5.0 and below are affected, as are pfSense Plus versions 21.02-p1 and below.
The XSS flaw was acknowledged in release notes for pfSense 2.5.1 and pfSense Plus 21.02.2, which both contain a patch for the bug.
The Daily Swig has reached out to the pfSense team and will update this article when we hear back.
Source: https://portswigger.net/daily-swig/stored-xss-vulnerability-patched-in-open-source-firewall-pfsense