Critical XSS flaw in PfSense open source firewall; update now

Netgate Solutions announced the release of an update to fix a critical inter-site scripting vulnerability (XSS) impacting its PfSense solution, a FreeBSD-based open source offering for firewall routing and support under an Apache 2.0 license.

This flaw lies in the services_wol.php function of PfSense CE and PfSense PlusWebGUI was discovered by William Costa, researcher at security firm Fortinet and has been identified as CVE-2021-27933. The vulnerability was added to Full Disclosure on April 27. In this regard, Costa mentions that a threat actor trying to exploit the vulnerability could create a malicious payload designed to trigger the XSS condition and trick users with high privileges into executing the necessary exploit. 

Exploiting the flaw requires threat actors to inject code into the “Description” parameter of the vulnerable function, which can be done through the victim’s browser: “The page does not validate the contents of this field for Wake on LAN inputs, nor does it encode the output in the Wake All Devices function, which prints the value, which leads to the XSS condition”.

As many users will already know, XSS flaws can occur in multiple ways although their most common forms are stored and persistent conditions, including injecting malicious code into the target application.

Costa mentions that the flaw was testing in a tool designed for zero-day flaw detection. The expert began by analyzing PfSense for non-identified flaws: “In my analysis, it was possible to access the anti-CSRF token that can be used to create and execute other actions in PfSense, such as creating a new user.” Costa concludes by mentioning that more technical details of the attack will be published once the risk of exploitation is deemed to have been mitigated.

PfSense software versions 2.5.0 and earlier are affected, along with PfSense Plus software versions 21.02-p1 and earlier. The XSS flaw was recognized in the PfSense 2.5.1 and PfSense Plus 21.02.2 release notes, which contain a patch to mitigate the vulnerability. To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.