Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
Recent pfSense CVEs CVE-2023-42325, CVE-2023-42326, or CVE-2023-42327
« previous
next »
Print
Pages: [
1
]
Author
Topic: Recent pfSense CVEs CVE-2023-42325, CVE-2023-42326, or CVE-2023-42327 (Read 2793 times)
utkonos
Newbie
Posts: 32
Karma: 3
Recent pfSense CVEs CVE-2023-42325, CVE-2023-42326, or CVE-2023-42327
«
on:
December 14, 2023, 10:57:00 pm »
I can see from the source code that CVE-2023-42325 can't affect OPNsense because that code doesn't exist in OPNsense. However, CVE-2023-42327 and CVE-2023-42326 are a bit less clear looking at the source code.
Is OPNsense affected by CVE-2023-42327 or CVE-2023-42326?
Logged
MacLemon
Newbie
Posts: 7
Karma: 1
Re: Recent pfSense CVEs CVE-2023-42325, CVE-2023-42326, or CVE-2023-42327
«
Reply #1 on:
December 14, 2023, 11:37:00 pm »
Adding some links for anyone's convenience in looking things up:
Sonar:
pfSense Security: Sensing Code Vulnerabilities with SonarCloud
(original writeup on the vulnerability found in pfSense)
Mitre:
CVE-2023-42327
: Cross Site Scripting (XSS)
NIST:
CVE-2023-42327 Detail
CVSS3 Score: 5.4
Mitre:
CVE-2023-42326
: Remote code execution (RCE)
NIST:
CVE-2023-42326 Detail
CVSS3 Sore: 8.8
pfSense-SA-23_10.webgui:
Authenticated Command Execution in the WebGUI
For completeness:
Mitre:
CVE-2023-42325
another Cross Site Scripting (XSS) issue
NIST:
CVE-2023-42325 Detail
CVSS3 Score: 5.4
Logged
sharp-meet-57
Newbie
Posts: 2
Karma: 0
Re: Recent pfSense CVEs CVE-2023-42325, CVE-2023-42326, or CVE-2023-42327
«
Reply #2 on:
December 17, 2023, 10:53:59 am »
i am also wondering about this can someone please confirm or deny? what is the best way to stay up to date on opnsense security issues?
Logged
AdSchellevis
Administrator
Hero Member
Posts: 907
Karma: 184
Re: Recent pfSense CVEs CVE-2023-42325, CVE-2023-42326, or CVE-2023-42327
«
Reply #3 on:
December 17, 2023, 07:05:03 pm »
We only share a minimal amount of code these days, so usually it's safe to assume their issues don't automatically apply to us (and obviously vise-versa).
The "providers" file does look a bit similar today, but the same issue was fixed back in 2017 on our end [CVE-2023-42327]
https://github.com/opnsense/core/commit/73e31caf87
Their commit hides the actual issue a bit, but it seemed to originated from
https://github.com/pfsense/pfsense/blob/402c98a27ffe838a0938289b4eefe4431a972425/src/usr/local/www/getserviceproviders.php#L85
The other one is an escaping issue when passing to the shell if I've seen it correctly, but in these legacy pages we replaced most of these constructs to lower these risks over the years.
Don't expect us to deep dive future CVE's like this by the way as usually this is quite a waste of time. When in doubt about old code, we usually take a look (like the provider file), but 99% of the cases our code doesn't look like theirs (for good reasons I might add).
In reality most of these issues are only exploitable by a user you probably already trusted enough to offer an account, which makes a lot of these "rankings" a bit wonky in my humble opinion. Looking at CVE's scores these days sometimes feels the front door is wide open where in reality there are quite some prerequisites to match before an actual breach is possible.
Best regards,
Ad
Logged
sharp-meet-57
Newbie
Posts: 2
Karma: 0
Re: Recent pfSense CVEs CVE-2023-42325, CVE-2023-42326, or CVE-2023-42327
«
Reply #4 on:
December 19, 2023, 10:37:26 am »
thanks
Logged
franco
Administrator
Hero Member
Posts: 17668
Karma: 1611
Re: Recent pfSense CVEs CVE-2023-42325, CVE-2023-42326, or CVE-2023-42327
«
Reply #5 on:
December 19, 2023, 10:57:54 am »
From the other two issues Ad doesn't directly mention one doesn't apply because old log pages are gone and the code execution.. well, that's pretty nasty and has been in the code forever. We've added escapes for this as early as 2015 and the GIF/GRE stuff cleanup was completed in 2022 fixing the last of the $greif/$gifif injections:
https://github.com/opnsense/core/commit/889420b652b
As a word of caution these unescaped bits are probably lingering in both pfSense and OPNsense still, but whenever we get to a subsystem we try to prevent it. That's why we wrote the mwexecf() and other *_safe() functions over the years which do proper escaping/shell formatting.
Cheers,
Franco
«
Last Edit: December 19, 2023, 11:00:11 am by franco
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
23.7 Legacy Series
»
Recent pfSense CVEs CVE-2023-42325, CVE-2023-42326, or CVE-2023-42327