Recent pfSense CVEs CVE-2023-42325, CVE-2023-42326, or CVE-2023-42327

[utkonos]

I can see from the source code that CVE-2023-42325 can't affect OPNsense because that code doesn't exist in OPNsense. However, CVE-2023-42327 and CVE-2023-42326 are a bit less clear looking at the source code.

Is OPNsense affected by CVE-2023-42327 or CVE-2023-42326?

[MacLemon]

Adding some links for anyone's convenience in looking things up:

• Sonar: pfSense Security: Sensing Code Vulnerabilities with SonarCloud (original writeup on the vulnerability found in pfSense)
• Mitre: CVE-2023-42327: Cross Site Scripting (XSS)
• NIST: CVE-2023-42327 Detail CVSS3 Score: 5.4
• Mitre: CVE-2023-42326: Remote code execution (RCE)
• NIST: CVE-2023-42326 Detail CVSS3 Sore: 8.8
• pfSense-SA-23_10.webgui:Authenticated Command Execution in the WebGUI

For completeness:

• Mitre: CVE-2023-42325 another Cross Site Scripting (XSS) issue
• NIST: CVE-2023-42325 Detail CVSS3 Score: 5.4

[sharp-meet-57]

i am also wondering about this can someone please confirm or deny? what is the best way to stay up to date on opnsense security issues?

[AdSchellevis]

We only share a minimal amount of code these days, so usually it's safe to assume their issues don't automatically apply to us (and obviously vise-versa).

The "providers" file does look a bit similar today, but the same issue was fixed back in 2017 on our end [CVE-2023-42327] https://github.com/opnsense/core/commit/73e31caf87

Their commit hides the actual issue a bit, but it seemed to originated from https://github.com/pfsense/pfsense/blob/402c98a27ffe838a0938289b4eefe4431a972425/src/usr/local/www/getserviceproviders.php#L85

The other one is an escaping issue when passing to the shell if I've seen it correctly, but in these legacy pages we replaced most of these constructs to lower these risks over the years.

Don't expect us to deep dive future CVE's like this by the way as usually this is quite a waste of time. When in doubt about old code, we usually take a look (like the provider file), but 99% of the cases our code doesn't look like theirs (for good reasons I might add).

In reality most of these issues are only exploitable by a user you probably already trusted enough to offer an account, which makes a lot of these "rankings" a bit wonky in my humble opinion. Looking at CVE's scores these days sometimes feels the front door is wide open where in reality there are quite some prerequisites to match before an actual breach is possible.

Best regards,

Ad

[sharp-meet-57]

thanks 

[franco]

From the other two issues Ad doesn't directly mention one doesn't apply because old log pages are gone and the code execution.. well, that's pretty nasty and has been in the code forever. We've added escapes for this as early as 2015 and the GIF/GRE stuff cleanup was completed in 2022 fixing the last of the $greif/$gifif injections:

https://github.com/opnsense/core/commit/889420b652b

As a word of caution these unescaped bits are probably lingering in both pfSense and OPNsense still, but whenever we get to a subsystem we try to prevent it. That's why we wrote the mwexecf() and other *_safe() functions over the years which do proper escaping/shell formatting.


Cheers,
Franco