{"id":4074,"date":"2025-05-20T10:03:47","date_gmt":"2025-05-20T10:03:47","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/05\/20\/multiple-pfsense-firewall-vulnerabilities-let-attackers-inject-malicious-codes\/"},"modified":"2025-05-20T10:03:47","modified_gmt":"2025-05-20T10:03:47","slug":"multiple-pfsense-firewall-vulnerabilities-let-attackers-inject-malicious-codes","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/05\/20\/multiple-pfsense-firewall-vulnerabilities-let-attackers-inject-malicious-codes\/","title":{"rendered":"Multiple pfSense Firewall Vulnerabilities Let Attackers Inject Malicious Codes"},"content":{"rendered":"

Multiple pfSense Firewall Vulnerabilities Let Attackers Inject Malicious Codes
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Three critical vulnerabilities in pfSense firewall software that could allow authenticated attackers to inject malicious code, manipulate cloud backups<\/a>, and potentially achieve remote code execution.\u00a0<\/p>\n

The vulnerabilities affect both pfSense Community Edition (CE) prior to version 2.8.0 beta and corresponding pfSense Plus builds.<\/p>\n

These flaws, CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779, exploit weaknesses in the Automatic Configuration Backup (ACB) service, OpenVPN widget, and dashboard widgets.<\/p>\n

Exploiting Cloud Backups via SSH Key Derivation (CVE-2024-57273)<\/strong><\/h2>\n

The first vulnerability, CVE-2024-57273, affects the Automatic Configuration Backup (ACB) service and enables attackers to hijack cloud backup keys.\u00a0<\/p>\n

This flaw could lead to deletion of backups, stored cross-site scripting (XSS)<\/a> attacks, and information leakage.<\/p>\n

The exploitation of CVE-2024-57273 requires two conditions: an accessible SSH server and ACB configured on the firewall.\u00a0<\/p>\n

The vulnerability stems from how the API key for cloud backups is derived from the public SSH key in \/etc\/ssh\/ssh_host_ed25519_key.pub. As noted in the researcher\u2019s blog, \u201cit is easy for someone to derive the key and delete your cloud backups or poison them\u201d.<\/p>\n

A particularly concerning example shows how attackers can inject JavaScript code into the \u201creason\u201d field of backups:<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

When an administrator views the backup list, this malicious code executes in their browser.<\/p>\n

OpenVPN Command Injection (CVE-2024-54780)<\/strong><\/h2>\n

The second vulnerability, CVE-2024-54780, involves command injection in the OpenVPN widget.\u00a0<\/p>\n

This authenticated vulnerability allows attackers to inject arbitrary OpenVPN management commands via the unsanitized remipp parameter.\u00a0<\/p>\n

The vulnerability exists because user inputs are passed directly to the OpenVPN management interface without proper sanitization:<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

An attacker can inject a newline character followed by another command, such as remipp=5%0Astatus, resulting in two commands being executed.<\/p>\n

XML Injection via Dashboard Widgets (CVE-2024-54779)<\/strong><\/h2>\n

The third vulnerability, CVE-2024-54779, allows XML injection<\/a> in dashboard widgets through the widgetkey parameter. This can lead to configuration file corruption and persistent XSS attacks.\u00a0<\/p>\n

The vulnerable code directly incorporates the widgetkey value into XML structures without sanitization:<\/p>\n

\n
\"\"<\/figure>\n<\/div>\n

In a worst-case scenario, this can prevent the firewall from bootstrapping properly, causing a denial of service.<\/p>\n

\n\n\n\n\n\n\n
CVEs<\/strong><\/td>\nAffected Products<\/strong><\/td>\nImpact<\/strong><\/td>\nExploit Prerequisites<\/strong><\/td>\nCVSS 3.1 Score<\/strong><\/td>\n<\/tr>\n
CVE-2024-57273<\/td>\npfSense CE (prior to 2.8.0 beta) and pfSense Plus builds<\/td>\nStored XSS in ACB service, backup deletion, and information leakage\u00a0<\/td>\nAccessible SSH server + ACB configuration enabled\u00a0<\/td>\n5.4 (Medium)<\/td>\n<\/tr>\n
CVE-2024-54780<\/td>\npfSense CE (prior to 2.8.0 beta) and pfSense Plus builds<\/td>\nArbitrary command execution via OpenVPN management interface\u00a0<\/td>\nAuthenticated access to dashboard with OpenVPN widget privileges\u00a0<\/td>\n8.8 (High)\n<\/td>\n<\/tr>\n
CVE-2024-54779<\/td>\npfSense CE (prior to 2.8.0 beta) and pfSense Plus builds<\/td>\nXML injection causing configuration corruption and persistent XSS\u00a0<\/td>\nAuthenticated access to dashboard widget configuration\u00a0<\/td>\n5.4 (Medium)\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Mitigations<\/strong><\/h2>\n

Netgate, the company behind pfSense, has addressed these issues in the upcoming pfSense Plus 25.03 and CE 2.8.0 releases.\u00a0<\/p>\n

Through the System Patches Package, they have also published fixes for current versions pfSense Plus 24.11 and CE 2.7.2.<\/p>\n

Available patches address multiple problems, including:<\/p>\n