pfSense: pfSense-SA-22_03.webgui: Multiple vulnerabilities in the WebGUI
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | 2022-01-13 | 2022-10-18 | 2025-02-18 |
Description
The vpn_openvpn_server.php and vpn_openvpn_client.php pages in the pfSense Plus
and pfSense CE software GUI did not properly validate user input passed via the
data_ciphers parameter in certain cases. This problem is present on pfSense
Plus version 21.05.2, pfSense CE version 2.5.2, and earlier versions of both.
When the client or server mode was set to p2p_shared_key, the GUI did not
validate user input in the data_ciphers parameter but the backend code still
included the value of data_ciphers in the OpenVPN configuration. By passing
carefully crafted data including parameters which allow OpenVPN to execute
scripts, an attacker could execute arbitrary shell commands and read or write
arbitrary files.
NOTE: The Custom Options field on OpenVPN client and server configuration pages
also allows this type of action intentionally, but that field has a separate
privilege which can limit access to prevent users from altering its contents.
An authenticated attacker with access to the affected page, even without access
to the Custom Options field, could execute arbitrary shell commands, escalate
privileges, disclose information, cause a denial of service, or produce other
negative outcomes.
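The class of fix this description implies, shown as an added example (not pfSense code, and not the vendor's patch): data_ciphers is checked against an allowlist in every mode, and the configuration line is built only from validated names. The allowlist contents, the comma-separated input format and the function names are assumptions made for illustration.

```python
import re

# Constructed allowlist for illustration; a real deployment would take the
# list from the ciphers its OpenVPN build reports as supported.
ALLOWED_CIPHERS = frozenset({
    "AES-128-GCM", "AES-256-GCM", "AES-128-CBC", "AES-256-CBC",
    "CHACHA20-POLY1305",
})
# Shape check applied before the allowlist lookup: a cipher name is a short
# token with no whitespace, quoting or line breaks.
CIPHER_TOKEN = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,31}")


def validate_data_ciphers(raw, allowed=ALLOWED_CIPHERS):
    """Return (ciphers, errors) for a comma-separated data_ciphers value.

    Deliberately takes no mode argument: the check is the same for
    p2p_shared_key as for every other mode, because the value is written to
    the OpenVPN configuration either way.
    """
    if not isinstance(raw, str):
        return [], ["data_ciphers must be a string"]
    if raw == "":
        return [], []  # nothing submitted, nothing to write
    ciphers, errors = [], []
    for token in raw.split(","):
        name = token.upper()
        if not CIPHER_TOKEN.fullmatch(token):
            errors.append("malformed cipher entry: %r" % token[:40])
        elif name not in allowed:
            errors.append("unsupported cipher: %s" % token)
        elif name not in ciphers:
            ciphers.append(name)
    # Reject the whole value if any entry failed; never keep a partial list.
    return ([], errors) if errors else (ciphers, [])


def render_data_ciphers(raw):
    """Build the config line only from validated names, never from raw input."""
    ciphers, errors = validate_data_ciphers(raw)
    if errors:
        raise ValueError("; ".join(errors))
    return "data-ciphers " + ":".join(ciphers) if ciphers else ""
```

Because the rendered line is assembled from allowlisted names, a value containing a line break or extra words cannot add a second directive to the generated configuration.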
Solution
