CVE-2017-1000479
Published 2018-01-03
Priority P2 · 68 · high · 8.8 (CVSS 3.0), vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploit probability (EPSS): 32.77% (98.1th percentile)
pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page, resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, has not been vulnerable since version 16.1.16, released on June 06, 2016: the unprotected web form was removed from the code during an internal security audit on the suspicion that it was "possibly insecure".
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netgate | pfsense | <= 2.4.1 | — |
| opnsense_project | opnsense | < 16.1.16 | 16.1.16 |
Detection & IOCs (extracted from sources)
- Target application is pfSense WebGUI running as root; look for unexpected iframe embedding of pfSense admin pages, which would indicate a clickjacking attempt against the CSRF error page.
- Absence of the X-Frame-Options header in HTTP responses from the pfSense WebGUI (versions <= 2.4.1) is a key indicator of a vulnerable instance; monitor for responses lacking this header from pfSense admin interfaces.
- Metasploit module unix/http/pfsense_clickjacking targets pfSense <= 2.4.1; use of this module against a pfSense host is a strong indicator of exploitation activity.
- OPNsense (a 2015 fork of pfSense) is NOT vulnerable as of version 16.1.16 (released June 06, 2016); do not apply pfSense-specific detections to OPNsense instances at or above that version.
- Exploitation requires an authenticated admin to interact with a specially crafted webpage; this is not a remote unauthenticated exploit, so a social engineering or phishing component is required.
- Successful exploitation results in full root-level compromise of the pfSense instance, not just WebGUI access.
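As an added example (not code from this page, pfSense or OPNsense), the following Python checks captured HTTP responses for the framing protection whose absence the second detection note above describes. The sample responses are constructed, and the function names `parse_headers`, `frame_ancestors`, `allows_arbitrary_framing` and `audit` are chosen here.

```python
"""Clickjacking exposure check for captured HTTP responses (added example).

Reports whether any origin may frame a page, which is the condition that made
the pfSense <= 2.4.1 CSRF error page exploitable: it was sent before the
X-Frame-Options header was set.
"""

def parse_headers(raw_response: str) -> dict:
    """Split a raw HTTP response into a lower-cased header dict (body ignored)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def frame_ancestors(headers: dict):
    """Return the CSP frame-ancestors source list, or None if the directive is absent."""
    for directive in headers.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]] or ["'none'"]  # empty list acts as 'none'
    return None

def allows_arbitrary_framing(headers: dict) -> bool:
    """True when no header stops an attacker-controlled origin from framing the page.

    CSP frame-ancestors takes precedence over X-Frame-Options in browsers that
    support it; the obsolete ALLOW-FROM value is treated as no protection.
    """
    sources = frame_ancestors(headers)
    if sources is not None:
        return any(s in ("*", "http:", "https:") for s in sources)
    xfo = headers.get("x-frame-options", "").upper()
    return xfo not in ("DENY", "SAMEORIGIN")

def audit(raw_response: str) -> str:
    return "FRAMEABLE" if allows_arbitrary_framing(parse_headers(raw_response)) else "restricted"

# Constructed samples, not real captures. The first mimics an error page that
# was emitted before any X-Frame-Options header; the second carries the header.
VULNERABLE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              "<html>CSRF check failed</html>")
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>CSRF check failed</html>")

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(f"{label}: {audit(raw)}")
```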
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://www.openwall.com/lists/oss-security/2017/11/22/7
- https://doc.pfsense.org/index.php/2.4.2_New_Features_and_Changes
- https://github.com/opnsense/core/commit/d218b225
- https://github.com/pfsense/pfsense/commit/386d89b07
- https://www.netgate.com/blog/pfsense-2-4-2-release-p1-and-2-3-5-release-p1-now-available.html
- https://www.securify.nl/en/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html