Date of Disclosure: October 2, 2024
Date added to CISA KEV: N/A
CVE-2024-46538 is a stored cross-site scripting (XSS) vulnerability identified in pfSense version 2.5.2. It allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable within the interfaces_groups_edit.php file. The issue stems from insufficient input sanitization: the injected value is stored and is rendered back to the browser unescaped, so the payload executes later whenever the affected page is viewed.
A Proof of Concept (PoC) available on GitHub, created by EQSTLab, illustrates how this stored XSS vulnerability can be exploited in pfSense 2.5.2. When an administrator visits the vulnerable page containing the injected $pconfig payload, the JavaScript runs in the administrator's authenticated session and submits a request to the diag_command.php endpoint. Because diag_command.php executes shell commands on behalf of logged-in administrators, the script can populate its form data with commands of the attacker's choosing, which may expose sensitive system information.
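The chain above (a stored payload fires on interfaces_groups_edit.php, and the administrator's browser is then made to post to diag_command.php) leaves a pattern in the web GUI's access log that a defender can look for. The script below is an added example for this advisory, not code from Censys, EQSTLab or the pfSense project: it parses access log lines in Combined Log Format (the sample lines are constructed) and flags two heuristics, a POST to diag_command.php whose Referer is some other page, and a POST to diag_command.php shortly after the same client viewed the interface-group edit page. The paths and rule names are the example's own assumptions; pfSense's actual log layout may differ, and a legitimate use of diag_command.php normally posts back to itself.

```python
"""Added example: review pfSense web-GUI access logs for the XSS-to-command
chain described in the advisory. Assumes Combined Log Format lines
(constructed below); not part of the advisory or of pfSense itself."""

import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# One Combined Log Format line: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

EDIT_PAGE = "/interfaces_groups_edit.php"  # page named in the advisory
CMD_PAGE = "/diag_command.php"             # endpoint the PoC drives

# Constructed sample: one client views the edit page and one second later its
# browser posts to diag_command.php with the edit page as Referer; a second
# client uses diag_command.php normally (GET the page, POST back to itself).
SAMPLE_LOG = [
    '198.51.100.20 - - [13/Nov/2024:10:01:05 +0000] "GET /interfaces_groups_edit.php?id=0 HTTP/1.1" 200 5120 "https://fw.example.test/interfaces_groups.php" "Mozilla/5.0"',
    '198.51.100.20 - - [13/Nov/2024:10:01:06 +0000] "POST /diag_command.php HTTP/1.1" 200 2048 "https://fw.example.test/interfaces_groups_edit.php?id=0" "Mozilla/5.0"',
    '198.51.100.21 - - [13/Nov/2024:10:05:00 +0000] "GET /diag_command.php HTTP/1.1" 200 4096 "https://fw.example.test/index.php" "Mozilla/5.0"',
    '198.51.100.21 - - [13/Nov/2024:10:05:30 +0000] "POST /diag_command.php HTTP/1.1" 200 4096 "https://fw.example.test/diag_command.php" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def analyze(lines, window=timedelta(minutes=5)):
    """Apply two heuristics and return a list of findings (dicts).

    command_post_from_other_page: POST to diag_command.php whose Referer path
        is not diag_command.php itself (the legitimate form posts to itself).
    edit_then_command: POST to diag_command.php within `window` after the same
        client IP fetched the interface-group edit page.
    """
    findings = []
    last_edit_view = {}  # ip -> time of the most recent GET of EDIT_PAGE
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        path = rec["path"].partition("?")[0]
        ip, ts = rec["ip"], rec["ts"]

        if path == EDIT_PAGE and rec["method"] == "GET":
            last_edit_view[ip] = ts
            continue

        if path == CMD_PAGE and rec["method"] == "POST":
            ref_path = urlparse(rec["referer"]).path if rec["referer"] != "-" else ""
            if ref_path and ref_path != CMD_PAGE:
                findings.append({"rule": "command_post_from_other_page",
                                 "ip": ip, "ts": ts, "referer": ref_path})
            seen = last_edit_view.get(ip)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                findings.append({"rule": "edit_then_command", "ip": ip, "ts": ts,
                                 "gap_s": (ts - seen).total_seconds()})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["rule"], f["ip"], f["ts"].isoformat())
```

Both rules are heuristics meant for triage rather than proof: the injected value travels in a POST body that access logs do not record, so the injection itself is invisible here, and a client with a strict Referrer-Policy would defeat the first rule. Pair the log review with confirming the running version against the fixed release listed below.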
pfSense is an open-source firewall and router software, used by organizations to protect network boundaries. Some installations are directly exposed to the internet for remote access or network monitoring. In version 2.5.2, as with other pfSense versions, administrators might inadvertently expose the web interface, SSH, or other services on public-facing IP addresses, making it accessible (and potentially vulnerable) to external threats.
Exposed pfSense Web Portal
Field | Details
--- | ---
CVE-ID | CVE-2024-46538 – CVSS 9.8 (Critical) assigned by VulnCheck
Vulnerability Description | A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.
Date of Disclosure | October 2, 2024
Affected Assets | Crafted payloads injected into the $pconfig variable at interfaces_groups_edit.php, triggering arbitrary command execution on diag_command.php if the payload is activated.
Vulnerable Software Versions | Version 2.5.2
PoC Available? | Yes, this repository from EQSTLab details how the vulnerability can be exploited.
Exploitation Status | At the time of writing, this CVE has not appeared on CISA's list of known exploited vulnerabilities or in GreyNoise.
Patch Status | As of November 13, 2024, the most recent stable version is 2.7.2. This version includes security patches and improvements that address known vulnerabilities, including CVE-2024-46538. The latest stable version can be downloaded here.
Censys Perspective
At the time of writing, Censys observed 225,681 exposed pfSense instances online, filtering out honeypots. A large proportion of these (22%) are geolocated in Russia and hosted in TIMEHOST-AS (ASN 212913), a datacenter and hosting provider. Note that not all of these are necessarily vulnerable, as specific device versions are not available.
Map of exposed pfSense Web Portal instances:
The chart below breaks down the top 10 countries with exposed devices.
Censys Search Query:
services.tls.certificates.leaf_data.issuer.common_name:"*pfSense*" or services.software: ((vendor="pfSense" or vendor="Netgate") and product="pfSense") and not labels:{tarpit, honeypot}
Censys ASM Query:
host.services.tls.certificates.leaf_data.issuer.common_name:"*pfSense*" or ((host.services.software.vendor="pfSense" or host.services.software.vendor="Netgate") and host.services.software.product="pfSense") and not host.labels:{tarpit, honeypot}
References