pfSense and sensibility

A vulnerability in a plugin to the pfSense firewall is not as serious as its RCE classification implies, according to the developer of the technology

Security researchers from IHTeam have uncovered a serious vulnerability in a plugin to the pfSense firewall technology.

The affected pfBlockerNG plugin is not installed by default and the problem was, in any case, resolved by a software update published in June.

This is just as well because the underlying flaw created an unauthenticated remote code execution (RCE) as root risk on affected installations, according to IHTeam. The pfSense pfBlockerNG vulnerability is tracked as CVE-2022-31814.

Root cause analysis

pfSense is a firewall/router software distribution based on FreeBSD. The open source-based network firewall technology can be installed on bare metal or as a virtual appliance.

pfBlockerNG is a plugin component available within pfSense that is most often used to block inbound connections from whole countries or IP ranges. It is often used to block entire countries from communicating with networks running pfSense, according to researchers, who point out several factors that call particular attention to the problem.

“The vulnerability is a remote command execution exploitable from an unauthenticated perspective and, on top of that, the web server is running with root privileges,” a representation of IHTeam told The Daily Swig.

Read more of the latest network security news

Importantly, the vulnerability is limited to a plugin of pfSense that is not installed by default.

“It is difficult to say how many systems are affected without actively crawling each of the exposed system,” according to IHTeam.

Accordingly to Shodan, there are around 27,000 exposed pfSense machines on the internet. This should not be taken as any indication of the number of vulnerable systems since many will not be running the affected pfBlockerNG plugin, without considering that even vulnerable installations have likely been patched since the software was updated.

In response to a query from The Daily Swig, the developer of pfBlockerNG said: “The only version that was affected is version 2.1.4_26 and below. This has been patched and can be upgraded in pkg manager. pfBlockerNG-devel is unaffected and is the recommended version to use.”

Practical impact

Netgate, which distributes the pfSense firewall, added in response to a related query: “The problem they [the researchers] found was in the pfBlockerNG package but had already been addressed in the pfBlockerNG-devel [latest, cutting edge version of the] package, which is the version the package maintainer recommends everyone use.”

Netgate stated that for the problem to become exposed “requires access to the web server on the firewall (which should never be open on WAN and is often restricted internally when configured per best practices), the overall practical impact was considered extremely low despite it having a high score in theory.”

IHTeam said that developers are still shipping and allowing users to install between the 2.x branch and the 3.x branch (the -development one).

“The misunderstanding can be easily resolved it they would simply remove the 2.x branch from the available plugin list,” the researchers added.

IHTeam came across the vulnerability in pfBlockerNG during an independent security assessment of what turned out to be a vulnerable version of the product. A technical write-up of the issue was published in a blog post by IHTeam on Monday (September 5).

Dev lessons

A researcher from IHTeam, who asked not to be named, told The Daily Swig that the characteristics of the bug offered lessons for other software developers.

The researcher explained: “To avoid these types of vulnerabilities, developers should take extra care while handling user input (not only via direct GET and POST requests, but also via input that might be passed in request headers such as Cookies, Host or User-Agent).

“All user input should be carefully analysed and sanitised before being passed to the application. This is also valid for other types of attacks such as cross-site scripting (XSS) or SQL injection, not only for command execution,” they added.

RELATED WatchGuard firewall exploit threatens appliance takeover