OPNsense Firewall Flaws Let Attackers Employ XSS to Escalate Privileges

OPNsense is a firewall and routing platform that is based on FreeBSD. It is open-source, making it freely available for use.

Additionally, OPNsense is designed to be user-friendly, with a straightforward interface and a simple installation process. It can also be customized and tailored to specific needs.

OPNsense debuted in January 2015 as a fork of pfSense. In addition to its firewall functionality, it offers traffic shaping, load balancing, and VPN services, with more features available via plugins.

Multiple OPNsense Firewall Flaws

The identified vulnerability is located within the OPNsense dashboard, which serves as a graphical user interface presenting various widgets. These widgets provide users with real-time information regarding the system, including running services, gateways, and other relevant data.

The server stores the order of the widgets for each user and retrieves it on every visit, so the layout stays unchanged between visits.

The potential for abuse arises when a user with limited privileges exploits this vulnerability to inject unauthorized content, thereby initiating a cross-site scripting (XSS) attack that can escalate privileges.

Multiple instances of Stored Cross-Site Scripting (XSS) were discovered in the OPNsense Dashboard by X41 D-Sec experts. These vulnerabilities arise due to the inadequate escaping of the column_count and sequence parameters.

A Content-Security-Policy is in place but does not stop the attack: “The OPNsense developers did apply a Content-Security-Policy, but unfortunately allow unsafe-inline and unsafe-eval for scripts, which does not prevent the exploitation of this vulnerability,” reads the X41 D-Sec report.

As a workaround, the researchers recommend removing all effective privileges for /index.php* from low-privilege users.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.