Three critical vulnerabilities have been disclosed in the pfSense firewall software that could allow authenticated attackers to inject malicious code, manipulate cloud backups, and potentially achieve remote code execution.
The vulnerabilities affect both pfSense Community Edition (CE) prior to version 2.8.0 beta and corresponding pfSense Plus builds.
These flaws, CVE-2024-57273, CVE-2024-54780, and CVE-2024-54779, lie in the Automatic Configuration Backup (ACB) service, the OpenVPN widget, and the dashboard widgets respectively.
Exploiting Cloud Backups via SSH Key Derivation (CVE-2024-57273)
The first vulnerability, CVE-2024-57273, affects the Automatic Configuration Backup (ACB) service and enables attackers to hijack cloud backup keys.
This flaw could lead to deletion of backups, stored cross-site scripting (XSS) attacks, and information leakage.
The exploitation of CVE-2024-57273 requires two conditions: an accessible SSH server and ACB configured on the firewall.
The vulnerability stems from how the API key for cloud backups is derived from the public SSH key in /etc/ssh/ssh_host_ed25519_key.pub. As noted in the researcher’s blog, “it is easy for someone to derive the key and delete your cloud backups or poison them”.
A particularly concerning example shows how attackers can inject JavaScript code into the “reason” field of backups:
When an administrator views the backup list, this malicious code executes in their browser.
OpenVPN Command Injection (CVE-2024-54780)
The second vulnerability, CVE-2024-54780, involves command injection in the OpenVPN widget.
This authenticated vulnerability allows attackers to inject arbitrary OpenVPN management commands via the unsanitized remipp parameter.
The vulnerability exists because user inputs are passed directly to the OpenVPN management interface without proper sanitization:
An attacker can inject a newline character followed by another command, such as remipp=5%0Astatus, resulting in two commands being executed.
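To make the newline problem concrete from the defender's side, here is an added example (not code from pfSense or from the researcher's report) in Python. It assumes, as a stand-in, that the widget builds a single-line command of the form kill <remipp> for the management interface; the real command text is not shown on the page. It contrasts the verbatim interpolation that turns 5%0Astatus into two protocol lines with an allow-list check that rejects the value, and adds a small query-string scanner that flags any parameter carrying a decoded CR or LF, which is the kind of check a reverse proxy rule or a log review pass would apply to requests against the widget.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumed management command built from the remipp parameter; the page does
# not show the real one, so this is a stand-in for any line-oriented protocol
# where one line is one command (as with the OpenVPN management interface).
MGMT_CMD = "kill"

# Positive allow-list: a client endpoint is hex digits, dots, colons and
# brackets (host:port or [ipv6]:port). Nothing else is ever legitimate here.
_REMIPP_RE = re.compile(r"[0-9A-Fa-f.:\[\]]+")


def build_command_unsafe(remipp: str) -> str:
    """'Before' form: the parameter is interpolated verbatim, so a value that
    contains a newline becomes two separate lines on the management socket."""
    return f"{MGMT_CMD} {remipp}\n"


def build_command_safe(remipp: str) -> str:
    """'After' form: only an allow-listed token is accepted. Stripping CR/LF
    alone would block the %0A trick, but a positive allow-list also removes
    every other separator the backend might honour."""
    if not _REMIPP_RE.fullmatch(remipp):
        raise ValueError("remipp must be a host:port token")
    return f"{MGMT_CMD} {remipp}\n"


def count_protocol_lines(cmd: str) -> int:
    """Number of non-empty lines, i.e. commands the backend would execute."""
    return len([line for line in cmd.split("\n") if line.strip()])


def find_crlf_params(query_string: str) -> list:
    """Names of query parameters whose decoded value contains CR or LF.
    Suitable as a request-filter or log-review check for widgets that forward
    values to a line-oriented backend."""
    flagged = []
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        if any("\n" in v or "\r" in v for v in values):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed request, mirroring the encoded value quoted in the article.
    raw = "remipp=5%0Astatus"
    injected = unquote(raw.split("=", 1)[1])
    print("lines seen by backend (unsafe):",
          count_protocol_lines(build_command_unsafe(injected)))
    print("flagged parameters:", find_crlf_params(raw))
    try:
        build_command_safe(injected)
    except ValueError as exc:
        print("rejected:", exc)
```

The scanner decodes the query string first, so it catches %0A and %0D as well as literal control characters; the allow-list check in build_command_safe is the fix to apply at the point where the value is actually used.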
XML Injection via Dashboard Widgets (CVE-2024-54779)
The third vulnerability, CVE-2024-54779, allows XML injection in dashboard widgets through the widgetkey parameter. This can lead to configuration file corruption and persistent XSS attacks.
The vulnerable code directly incorporates the widgetkey value into XML structures without sanitization:
In a worst-case scenario, this can prevent the firewall from bootstrapping properly, causing a denial of service.
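The following added example (Python, written for this page, not pfSense code) shows why unescaped insertion corrupts an XML configuration and what the two defensive controls look like. The element and attribute layout is a constructed stand-in for a per-widget settings fragment; the page does not show pfSense's real schema. The unsafe renderer concatenates the key and a setting verbatim, the safe one allow-lists the key (a widget name never needs markup characters) and escapes free-form text, and config_is_loadable is the pre-write sanity check that keeps a broken document from ever reaching disk, which is the denial-of-service outcome the article describes.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Widget keys are identifiers; anything outside this set is rejected outright.
_WIDGETKEY_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def render_widget_config_unsafe(widgetkey: str, setting: str) -> str:
    """'Before' form: both values are dropped into the markup as-is.
    Constructed schema: <widgets><widget key="...">setting</widget></widgets>."""
    return f'<widgets><widget key="{widgetkey}">{setting}</widget></widgets>'


def render_widget_config_safe(widgetkey: str, setting: str) -> str:
    """'After' form: allow-list the key, escape text and attribute values."""
    if not _WIDGETKEY_RE.fullmatch(widgetkey):
        raise ValueError("invalid widgetkey")
    return (
        "<widgets>"
        f"<widget key={quoteattr(widgetkey)}>{escape(setting)}</widget>"
        "</widgets>"
    )


def config_is_loadable(xml_text: str) -> bool:
    """Parse the serialized document before committing it. If this fails,
    the live configuration must not be overwritten."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False


def widget_setting(xml_text: str, widgetkey: str):
    """Read a setting back by key; None if absent or the document is broken."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    for widget in root.findall("widget"):
        if widget.get("key") == widgetkey:
            return widget.text or ""
    return None


if __name__ == "__main__":
    # Constructed inputs: a benign key and one carrying a markup character.
    for key in ("traffic_graphs", "a<b"):
        doc = render_widget_config_unsafe(key, "on")
        print(f"unsafe render of {key!r} loadable:", config_is_loadable(doc))
    safe_doc = render_widget_config_safe("traffic_graphs", "1 < 2")
    print("safe render loadable:", config_is_loadable(safe_doc),
          "value:", widget_setting(safe_doc, "traffic_graphs"))
```

The allow-list is the primary control because the key is used as structure rather than as data; escaping covers the free-form setting, and the loadability check is defence in depth for whatever path the first two miss.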
| CVE | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
| --- | --- | --- | --- | --- |
| CVE-2024-57273 | pfSense CE (prior to 2.8.0 beta) and pfSense Plus builds | Stored XSS in ACB service, backup deletion, and information leakage | Accessible SSH server + ACB configuration enabled | 5.4 (Medium) |
| CVE-2024-54780 | pfSense CE (prior to 2.8.0 beta) and pfSense Plus builds | Arbitrary command execution via OpenVPN management interface | Authenticated access to dashboard with OpenVPN widget privileges | 8.8 (High) |
| CVE-2024-54779 | pfSense CE (prior to 2.8.0 beta) and pfSense Plus builds | XML injection causing configuration corruption and persistent XSS | Authenticated access to dashboard widget configuration | 5.4 (Medium) |
Mitigations
Netgate, the company behind pfSense, has addressed these issues in the upcoming pfSense Plus 25.03 and CE 2.8.0 releases.
Through the System Patches Package, they have also published fixes for the current versions, pfSense Plus 24.11 and CE 2.7.2.
Available patches address multiple problems, including:
- Multiple XSS vulnerabilities in Dashboard widgets.
- OpenVPN management interface command injection.
- XSS in AutoConfigBackup backup list.
- Potential disclosure of AutoConfigBackup Device Key.
- Stored XSS in various system components.
According to the report, security researchers disclosed these vulnerabilities to Netgate between November and December 2024, and patches are now available in the public pfSense 2.8.0 beta and in the GitHub master branch.
The Exploit Prediction Scoring System (EPSS) rates the likelihood of exploitation for CVE-2024-54779 at only 0.03%, placing it in the 7th percentile of vulnerabilities. Nevertheless, administrators are strongly encouraged to apply patches immediately.
Users should update to pfSense CE version 2.8.0 or later, or the corresponding version of pfSense Plus, to mitigate these risks.
For those unable to update immediately, installing the System Patches Package and applying recommended fixes offers temporary protection.