CVE-2022-24299 Exploit: Remote Command Injection Vulnerability in pfSense CE and pfSense Plus

In this post, we will discuss an improper input validation vulnerability that has been assigned CVE-2022-24299. This vulnerability affects pfSense CE software versions prior to 2.6. and pfSense Plus software versions prior to 22.01. A remote attacker with the privilege to change OpenVPN client or server settings can exploit this vulnerability to execute an arbitrary command.

Original References

1. Netgate: https://www.netgate.com/security/CVE-2022-24299
2. MITRE CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24299
3. NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2022-24299

Exploit Details

The vulnerability lies in the improper input validation of the OpenVPN client and server settings. If a remote attacker with the required privileges can manage to inject a malicious command in these settings, they can potentially execute arbitrary commands on the target system.

This execution usually occurs when the OpenVPN settings are being restarted or started. The attacker can exploit this by crafting a malicious setting in a specific field like "Advanced Configuration" and "Custom options" of the OpenVPN configuration. This would lead to the execution of the crafted command either when the targeted pfSense system restarts or when the OpenVPN service is restarted.

Here's a sample code snippet illustrating how the command would be injected into the OpenVPN settings:

# Sample malicious command
malicious_command = "; <arbitrary command>|"

# Inject the malicious command into the target field
openvpn_settings["advanced_configuration"] = malicious_command

Mitigation

To mitigate this vulnerability, users need to update the affected pfSense software to the latest version:

For pfSense Plus users, upgrade to version 22.01 or later.

The software upgrade can be performed by following the steps mentioned in the pfSense upgrade guides. These guides can be found on Netgate's website here:

1. pfSense CE Upgrade Guide: https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide-ce.html
2. pfSense Plus Upgrade Guide: https://docs.netgate.com/pfsense/en/latest/install/upgrade-guide-plus.html

Conclusion

CVE-2022-24299 is an improper input validation vulnerability that affects pfSense CE versions prior to 2.6. and pfSense Plus versions prior to 22.01. By exploiting this vulnerability, a remote attacker with the necessary privileges can execute arbitrary commands on the target system. To safeguard against this vulnerability, it's crucial to update the affected pfSense software to the latest version.

Timeline

Published on: 03/31/2022 08:15:00 UTC
Last modified on: 04/07/2022 20:01:00 UTC