CVE-2022-42247: a cross-site scripting vulnerability was found in pfSense v2.5.2.

A remote attacker can exploit this vulnerability by injecting arbitrary web script or HTML into a file name.

pfSense is open source firewall and router software that runs on many routers.

To exploit this vulnerability, a remote attacker must place a file with a malicious name on the targeted system and then cause that file to be requested via a specially crafted URL. In most cases, the user will request the file without suspecting that anything is wrong.

Once a user requests such a file, the attacker can use this vulnerability to inject arbitrary web script or HTML and have it execute in the context of the user's web session.
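The root cause described above is a file name rendered into a web page without output encoding. The following added example (not pfSense code, and not taken from the advisory) shows the vulnerable rendering pattern next to its hardened form, plus a small check a defender can run over a directory listing or a configuration export to flag file names that carry HTML metacharacters. The sample file names are constructed for illustration.

```python
import html
import re

# Constructed sample file names (not from the advisory). The third one carries
# markup of the kind a file-name XSS relies on.
SAMPLE_FILE_NAMES = [
    "backup-2022-09-30.xml",
    "notes.txt",
    '<img src=x onerror="alert(1)">.txt',
]

# Characters that change meaning inside HTML text or attribute context.
HTML_METACHARS = re.compile(r'[<>"\'&]')


def is_suspicious_filename(name: str) -> bool:
    """True when a file name contains characters that are significant in HTML."""
    return bool(HTML_METACHARS.search(name))


def flag_suspicious(names):
    """Return the subset of names that a reviewer or IDS rule should look at."""
    return [n for n in names if is_suspicious_filename(n)]


def render_listing_unsafe(names):
    """Vulnerable pattern: the raw file name is interpolated into the page.

    Shown only to contrast with the safe version; a name containing markup
    becomes live HTML in the viewer's session.
    """
    return "\n".join(f"<li>{n}</li>" for n in names)


def render_listing_safe(names):
    """Hardened pattern: every name is HTML-escaped before it reaches the page.

    quote=True also escapes the quote characters so the result is safe inside
    attribute values, not only inside element text.
    """
    return "\n".join(f"<li>{html.escape(n, quote=True)}</li>" for n in names)


if __name__ == "__main__":
    print("flagged:", flag_suspicious(SAMPLE_FILE_NAMES))
    print(render_listing_safe(SAMPLE_FILE_NAMES))
```

The flagging check is deliberately coarse: a legitimate file name containing an ampersand will be reported too, which is acceptable for a review list but not as a blocking control. The real fix is the encoding step in `render_listing_safe`, which must be applied at every point where a file name is written into HTML.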

It is important to note that the majority of routers do not allow the file name to be changed from the system's configuration. Therefore, an attacker cannot force a user to request a malicious file. However, a user who visits a malicious website and happens to request a file name from there is still vulnerable to this issue.

In order to exploit this vulnerability, an attacker must host a specially crafted file on a web server and place a malicious page on a high-traffic website. The user must then visit that malicious page.

It is strongly recommended that you update pfSense to the latest available version. In addition, apply the patch provided by the vendor.
This vulnerability can be exploited by an attacker to

Vulnerability Scenario

- The attacker sends a POST request to the vulnerable page with an exploit URL in the POST body.
- If the target is unpatched or misconfigured, it will execute the injected code.
- If the target is patched, the vulnerability can only be triggered by a user browsing to an exploit URL on another website.

Endpoint Assessment

OSSEC is a free and open source intrusion detection system (IDS) that continuously monitors the health of your systems. A key feature of the product is detecting, preventing, and responding to malicious traffic in real time. OSSEC can also be configured to monitor network traffic and filesystem activity for suspicious events.

This vulnerability was discovered by a researcher who found that OSSEC was vulnerable to a remote exploit. In order to exploit this vulnerability, an attacker must host a specially crafted file on the web server and then have that file requested via a URL. Once the user requests the file, the attacker can execute arbitrary code in the user's web session using parsing privileges.

Timeline

Published on: 10/03/2022 16:15:00 UTC
Last modified on: 10/05/2022 14:11:00 UTC

References