Netgate pfSense CE and Plus Automatic Configuration Backup Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting vulnerability has been identified in the Automatic Configuration Backup (ACB) service of Netgate pfSense Community Edition (CE) versions prior to 2.8.0 and corresponding Plus builds. This vulnerability allows remote attackers to execute arbitrary JavaScript, delete backups, or leak sensitive information by exploiting an unsanitized 'reason' field and a derivable device key generated from the public SSH key. The issue arises when the ACB service is configured and the SSH server is open and accessible, enabling the extraction of the public key needed to compute the device key for API interaction.

Impact

Exploitation of this vulnerability allows for the execution of JavaScript in the context of the user's browser, potentially leading to session hijacking by stealing cookies or other session information.

Reproduction

To reproduce this vulnerability, first ensure that the ACB service is enabled and the SSH server is open and accessible. Once these conditions are met, the public SSH key can be retrieved, and the corresponding device key for the ACB service can be computed. After obtaining the device key, a JavaScript payload can be injected into the 'reason' field when saving a backup. When the backup list is accessed, the injected script will be executed.
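The root cause on the rendering side is a free-text 'reason' value written into the backup list page without HTML encoding. The following Python snippet is an added illustration, not pfSense code (the pfSense webGUI is PHP, where the equivalent fix is `htmlspecialchars()` on output), and the backup entries and the `MAX_REASON_LEN` cap are constructed for the example. It shows the vulnerable concatenation pattern beside the hardened one, plus an input-side check that complements but does not replace output encoding, since a literal `<` is legitimate text in a reason and must still be escaped when rendered.

```python
import html
import re

# Constructed sample entries in the shape a backup list might hold:
# a timestamp and the operator-supplied free-text 'reason'.
SAMPLE_BACKUPS = [
    {"time": "2025-06-01 10:00:00", "reason": "Scheduled nightly backup"},
    {"time": "2025-06-02 10:00:00", "reason": "<script>alert(1)</script>"},  # constructed hostile value
    {"time": "2025-06-03 10:00:00", "reason": 'Pre-upgrade "snapshot" & test'},
]

MAX_REASON_LEN = 200  # assumption: arbitrary cap chosen for this illustration


def render_backup_list_unsafe(backups):
    """Vulnerable pattern: untrusted 'reason' text is concatenated straight into HTML,
    so markup inside it becomes part of the page when the list is viewed."""
    rows = "".join(
        f"<tr><td>{b['time']}</td><td>{b['reason']}</td></tr>" for b in backups
    )
    return f"<table>{rows}</table>"


def render_backup_list_safe(backups):
    """Hardened pattern: every untrusted value is HTML-escaped for the text context
    it lands in (&, <, >, quotes), so it is displayed rather than interpreted."""
    rows = "".join(
        f"<tr><td>{html.escape(b['time'])}</td>"
        f"<td>{html.escape(b['reason'], quote=True)}</td></tr>"
        for b in backups
    )
    return f"<table>{rows}</table>"


def validate_reason(reason: str) -> str:
    """Input-side check applied when a backup is saved: bound the length and reject
    control characters. This is defence in depth only; output encoding is still
    required because '<' and '&' are valid characters in a human-written reason."""
    if len(reason) > MAX_REASON_LEN:
        raise ValueError("reason too long")
    if re.search(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", reason):
        raise ValueError("reason contains control characters")
    return reason.strip()


def contains_raw_tag(rendered: str, tag: str = "script") -> bool:
    """Simple check for an unescaped element start in rendered output."""
    return f"<{tag}" in rendered.lower()


if __name__ == "__main__":
    print("unsafe output leaks a raw tag:", contains_raw_tag(render_backup_list_unsafe(SAMPLE_BACKUPS)))
    print("safe output leaks a raw tag:  ", contains_raw_tag(render_backup_list_safe(SAMPLE_BACKUPS)))
```

Escaping belongs at the point of output, chosen for the context (HTML text here; attribute, URL and JavaScript contexts each need their own encoder), which is why the input check alone would not have closed this class of bug.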

Remediation

Users can upgrade to pfSense Plus version 25.03 or later, or pfSense CE version 2.8.0 when available. Instructions for upgrading can be found in the pfSense Upgrade Guide. Users on pfSense Plus version 24.11 and pfSense CE version 2.7.2 can apply the fix from the recommended patches list in the System Patches package.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 4.2
exploitability: 7.4
remediation: 7.9
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.