Deciso OPNsense
cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*
A directory traversal vulnerability has been identified in the Deciso OPNsense web interface, specifically in the diag_backup.php file. This vulnerability allows authenticated, network-adjacent attackers to create arbitrary files on the affected system. The issue arises from inadequate validation of user-supplied paths before they are used in file operations, particularly in the handling of backup configuration files. Because the web interface performs these file operations as root, the files an attacker creates are owned by root.
Exploitation of this vulnerability could lead to unauthorized file creation on the system, and because the files are created with root privileges it could enable further exploitation or privilege escalation.
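The root cause described above is a path built from user input without confining it to the intended backup directory. The following PHP snippet is an added illustration of the mitigation, not code from OPNsense or from the patch: it canonicalizes a fixed base directory, rejects any user-supplied name that is not a plain file name, applies an assumed allow-list for backup file names, and re-checks the resolved parent directory so a symlinked component cannot lead outside the base. The base directory and the `.xml` naming policy are assumptions for the example.

```php
<?php
// Added illustrative example (not OPNsense code): confine a user-supplied
// backup file name to a fixed directory before any filesystem write.

function safe_backup_path(string $baseDir, string $userName): ?string
{
    // Canonicalize the base directory; it must already exist.
    $realBase = realpath($baseDir);
    if ($realBase === false) {
        return null;
    }

    // Reject empty names, null bytes, anything containing a path separator,
    // and the dot entries. The null-byte check runs first so basename() is
    // never called on such input.
    if ($userName === ''
        || str_contains($userName, "\0")
        || $userName !== basename($userName)
        || $userName === '.'
        || $userName === '..') {
        return null;
    }

    // Allow-list the characters of a backup file name (assumed policy).
    if (!preg_match('/^[A-Za-z0-9._-]+\.xml$/', $userName)) {
        return null;
    }

    $candidate = $realBase . DIRECTORY_SEPARATOR . $userName;

    // Resolve the parent of the candidate and require that it is still the
    // base directory, so a symlinked component cannot escape it.
    $parent = realpath(dirname($candidate));
    if ($parent !== $realBase) {
        return null;
    }
    return $candidate;
}

// Constructed demo inputs: one legitimate name and several that must be rejected.
$base = sys_get_temp_dir() . '/backup-path-demo';
@mkdir($base, 0700);
$samples = ['config-2024.xml', '../../etc/passwd', "evil\0.xml", '..', 'config/../x.xml'];
foreach ($samples as $name) {
    $p = safe_backup_path($base, $name);
    printf("%-24s => %s\n", addcslashes($name, "\0"), $p === null ? 'REJECTED' : $p);
}
```

Only the first sample resolves to a path; the others are rejected before any file operation takes place. The same pattern applies to any handler that derives a file name from request input: resolve the trusted directory first, validate the leaf name in isolation, then verify the final parent directory.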
Deciso has released a patch for this vulnerability. Users are advised to update to the latest version of OPNsense. Details about the update can be found in the OPNsense GitHub repository.