OPNsense Cross-Site Request Forgery Vulnerability in MVC API Endpoints Allowing Unauthorized State Changes

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in OPNsense versions prior to 26.1.4. Multiple MVC API endpoints that trigger privileged backend actions can be reached via HTTP GET requests without CSRF protection; because the browser attaches the session cookie to such a request, an authenticated user can be made to trigger those actions unintentionally. This can lead to unauthorized service reloads and configuration changes through the configd daemon, which manages system settings on the firewall.

Impact

Exploitation of this vulnerability allows unauthorized state changes on the OPNsense firewall to be triggered in the context of an authenticated user. These include reloading the DNS resolver, restarting the DHCP service, reconfiguring network interfaces, and updating the firewall bogon database. The actions are executed with elevated privileges and can disrupt network services or misconfigure the firewall.
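The two properties an API endpoint needs to resist this class of bug are that a state-changing action is never reachable by a safe method such as GET, and that a state-changing POST carries an anti-CSRF token bound to the session. The following is an added example written for this page, not OPNsense code and not a description of the 26.1.4 fix; the dispatcher, the Request type, the session store and the handler bodies are constructed, and only the two endpoint paths are taken from the advisory. With enforce=False the dispatcher behaves like the vulnerable pattern (any authenticated GET runs the action); with enforce=True both checks apply.

```python
"""Added example (not OPNsense code): gate state-changing API actions.

Check 1: a state-changing action must not run on GET, so a link, image tag
         or redirect that the victim's browser follows cannot trigger it.
Check 2: a state-changing POST must present the anti-CSRF token stored for
         the caller's session; a cross-origin form post has no way to know it.
Names (Request, SESSIONS, API_ROUTES, handlers) are constructed for this example.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

@dataclass
class Request:
    method: str
    path: str
    session_id: Optional[str]                      # value of the session cookie, if any
    headers: Dict[str, str] = field(default_factory=dict)

# Server-side session store: session id -> anti-CSRF token (constructed).
SESSIONS: Dict[str, str] = {}

def new_session() -> Tuple[str, str]:
    """Create a session and return (session id, anti-CSRF token)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(32)
    return sid, SESSIONS[sid]

# Placeholder handlers; a real implementation would hand the job to configd.
def reload_unbound() -> dict:
    return {"status": "ok", "action": "unbound reload"}

def reload_wan() -> dict:
    return {"status": "ok", "action": "interface reload wan"}

def list_interfaces() -> dict:
    return {"status": "ok", "interfaces": ["wan", "lan"]}

# path -> (state_changing?, handler). The first two paths are from the
# advisory; the read-only path is constructed for contrast.
API_ROUTES: Dict[str, Tuple[bool, Callable[[], dict]]] = {
    "/api/unbound/service/dnsbl": (True, reload_unbound),
    "/api/interfaces/overview/reload_interface/wan": (True, reload_wan),
    "/api/interfaces/overview/list": (False, list_interfaces),
}

def dispatch(req: Request, enforce: bool = True) -> Tuple[int, dict]:
    """Route a request; returns (HTTP status, JSON-like body)."""
    if req.path not in API_ROUTES:
        return 404, {"error": "not found"}
    state_changing, handler = API_ROUTES[req.path]
    if req.session_id not in SESSIONS:
        return 401, {"error": "not authenticated"}
    if enforce and state_changing:
        # Check 1: state changes only on POST, never on a safe method.
        if req.method != "POST":
            return 405, {"error": "state-changing action requires POST"}
        # Check 2: constant-time compare of the presented token with the
        # one bound to this session.
        expected = SESSIONS[req.session_id].encode()
        presented = req.headers.get("X-CSRFToken", "").encode()
        if not hmac.compare_digest(presented, expected):
            return 403, {"error": "missing or invalid CSRF token"}
    return 200, handler()

if __name__ == "__main__":
    sid, token = new_session()
    get = Request("GET", "/api/unbound/service/dnsbl", sid)
    print("vulnerable pattern, GET:", dispatch(get, enforce=False)[0])   # 200
    print("hardened, GET:", dispatch(get)[0])                            # 405
    post = Request("POST", "/api/unbound/service/dnsbl", sid, {"X-CSRFToken": token})
    print("hardened, POST with token:", dispatch(post)[0])               # 200
```

The method gate alone already defeats the GET-based variant described in this advisory; the token check is what closes the remaining cross-origin POST path, and it only works if the token is stored server-side per session rather than derived from something the attacker's page can read.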

Reproduction

The vulnerability can be reproduced by sending an authenticated GET request to one of the affected API endpoints, such as '/api/unbound/service/dnsbl' or '/api/interfaces/overview/reload_interface/wan'. The session cookie must be included in the request to authenticate as a valid user.
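Because a successful request of this kind looks like an ordinary authenticated GET, the useful signal for detection is a GET with a 200 response to an endpoint that should only ever be reached by POST, especially when the Referer points at a host other than the firewall. The scanner below is an added example for this page, not OPNsense tooling: the combined-format log lines and the firewall hostname fw.example are constructed, the two watched paths are the ones named above, and the third watchlist entry is a labelled placeholder.

```python
"""Added example (not part of the advisory or of OPNsense): flag GET requests
that successfully reached state-changing API endpoints in web-server logs.

Log format and sample lines are constructed. Only 200 responses are reported,
since a fixed system is expected to answer such a GET with an error status.
"""
import re
from typing import Dict, List, Optional

# Combined log format: client ident user [time] "METHOD target PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Prefixes of endpoints that change state. First two are from the advisory;
# the third is a placeholder, not a real OPNsense path.
STATE_CHANGING_PREFIXES = (
    "/api/unbound/service/dnsbl",
    "/api/interfaces/overview/reload_interface/",
    "/api/PLACEHOLDER/service/reload",
)

# Constructed sample lines: two cross-site-style hits, one legitimate POST,
# one read-only GET, one unauthenticated probe that was rejected.
SAMPLE_LOG = [
    '10.0.0.5 - admin [11/Mar/2026:17:24:01 +0000] "GET /api/unbound/service/dnsbl HTTP/1.1" 200 27 "http://intranet.example/news.html" "Mozilla/5.0"',
    '10.0.0.5 - admin [11/Mar/2026:17:24:02 +0000] "GET /api/interfaces/overview/reload_interface/wan HTTP/1.1" 200 27 "-" "Mozilla/5.0"',
    '10.0.0.5 - admin [11/Mar/2026:17:24:03 +0000] "POST /api/unbound/service/dnsbl HTTP/1.1" 200 27 "https://fw.example/ui/unbound" "Mozilla/5.0"',
    '10.0.0.5 - admin [11/Mar/2026:17:24:04 +0000] "GET /api/interfaces/overview/list HTTP/1.1" 200 512 "https://fw.example/ui/interfaces" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Mar/2026:17:24:05 +0000] "GET /api/unbound/service/dnsbl HTTP/1.1" 401 19 "-" "curl/8.0"',
]

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def referer_host(referer: str) -> Optional[str]:
    """Hostname of the Referer value, or None when absent ('-' or empty)."""
    if referer in ("", "-"):
        return None
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", referer, re.IGNORECASE)
    return m.group(1).lower() if m else None

def scan(lines: List[str], firewall_host: str) -> List[Dict[str, object]]:
    """Findings for successful GETs to state-changing endpoints."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or rec["status"] != "200":
            continue
        path = rec["target"].split("?", 1)[0]          # drop any query string
        if not path.startswith(STATE_CHANGING_PREFIXES):
            continue
        ref = referer_host(rec["referer"])
        findings.append({
            "time": rec["time"],
            "client": rec["client"],
            "user": rec["user"],
            "path": path,
            # A Referer on another host means the request was initiated from
            # a page the firewall did not serve; absence is inconclusive.
            "cross_origin": ref is not None and ref != firewall_host.lower(),
        })
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG, "fw.example"):
        print(f)
```

Run against real logs, the same check should be applied to every endpoint the release notes list as affected, not only the two paths shown here; a GET hit that returns 200 after the upgrade to 26.1.4 would also indicate that the upgrade did not take effect.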

Remediation

Users are advised to update to OPNsense version 26.1.4 or later, where this vulnerability has been fixed.

Added: Mar 11, 2026, 5:24 PM
Updated: Mar 11, 2026, 5:24 PM

Vulnerability Rating

Custom Algorithm

spread          5.7
impact          1.3
exploitability  7.2
remediation     7.7
relevance       3.8
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.