OPNsense Authenticated Remote Code Execution Vulnerability in User Management

Vulnerability

A remote code execution vulnerability has been identified in the OPNsense core, affecting versions through 26.1.7. This vulnerability allows authenticated users with user-management privileges to execute arbitrary system commands as root. The issue arises in the local user synchronization process, where input validation can be bypassed by crafting a payload that resembles a valid email address. This manipulation enables shell commands to be executed on the underlying operating system. The vulnerability has been patched in OPNsense version 26.1.8.

Impact

Exploitation of this vulnerability leads to complete system compromise, with injected commands executed as root, allowing an attacker to take full control of the firewall.

Reproduction

To reproduce this vulnerability, an authenticated user with user-management privileges can send a POST request to the OPNsense API endpoint for adding a user. The request must include a crafted email address that contains shell metacharacters, wrapped in quotes, as the username. This payload will bypass the email validation and, when the user is added, the injected commands will be executed on the system as root.
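As an added illustration (not code from this advisory or from the OPNsense project), the Python below shows why an RFC-style email check is the wrong gate for a value that later reaches a shell: both a quoted local part and the plain atext alphabet admit shell-significant characters, so an address can be syntactically valid and still unsafe. It contrasts a permissive check with a strict policy and builds the downstream command as an argument vector rather than a shell string; the helper path and the sample addresses are constructed placeholders.

```python
import re
import shlex

# Constructed sample inputs, not taken from the advisory. The quoted ones have
# the shape the advisory describes: a quoted local part carrying metacharacters.
SAMPLES = [
    'alice@example.com',
    '"a; b"@example.com',
    '"$(x)"@example.com',
    'a$b@example.com',
]

# Permissive, RFC 5321-flavoured syntax check. Both dot-atom and quoted-string
# local parts are legal, and atext itself already includes $ ` | & { } ~ etc.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOMAIN = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)+"
RFC_LIKE = re.compile(rf'^(?:{ATEXT}+(?:\.{ATEXT}+)*|"[^"\\\r\n]*")@{DOMAIN}$')

# Strict policy for a field that may reach a shell: no quoted local part, and a
# local-part alphabet containing no shell-significant character at all.
STRICT = re.compile(rf'^[A-Za-z0-9._+-]+@{DOMAIN}$')

SHELL_META = set(';|&$`<>(){}"\'\\\n\t ')


def rfc_like_valid(addr: str) -> bool:
    return RFC_LIKE.fullmatch(addr) is not None


def strict_valid(addr: str) -> bool:
    return STRICT.fullmatch(addr) is not None


def contains_shell_meta(addr: str) -> bool:
    return any(c in SHELL_META for c in addr)


def build_sync_argv(username: str, email: str) -> list[str]:
    """Argument vector for a hypothetical sync helper (placeholder path).
    A list passed to subprocess.run() is never parsed by a shell, so even a
    metacharacter that slipped past validation would be plain data."""
    if not strict_valid(email):
        raise ValueError(f"rejected email: {email!r}")
    return ["/usr/local/sbin/sync-user-placeholder", "--name", username, "--email", email]


def audit(addrs):
    # (passes permissive check, passes strict check, contains shell metacharacters)
    return {a: (rfc_like_valid(a), strict_valid(a), contains_shell_meta(a)) for a in addrs}


if __name__ == "__main__":
    for addr, (rfc, strict, meta) in audit(SAMPLES).items():
        print(f"{addr:22} rfc_like={rfc!s:5} strict={strict!s:5} shell_meta={meta}")
    print(shlex.join(build_sync_argv("alice", "alice@example.com")))
```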

Remediation

Users can update to OPNsense version 26.1.8 to address this vulnerability.

Added: May 13, 2026, 10:30 PM
Updated: May 13, 2026, 10:30 PM

Vulnerability Rating

Custom Algorithm

spread          5.7
impact          7.5
exploitability  5.8
remediation     7.7
relevance       8.2
threat          6.4
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.