OPNsense
cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*
- <= 26.1.6
A logic flaw in OPNsense's lockout handler allows unauthenticated attackers to manipulate the authentication failure counter kept for their IP address. The flaw is present in OPNsense versions up to and including 26.1.6. The lockout handler tracks failed login attempts per source IP and bans offending addresses once a threshold is reached, but it decides whether an attempt succeeded by looking for success keywords such as 'Accepted' or 'Successful login', and it does so without isolating the attacker-supplied username from the rest of the event text. A login attempt whose username contains one of those keywords is therefore treated as a success. By interleaving such usernames with ordinary brute-force attempts, an attacker keeps the failure counter from ever reaching the lockout threshold and bypasses a key defence against credential stuffing and password guessing. The flaw affects both WebGUI and SSH password logins.
Exploiting this flaw neutralises the authentication lockout mechanism, so an attacker can continue guessing credentials indefinitely from a single IP address. If a guess eventually succeeds, the result is unauthorised access over whichever interface was targeted, the WebGUI or SSH.
To reproduce this vulnerability, send a series of ordinary failed login attempts (any username that does not contain a success keyword) from one IP address. Before the failure counter reaches the lockout threshold, submit an attempt whose username contains 'Accepted' or 'Successful login'; the lockout handler records it as a successful login and resets the failure counter for that IP. Repeating this pattern lets the brute-force run continue without the address ever being banned. The procedure can be automated with a Python script available as a gist on GitHub.
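The mechanism described above, and the interleaving pattern used to reproduce it, can be illustrated with a small model of a log-driven lockout handler. This is an added example, not OPNsense's own code: it assumes a handler that tallies failures per source IP by scanning sshd-style auth log lines, and it uses constructed log lines in which the attacker-chosen username is logged verbatim. The naive version treats a success keyword anywhere in the line as a successful login, which is the class of mistake the advisory describes; the strict version takes the outcome only from the fixed verb position of a fully parsed line and never inspects the username for keywords.

```python
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 5

# Constructed sshd-style auth log lines (not real OPNsense output).
# 203.0.113.5 is a brute-forcer that slips in the usernames "Accepted" and
# "Successful login"; 198.51.100.7 is a legitimate user who mistypes once.
SAMPLE_LOG = [
    "sshd[5001]: Failed password for invalid user alice from 203.0.113.5 port 40001 ssh2",
    "sshd[5002]: Failed password for invalid user bob from 203.0.113.5 port 40002 ssh2",
    "sshd[5003]: Failed password for invalid user carol from 203.0.113.5 port 40003 ssh2",
    "sshd[5004]: Failed password for invalid user Accepted from 203.0.113.5 port 40004 ssh2",
    "sshd[5005]: Failed password for invalid user dave from 203.0.113.5 port 40005 ssh2",
    "sshd[5006]: Failed password for invalid user erin from 203.0.113.5 port 40006 ssh2",
    "sshd[5007]: Failed password for invalid user Successful login from 203.0.113.5 port 40007 ssh2",
    "sshd[5008]: Failed password for invalid user frank from 203.0.113.5 port 40008 ssh2",
    "sshd[5009]: Failed password for admin from 198.51.100.7 port 40009 ssh2",
    "sshd[5010]: Accepted password for admin from 198.51.100.7 port 40010 ssh2",
]

SUCCESS_WORDS = ("Accepted", "Successful login")
FAILURE_WORDS = ("Failed password",)
IP_RE = re.compile(r" from (\d+\.\d+\.\d+\.\d+) ")


def naive_lockout(lines, threshold=LOCKOUT_THRESHOLD):
    """Vulnerable model: substring match over the whole line.

    The attacker-controlled username is part of the line, so a username such
    as "Accepted" turns a failure into a 'success' and resets the counter.
    Returns (failures per IP, set of banned IPs).
    """
    failures = defaultdict(int)
    banned = set()
    for line in lines:
        m = IP_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        if any(word in line for word in SUCCESS_WORDS):
            failures[ip] = 0            # "success" resets the counter
        elif any(word in line for word in FAILURE_WORDS):
            failures[ip] += 1
            if failures[ip] >= threshold:
                banned.add(ip)
    return dict(failures), banned


# Hardened model: the outcome verb sits at a fixed position in the message;
# the username is captured as opaque text and is never searched for keywords.
EVENT_RE = re.compile(
    r"^sshd\[\d+\]: (?P<verb>Accepted|Failed) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>.+?) from (?P<ip>\S+) port \d+ ssh2$"
)


def strict_lockout(lines, threshold=LOCKOUT_THRESHOLD):
    """Hardened model: classify by the parsed verb only.

    Lines that do not match the expected shape are ignored rather than being
    guessed at, so malformed or attacker-shaped text can never count as a
    success. Returns (failures per IP, set of banned IPs).
    """
    failures = defaultdict(int)
    banned = set()
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        if m["verb"] == "Accepted":
            failures[ip] = 0
        else:
            failures[ip] += 1
            if failures[ip] >= threshold:
                banned.add(ip)
    return dict(failures), banned


if __name__ == "__main__":
    print("naive :", naive_lockout(SAMPLE_LOG))    # brute-forcer never banned
    print("strict:", strict_lockout(SAMPLE_LOG))   # banned on the 5th failure
```

With the naive handler the brute-forcer's counter is reset twice and finishes at 1, so no ban is ever issued; the strict handler counts all eight failures and bans 203.0.113.5 at the fifth, while the genuine 'Accepted' line for 198.51.100.7 still clears that user's single mistake. The general lesson is that a log-driven lockout must derive the event outcome from a structured field, not from free text that an unauthenticated client can influence.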
Users are advised to update to OPNsense 26.1.7, which fixes this vulnerability. Until the update is applied, restricting WebGUI and SSH access to trusted networks limits the exposure of the lockout mechanism.