OPNsense Remote Code Execution Vulnerability via DHCP Configuration

Vulnerability

A remote code execution vulnerability has been identified in OPNsense versions prior to 26.1.8. Unsanitized user input is passed to the DHCP configuration of the affected interface and then processed by a shell script, which allows execution of arbitrary code as root on the underlying operating system. The vulnerability is reachable through the web UI, where users with 'page-interfaces' privileges can configure interfaces to use DHCP on IPv4. When the hostname is set to a value that includes a malicious payload, the crafted input is executed when the DHCP client script is processed.

Impact

Exploitation of this vulnerability allows for remote code execution as root on the OPNsense firewall.

Reproduction

To reproduce this vulnerability, log into the OPNsense web interface with a user account that has 'page-interfaces' privileges. Navigate to the interface settings and enable DHCP for IPv4. In the hostname field, enter a value that includes a command injection payload, such as a command to open a reverse shell. Save the changes and apply them, which will trigger the DHCP client to execute the injected command as root.

Remediation

Users should upgrade to OPNsense version 26.1.8 or later, where this vulnerability has been fixed.
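
For reviewing a configuration export before or after the upgrade, the following added example (not OPNsense code and not the project's fix) flags DHCP interfaces whose hostname is not a plain RFC 1123 hostname. It assumes the export stores the IPv4 method in an `ipaddr` element and the DHCP hostname in a `dhcphostname` element under `interfaces`; the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET

# RFC 1123 label: letters, digits and hyphens, 1-63 characters,
# never starting or ending with a hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_hostname(value: str) -> bool:
    """Allowlist check: dot-separated RFC 1123 labels, at most 253 characters."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def audit_dhcp_hostnames(config_xml: str):
    """Return [(interface, hostname)] for DHCP interfaces failing the allowlist."""
    root = ET.fromstring(config_xml)
    findings = []
    # Assumed layout: <interfaces><NAME><ipaddr>..</ipaddr><dhcphostname>..</dhcphostname>
    for iface in root.findall("./interfaces/*"):
        if (iface.findtext("ipaddr") or "").strip() != "dhcp":
            continue  # only interfaces that run the DHCP client matter here
        hostname = iface.findtext("dhcphostname")
        if not hostname:
            continue  # no hostname configured
        if not is_valid_hostname(hostname):
            findings.append((iface.tag, hostname))
    return findings


# Constructed sample export; values are illustrative, not taken from the advisory.
SAMPLE_CONFIG = """<opnsense>
  <interfaces>
    <wan><ipaddr>dhcp</ipaddr><dhcphostname>edge-fw01.example.net</dhcphostname></wan>
    <opt1><ipaddr>dhcp</ipaddr><dhcphostname>fw01;x</dhcphostname></opt1>
    <opt2><ipaddr>dhcp</ipaddr><dhcphostname>fw01 $x</dhcphostname></opt2>
    <lan><ipaddr>192.168.1.1</ipaddr><dhcphostname>lan host</dhcphostname></lan>
  </interfaces>
</opnsense>"""

if __name__ == "__main__":
    for name, value in audit_dhcp_hostnames(SAMPLE_CONFIG):
        print(f"{name}: DHCP hostname fails allowlist: {value!r}")
```

Any finding on a pre-26.1.8 system is worth tracing back to the account that saved the interface settings.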

Added: May 13, 2026, 10:18 PM
Updated: May 13, 2026, 10:18 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 7.5
exploitability: 6.2
remediation: 7.7
relevance: 8.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.