IHTeam’s security experts have discovered an RCE bug in a plugin for the pfSense firewall system.

Although the problematic pfBlockerNG plugin is not loaded by default, the issue was nonetheless fixed by a June software upgrade.

According to IHTeam, the underlying flaw exposed vulnerable installations to a root risk of unauthenticated remote code execution (RCE). The CVE number for the pfSense pfBlockerNG vulnerability is CVE-2022-31814.

Root cause analysis

pfSense is a firewall/router software distribution based on FreeBSD. The open source-based network firewall technology can be set up as a virtual appliance or on bare metal.

Within pfSense, there is a plugin component called pfBlockerNG that makes it easier to allow-list or deny-list entire IP ranges. According to the researchers, it is frequently used to block entire countries from communicating with networks running pfSense. They highlight several factors that make this issue particularly noteworthy.

The vulnerability is a remote command execution exploitable from an unauthenticated perspective and, on top of that, the web server runs with root privileges.

It’s important to note that the vulnerability only affects a pfSense plugin that is not installed by default.

According to IHTeam, it is difficult to estimate the number of affected systems without actively probing each potentially vulnerable system.

Shodan estimates that about 27,000 pfSense systems are reachable online, but this figure should not be read as a count of vulnerable systems: many of them will not be running the affected pfBlockerNG plugin, and installations that were vulnerable have probably been patched since the software update was released.

According to the pfBlockerNG maintainer, only versions 2.1.4_26 and lower are affected. The issue has been corrected and the fixed version can be installed through the package manager; the maintainer advises using pfBlockerNG-devel, which is unaffected.

Practical impact

The pfSense firewall’s distributor, Netgate, stated in answer to a similar question: “The issue they [the researchers] uncovered was in the pfBlockerNG package but had previously been addressed in the pfBlockerNG-devel package, which is the version the package maintainer recommends everyone use.”

According to Netgate, exploiting the bug requires access to the web server on the firewall, which should never be exposed on the WAN and is typically restricted internally when configured according to best practices. While the issue “had a high theoretical score, the total practical impact was assessed extremely minimal.”

According to IHTeam, the developers continue to ship both branches and let users choose between installing the 2.x branch and the 3.x branch.

According to the researchers, the confusion could be readily cleared up by removing the 2.x branch from the list of available plugins.

IHTeam discovered the pfBlockerNG vulnerability while conducting an independent security evaluation of what turned out to be a vulnerable version of the product. IHTeam posted a technical description of the problem on its blog on Monday (September 5).

Dev lessons

According to an IHTeam researcher who requested anonymity, the bug’s characteristics could serve as a teaching tool for other software developers.

The researcher stated: “Developers should exercise extra caution when managing user input to avoid these types of vulnerabilities (not only via direct GET and POST requests, but also via input that might be passed in request headers such as Cookies, Host or User-Agent).

“Before being sent to the programme, every piece of user input needs to be thoroughly examined and cleaned, not just for command execution but also for other attack types like cross-site scripting (XSS) or SQL injection,” they continued.
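The researcher’s point about header input, as an added example that is not part of the article and not pfBlockerNG’s own code: a Python validator that accepts a Host header only when it is a well-formed hostname or IPv4 literal (with an optional port) and rejects everything else, a User-Agent cleaner for safe logging, and a command builder that produces an argument list rather than a shell string. The header names come from the quote above; the lookup tool path and all sample values are constructed assumptions for the demonstration.

```python
"""Treating HTTP request headers as untrusted input (added example, not from
the IHTeam write-up or the pfBlockerNG source).  The lookup tool path and the
sample header values below are constructed for the demo."""
import ipaddress
import re
from typing import List, Optional

# Grammar for one DNS hostname: labels of 1-63 alphanumerics/hyphens that do not
# start or end with a hyphen, 253 chars overall, optional trailing dot.
# Shell metacharacters, spaces, quotes and control characters never match it, so
# the policy is "reject" rather than "escape".  IPv6 bracket literals are not
# accepted here; a real deployment would add them explicitly.
_HOSTNAME_RE = re.compile(
    r"(?=.{1,253}\Z)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?"
)


def validate_host_header(value: str) -> Optional[str]:
    """Return a normalised 'host[:port]' string, or None when the header is not a
    well-formed host.  Callers must treat None as a hard rejection."""
    host, sep, port = value.rpartition(":")
    if not sep:                       # no ":port" suffix present
        host, port = value, ""
    if port and not (port.isdigit() and 0 < int(port) < 65536):
        return None
    suffix = f":{port}" if port else ""
    if _HOSTNAME_RE.fullmatch(host):
        return host.lower().rstrip(".") + suffix
    try:                              # plain IPv4 literal such as 192.0.2.10
        ipaddress.IPv4Address(host)
        return host + suffix
    except ValueError:
        return None


def sanitize_user_agent(value: str, max_len: int = 256) -> str:
    """User-Agent is free text, so it is never used to build a command; it is
    only logged, after dropping control characters (which could forge extra
    log lines) and capping the length."""
    printable = "".join(ch for ch in value if 32 <= ord(ch) < 127)
    return printable[:max_len]


def build_lookup_argv(raw_host_header: str) -> List[str]:
    """Build argv for a hypothetical lookup tool (path is an assumption).  The
    header is validated first, and the command is an argument list that is
    never handed to a shell, so no header content is ever parsed as syntax."""
    host = validate_host_header(raw_host_header)
    if host is None:
        raise ValueError("rejected malformed Host header")
    return ["/usr/bin/host", host.split(":")[0]]


if __name__ == "__main__":
    # Constructed sample header values, not captured traffic.
    for sample in ["fw.example.test:8443", "192.0.2.10", "host;x", "-bad.example.test"]:
        try:
            print(f"{sample!r:28} -> {build_lookup_argv(sample)}")
        except ValueError as err:
            print(f"{sample!r:28} -> {err}")
    print(repr(sanitize_user_agent("Mozilla/5.0\r\nforged line")))
```

The design choice worth noting is that validation and command construction are separate defences: the validator enforces a positive grammar for the header (what a host may look like), and the argv list removes the shell parser from the path entirely, so a weakness in one does not become command execution on its own.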