A vulnerability, which was classified as critical, has been found in pfSense up to 2.4.2 (Firewall Software). This issue affects some unknown functionality of the file /usr/local/www/csrf/csrf-magic.php of the component WebGUI. The manipulation with an unknown input leads to a clickjacking vulnerability. Using CWE to declare the problem leads to CWE-451. The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

/usr/local/www/csrf/csrf-magic.php in the WebGUI in pfSense before 2.4.2-RELEASE allows Clickjacking on the CSRF error page because the error detection occurs before an X-Frame-Options header is set.

The weakness was presented 01/03/2018 (Website). It is possible to read the advisory at doc.pfsense.org. The identification of this vulnerability is CVE-2018-5191 since 01/03/2018. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1566.003 according to MITRE ATT&CK.

By approaching the search of inurl:usr/local/www/csrf/csrf-magic.php it is possible to find vulnerable targets with Google Hacking.

Upgrading to version 2.4.2-RELEASE eliminates this vulnerability.

Productinfo

Type

• Firewall Software

Name

• pfSense

Version

• 2.4.0
• 2.4.1
• 2.4.2

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion