CVE-2017-1000479

HIGH

pfSense <2.4.2-RELEASE - CSRF

Title source: llm

Description

pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions.

Exploits (1)

metasploit WORKING POC NORMAL

rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/http/pfsense_clickjacking.rb

View Code ZIP pw:eip

References (6)

[Exploit, Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2017/11/22/7

[Issue Tracking, Vendor Advisory] https://doc.pfsense.org/index.php/2.4.2_New_Features_and_Changes

[Patch, Third Party Advisory] https://github.com/opnsense/core/commit/d218b225

[Patch, Third Party Advisory] https://github.com/pfsense/pfsense/commit/386d89b07

[Third Party Advisory] https://www.netgate.com/blog/pfsense-2-4-2-release-p1-and-2-3-5-release-p1-now-available.html

[Exploit, Third Party Advisory] https://www.securify.nl/en/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html

Scores

CVSS v3 8.8

EPSS 0.1899

EPSS Percentile 95.3%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-352

Status published

Products (2)

netgate/pfsense < 2.4.1

opnsense_project/opnsense < 16.1.16

Published Jan 03, 2018

Tracked Since Feb 18, 2026