CVE CyberSecurity Database News

CVE-2023-38998 - Open Redirect in OPNsense <23.7 — What It Means and How Attackers Can Exploit It

Poster -

Security vulnerabilities can sometimes seem complicated, but some are dangerously simple. CVE-2023-38998 is a perfect example. Found in the OPNsense firewall before version 23.7, it lets bad actors use a carefully crafted link to redirect users to any site of their choosing. Here’s an easy-to-follow breakdown of this vulnerability, how it works, and what you can do about it.

What Is OPNsense?

OPNsense is a popular open-source firewall and routing platform, used by many businesses and individuals to protect their networks. Its web-based interface makes management easy — but with that convenience comes the risk of web-based security issues.

What is an Open Redirect?

An "open redirect" lets an attacker send a user through the legitimate site, but then bounce them to another (potentially malicious) site by tinkering with the URL. The target may not realize they're leaving the protected environment, making it easier for attackers to steal credentials or drop malware.

How Does The Exploit Work?

The login page had a URL parameter (like ?redirect=) that should only allow redirects to internal pages. But in vulnerable versions, it accepted any destination, including domains not controlled by you.

Example Vulnerable URL

https://evil.com" rel="nofollow">https://opnsense.example.com/login.php?redirect=https://evil.com

If you click this link and then log in, you'll be sent straight to https://evil.com after logging in — even though you expected to land on your firewall's dashboard.

Let's see a simplified example in PHP

$redirect = $_GET['redirect'];
if (!empty($redirect)) {
    header("Location: $redirect");
    exit;
}

This code does not check if $redirect is a safe, internal location. An attacker can set it to anything, and your browser will obey.

What's the Real-life Impact?

- Phishing: Attackers can send users a legit-looking link to the OPNsense login page with redirect set to their phishing site. Even security-aware users might fall for it.

Let's say you get an email asking you to log into your firewall

> Dear user,  
> We detected some unusual activity. Please login to check your account:  
> https://opnsense.example.com/login.php?redirect=https://stealyourcreds.badguy.com  
>
> --IT Support

If you log in using this link, you’ll be whisked right to the attacker’s website — which might look like your company’s dashboard. You might enter your credentials _again_, or fall for some other trick.

Technical Details and References

- CVE entry: CVE-2023-38998 at NVD
- OPNsense Security Advisories: OPNsense News & Announcements
- Proof of Concept, via HackerOne report: Original Report *(if link becomes public)*

Mitigation:

If you can’t upgrade, block URLs with suspicious redirect parameters via a web application firewall (WAF) or rewrite rules.

A fixed version should _validate_ the redirect parameter

$redirect = $_GET['redirect'];
$allowed_domains = ['opnsense.example.com'];
$parsed_url = parse_url($redirect);

if ($parsed_url['host'] == 'opnsense.example.com' || $redirect[] == '/') {
    header("Location: $redirect");
    exit;
} else {
    // Redirect to a safe default
    header("Location: /dashboard.php");
    exit;
}

Final Thoughts

Open redirects are simple, but potentially devastating, especially for security devices like OPNsense. If you run anything earlier than 23.7, patch now, and remind users not to trust login links sent by email or chat. Attackers love simple tricks — don’t make it easy for them!


Want to know more?  
- CVE-2023-38998 at NVD
- OPNsense Official Website
- General info on Open Redirects (OWASP)

Staying up-to-date and vigilant is your best defense!

Timeline

Published on: 08/09/2023 19:15:00 UTC
Last modified on: 08/15/2023 15:08:00 UTC