The developers of pfSense, an open source firewall with VPN functionality, have closed three security gaps in current versions. If attackers successfully exploit them, they can access the system and execute their own commands.
The vulnerability rated most dangerous (CVE-2022-24299, "high") affects the WebGUI module. Remote, authenticated attackers can send special requests to the vpn_openvpn_server.php and vpn_openvpn_client.php pages and trigger errors due to a lack of checks. Ultimately, this allows attackers to execute their own commands.
Security update available
By successfully exploiting the second vulnerability (CVE-2022-26019, "medium"), a remote attacker can overwrite files. The third vulnerability (CVE-2021-20729, "medium") can cause victims' web browsers to run attacker scripts. Session cookies, for example, can leak this way.
The developers state that the versions pfSense Plus 2.5.x, 21.05.x, 21.09, 22.01 and pfSense CE 2.6.0 are secured against the described attacks.