Executive Summary

CVE-2019-25370 is a reflected cross-site scripting (XSS) vulnerability in OPNsense 19.1. It allows attackers to inject malicious scripts by submitting specially crafted input through multiple parameters in the web interface.

Attackers can send POST requests to the interfaces_vlan_edit.php page with script payloads in parameters such as tag, descr, or vlanif, which results in execution of arbitrary JavaScript code in the browsers of users who access the affected interface.

This vulnerability affects multiple POST parameters across various URLs in OPNsense, enabling injection and execution of malicious scripts in the context of the victim’s browser.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to attackers executing arbitrary JavaScript code in the browsers of users interacting with the OPNsense web interface.'}, {'type': 'paragraph', 'content': 'Potential impacts include session hijacking, defacement of the web interface, theft of sensitive information, or performing actions on behalf of the user without their consent.'}, {'type': 'paragraph', 'content': "Because the attack is executed in the context of the victim's browser, it can compromise user trust and the security of the network management environment."}] [2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'The CVE-2019-25370 vulnerability involves reflected and stored cross-site scripting (XSS) flaws in multiple POST parameters of the OPNsense web interface. Detection can focus on monitoring or testing these parameters for injection of malicious scripts.'}, {'type': 'list_item', 'content': 'Test POST requests to the following vulnerable endpoints with typical XSS payloads such as "><script>alert(1)</script> or <img src=x onerror=alert(1)>:'}, {'type': 'list_item', 'content': '/interfaces_vlan_edit.php with parameters tag, descr, vlanif'}, {'type': 'list_item', 'content': '/diag_backup.php with parameters GDrive_GDriveEmail, GDrive_GDriveFolderID, GDrive_GDriveBackupCount, Nextcloud_url, Nextcloud_user, Nextcloud_password, Nextcloud_password_encryption, Nextcloud_backupdir'}, {'type': 'list_item', 'content': '/system_advanced_sysctl.php?act=edit with parameters value and tunable'}, {'type': 'list_item', 'content': '/diag_ping.php and /diag_traceroute.php with parameter host'}, {'type': 'list_item', 'content': '/vpn_ipsec_settings.php with parameter passthrough_networks[]'}, {'type': 'list_item', 'content': '/ui/monit with parameter mailserver'}, {'type': 'list_item', 'content': '/ui/proxy with parameter ignoreLogACL'}, {'type': 'paragraph', 'content': 'You can use tools like curl or specialized web vulnerability scanners to send crafted POST requests to these endpoints and observe if the injected scripts are reflected in the response, indicating the presence of the vulnerability.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade OPNsense to version 19.1.1 or later, where this vulnerability has been addressed.

The update includes improved input validation and escaping mechanisms to prevent XSS attacks.

Additional security improvements in the update include patches to third-party libraries and other firewall component fixes.

Until the update can be applied, restrict access to the OPNsense web interface to trusted users and networks to reduce exposure.

Useful 0 Not Useful 0