CVE-2023-27100: 
pfSense Plus vulnerability analysis and mitigation

Improper restriction of excessive authentication attempts in the SSHGuard component of Netgate pfSense Plus software v22.05.1 and pfSense CE software v2.6.0 allows attackers to bypass brute force protection mechanisms via crafted web requests. The vulnerability was discovered by Fabien MAISONNETTE and assigned CVE-2023-27100. The issue was fixed in pfSense Plus 23.01 and later versions, and pfSense CE 2.7.0 and later versions (Netgate Advisory).

The vulnerability exists in the authentication system's handling of proxy headers during GUI login attempts. When users log in via the GUI, the system prints extra information including authentication source and proxy headers (X-Forwarded-For and Client-IP) after the IP address in log messages. For GUI login failures, the log entries included these proxy header contents submitted by the client. This additional information confused the sshguard authentication log parser, causing it to fail to recognize the client IP address in authentication error messages (Netgate Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (NVD).

Due to this vulnerability, login protection managed by sshguard, such as preventing brute force attempts, may not be enforced depending on the content of the request headers in GUI authentication attempts. This allows an attacker to continue GUI login attempts indefinitely, potentially leading to unauthorized access through brute force attacks (Netgate Advisory).

Several mitigation strategies are recommended: 1) Upgrade to pfSense Plus software version 23.01 or later, or pfSense CE software version 2.7.0 or later, 2) Do not expose the WebGUI service to untrusted networks, 3) Use strong authentication credentials, 4) Do not use default accounts for management. Users on pfSense Plus version 22.05, 22.05.1, and pfSense CE version 2.6.0 can apply the fix from the recommended patches list in the System Patches package (Netgate Advisory).