CVE-2023-42326: 
pfSense Plus vulnerability analysis and mitigation

A critical command injection vulnerability (CVE-2023-42326) was discovered in Netgate pfSense v.2.7.0 that allows remote attackers to execute arbitrary code via crafted requests to the interfacesgifedit.php and interfacesgreedit.php components. The vulnerability affects pfSense CE 2.7.0 and below, as well as pfSense Plus 23.05.1 and below. The issue was discovered in July 2023 and patched in pfSense CE 2.7.1 and pfSense Plus 23.09 (Sonar Blog, Netgate Advisory).

The vulnerability stems from insufficient validation and escaping of user input in the interfacesgifedit.php and interfacesgreedit.php components. When creating or editing a GIF interface, the submitted POST 'gifif' or 'greif' value is not properly validated before being used in shell commands. The pfSense process runs as root to enable network setting changes, allowing attackers to execute arbitrary system commands with root privileges. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Sonar Blog).

The vulnerability allows authenticated attackers to execute arbitrary commands with root privileges on affected pfSense appliances. With these capabilities, attackers can manipulate the firewall, monitor local network traffic, or launch attacks against services within the protected network. The impact is particularly severe as security inside local networks often relies heavily on firewall protection (Sonar Blog, Hacker News).

The vulnerability has been patched in pfSense CE 2.7.1 and pfSense Plus 23.09. For users unable to upgrade immediately, Netgate recommends limiting access to the affected pages to trusted administrators only and avoiding logging into the firewall with browsers used for non-administrative web browsing. The patch implements proper input validation and escaping using the escapeshellarg() function for all shell command arguments (Netgate Advisory, Sonar Blog).