CVE-2017-1000479 : pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged e

pfSense versions 2.4.1 and lower are vulnerable to clickjacking attacks in the CSRF error page resulting in privileged execution of arbitrary code, because the error detection occurs before an X-Frame-Options header is set. This is fixed in 2.4.2-RELEASE. OPNsense, a 2015 fork of pfSense, was not vulnerable since version 16.1.16 released on June 06, 2016. The unprotected web form was removed from the code during an internal security audit under "possibly insecure" suspicions.

Published 2018-01-03 18:29:00

Updated 2019-05-30 14:57:55

Source MITRE

View at NVD, CVE.org

Vulnerability category: Cross-site request forgery (CSRF)

Exploit prediction scoring system (EPSS) score for CVE-2017-1000479

Probability of exploitation activity in the next 30 days: 1.15%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 83 % EPSS Score History EPSS FAQ

Metasploit modules for CVE-2017-1000479

Clickjacking Vulnerability In CSRF Error Page pfSense

Disclosure Date: 2017-11-21

First seen: 2020-04-26

exploit/unix/http/pfsense_clickjacking

This module exploits a Clickjacking vulnerability in pfSense <= 2.4.1. pfSense is a free and open source firewall and router. It was found that the pfSense WebGUI is vulnerable to Clickjacking. By tricking an authenticated admin into interacting with a speci

More information

CVSS scores for CVE-2017-1000479

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P	8.6	6.4	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
8.8	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	2.8	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2017-1000479

CWE-352 Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2017-1000479

https://github.com/pfsense/pfsense/commit/386d89b07

Prevent Clickjacking in CSRF error page · pfsense/pfsense@386d89b · GitHub
Patch;Third Party Advisory
https://github.com/opnsense/core/commit/d218b225

csrf: tighten csrf code paths a little · opnsense/core@d218b22 · GitHub
Patch;Third Party Advisory
https://www.netgate.com/blog/pfsense-2-4-2-release-p1-and-2-3-5-release-p1-now-available.html

pfSense 2.4.2-RELEASE-p1 and 2.3.5-RELEASE-p1 now available
Third Party Advisory
https://www.securify.nl/en/advisory/SFY20171101/clickjacking-vulnerability-in-csrf-error-page-pfsense.html

Clickjacking vulnerability in CSRF error page pfSense - Security Advisories and Insights - Securify B.V.
Exploit;Third Party Advisory
https://doc.pfsense.org/index.php/2.4.2_New_Features_and_Changes

Releases — 2.4.2 New Features and Changes | pfSense Documentation
Issue Tracking;Vendor Advisory
http://www.openwall.com/lists/oss-security/2017/11/22/7

oss-security - Clickjacking vulnerability in CSRF error page pfSense
Exploit;Mailing List;Third Party Advisory

Products affected by CVE-2017-1000479

Netgate » Pfsense
Versions up to, including, (<=) 2.4.1
cpe:2.3:a:netgate:pfsense:*:*:*:*:*:*:*:*
Matching versions
Opnsense Project » Opnsense
Versions before (<) 16.1.16
cpe:2.3:a:opnsense_project:opnsense:*:*:*:*:*:*:*:*
Matching versions