CVE-2019-25369
📋 TL;DR
CVE-2019-25369 is a stored cross-site scripting (XSS) vulnerability in OPNsense 19.1 that allows attackers to inject persistent malicious scripts via the system_advanced_sysctl.php endpoint. When authenticated users view the affected page, the injected scripts execute in their browser context, potentially leading to session hijacking or administrative actions. This affects all OPNsense 19.1 installations with default configurations.
💻 Affected Systems
- OPNsense
📦 What is this software?
Opnsense by Opnsense
⚠️ Risk & Real-World Impact
Worst Case
Attackers could hijack administrator sessions, gain full control of the firewall appliance, modify firewall rules, intercept network traffic, or pivot to internal networks.
Likely Case
Attackers with access to the admin interface could steal session cookies, perform actions as authenticated users, or deploy additional payloads to compromise the device.
If Mitigated
With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploit requires authentication to the OPNsense web interface. Public exploit code demonstrates simple script injection via POST requests to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 19.1.1 and later
Vendor Advisory: https://forum.opnsense.org/index.php?topic=11469.0
Restart Required: No
Instructions:
1. Log into the OPNsense web interface.
2. Navigate to System > Firmware > Updates.
3. Click 'Check for updates'.
4. Apply all available updates.
5. Verify the version is 19.1.1 or newer.
🔧 Temporary Workarounds
Input Validation via Web Proxy
Deploy a web application firewall or reverse proxy to filter malicious script payloads targeting the system_advanced_sysctl.php endpoint.
Access Restriction
Restrict access to the OPNsense admin interface to trusted IP addresses only using firewall rules.
Configure firewall rules in OPNsense (Interfaces > [Admin Interface] > Firewall rules) to allow only specific source IPs.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user-controllable parameters in custom configurations.
- Monitor and audit all POST requests to system_advanced_sysctl.php for suspicious script patterns.
🔍 How to Verify
Check if Vulnerable:
Check OPNsense version via web interface dashboard or CLI: opnsense-version. If version is exactly 19.1, the system is vulnerable.
Check Version:
opnsense-version
Verify Fix Applied:
Verify version is 19.1.1 or newer. The original one-liner reported every release outside the 19.1.x line (for example 19.7 or 20.1) as 'Vulnerable'; the check below instead flags only a bare 19.1 version string (no patch number following it) and reports anything else as patched: opnsense-version | grep -qE '(^|[^0-9.])19\.1([^0-9.]|$)' && echo 'Vulnerable' || echo 'Patched'
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /system_advanced_sysctl.php containing script tags or JavaScript code
- Multiple failed authentication attempts followed by successful login and POST to vulnerable endpoint
Network Indicators:
- HTTP POST requests to OPNsense admin interface with script payloads in tunable parameter
- Unexpected outbound connections from OPNsense device after admin interface access
SIEM Query:
source="opnsense.log" AND (uri_path="/system_advanced_sysctl.php" AND (http_method="POST" AND (request_body LIKE "%<script>%" OR request_body LIKE "%javascript:%")))
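The SIEM query above only matches a literal <script> or javascript: in the request body, so a URL-encoded payload (%3Cscript%3E) slips past it. The following detector, an added example and not part of this advisory or of OPNsense, applies the same indicators (POST to system_advanced_sysctl.php with script tags, javascript: URIs, or inline event handlers) after URL-decoding the body up to two times. The log format and sample lines are constructed for the example; adapt parse_line to your proxy or SIEM's actual field layout.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample records (not real OPNsense log output): one
# normalised key=value line per HTTP request, as a SIEM might emit them.
SAMPLE_LOGS = [
    'src=10.0.0.5 method=POST uri=/system_advanced_sysctl.php body="tunable=net.inet.ip.forwarding&value=1"',
    'src=10.0.0.6 method=POST uri=/system_advanced_sysctl.php body="tunable=%3Cscript%3Ealert(1)%3C%2Fscript%3E&value=1"',
    'src=10.0.0.9 method=GET uri=/system_advanced_sysctl.php body=""',
    'src=10.0.0.7 method=POST uri=/system_advanced_sysctl.php body="descr=javascript%3Aalert(1)"',
    'src=10.0.0.8 method=POST uri=/index.php body="x=<script>"',
]

VULN_URI = "/system_advanced_sysctl.php"
LINE_RE = re.compile(
    r'src=(?P<src>\S+) method=(?P<method>\S+) uri=(?P<uri>\S+) body="(?P<body>[^"]*)"'
)
# Script tag, javascript: URI, or an inline event handler such as onerror=.
# \b before "on" avoids matching tunable names like somaxconn=.
SCRIPT_RE = re.compile(r'<\s*script|javascript\s*:|\bon\w+\s*=', re.IGNORECASE)


def parse_line(line):
    """Return the record's fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_suspicious(rec):
    """True for a POST to the vulnerable endpoint whose body carries a script pattern."""
    if rec["method"] != "POST" or rec["uri"] != VULN_URI:
        return False
    body = rec["body"]
    # Check the raw body, then the single- and double-URL-decoded forms,
    # so percent-encoded payloads are not missed.
    for _ in range(3):
        if SCRIPT_RE.search(body):
            return True
        body = unquote_plus(body)
    return False


def find_alerts(lines):
    """Return the source addresses of all records that match the indicators."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            alerts.append(rec["src"])
    return alerts


if __name__ == "__main__":
    print(find_alerts(SAMPLE_LOGS))
```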