CVE-2019-25377
📋 TL;DR
This CVE describes a reflected cross-site scripting (XSS) vulnerability in OPNsense 19.1's system_advanced_sysctl.php endpoint. Attackers can inject malicious scripts via the value parameter in POST requests, potentially executing JavaScript in the context of authenticated user sessions. This affects OPNsense users running version 19.1, particularly those with internet-facing or internal administrative interfaces.
💻 Affected Systems
- OPNsense
📦 What is this software?
OPNsense, an open-source firewall and routing platform, by the OPNsense project
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal authenticated session cookies, perform actions as the authenticated user (like changing configurations), or redirect users to malicious sites, leading to full system compromise if administrative credentials are hijacked.
Likely Case
Attackers may steal session tokens to gain unauthorized access to the OPNsense web interface, potentially altering firewall rules or network settings.
If Mitigated
With proper input validation and output encoding, the risk drops to negligible, since injected scripts are neutralized before they can execute.
🎯 Exploit Status
Exploitation requires the attacker to trick an authenticated user into clicking a malicious link, making it a client-side attack with low technical complexity.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OPNsense 19.1.1 or later
Vendor Advisory: https://forum.opnsense.org/index.php?topic=11469.0
Restart Required: No
Instructions:
1. Log into the OPNsense web interface.
2. Navigate to System > Firmware > Updates.
3. Check for and apply available updates to upgrade to version 19.1.1 or higher.
4. Verify the update completes successfully.
🔧 Temporary Workarounds
Input Validation via Web Application Firewall (WAF)
Deploy a WAF to filter and block malicious script payloads in POST requests to the vulnerable endpoint.
Configure WAF rules to sanitize or block requests containing script tags or JavaScript in the value parameter.
🧯 If You Can't Patch
- Restrict access to the OPNsense administrative interface to trusted IP addresses only using firewall rules.
- Educate users to avoid clicking on untrusted links and to log out of sessions when not in use.
🔍 How to Verify
Check if Vulnerable:
Check the OPNsense version via the web interface or command line; if it is 19.1, it is likely vulnerable.
Check Version:
opnsense-version
Verify Fix Applied:
After updating, confirm the version is 19.1.1 or later and test the system_advanced_sysctl.php endpoint with a safe payload to ensure scripts are not executed.
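The version check above can be scripted so that it is repeatable across many firewalls. The following is an added example, not part of this advisory or of the OPNsense project: it parses the output of opnsense-version (the "OPNsense 19.1.1 (amd64/OpenSSL)" format is assumed) and reports whether the host is in the affected 19.1 range or already at the fixed 19.1.1 or later.

```python
"""Classify an OPNsense version string against this advisory's affected/fixed range.

Added example; the output format 'OPNsense 19.1.1 (amd64/OpenSSL)' is an assumption,
so the parser only relies on the first dotted version number it finds.
"""
import re
import subprocess

AFFECTED_BRANCH = (19, 1)      # the advisory names 19.1 as affected
FIXED_VERSION = (19, 1, 1)     # first version carrying the fix
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(output):
    """Return (major, minor, patch) from opnsense-version output; a missing
    patch level (e.g. '19.1') is treated as 0."""
    match = VERSION_RE.search(output)
    if not match:
        raise ValueError("no version number found in: %r" % output)
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_fixed(output):
    """True when the reported version is 19.1.1 or later."""
    return parse_version(output) >= FIXED_VERSION


def is_affected(output):
    """True only for the 19.1 branch below the fixed release; other branches
    are outside the scope of this advisory and return False."""
    version = parse_version(output)
    return version[:2] == AFFECTED_BRANCH and version < FIXED_VERSION


def check_local_host():
    """Run opnsense-version on this host (hypothetical helper for use on the
    firewall itself) and return True when the fix is present."""
    result = subprocess.run(["opnsense-version"], capture_output=True,
                            text=True, check=True)
    return is_fixed(result.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from a real system
    for sample in ("OPNsense 19.1 (amd64/OpenSSL)", "OPNsense 19.1.1 (amd64/OpenSSL)"):
        print(sample, "-> affected:", is_affected(sample), "fixed:", is_fixed(sample))
```

Run it on the firewall with check_local_host(), or feed it version strings collected from a fleet inventory; anything that returns is_affected() == True still needs the 19.1.1 update.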
📡 Detection & Monitoring
Log Indicators:
- Look for POST requests to system_advanced_sysctl.php with unusual or script-like content in the value parameter in web server logs.
Network Indicators:
- Monitor for HTTP requests containing JavaScript or script tags in POST data to the vulnerable endpoint.
SIEM Query:
source="opnsense_logs" AND uri="/system_advanced_sysctl.php" AND method="POST" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
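The log indicators and SIEM query above can be turned into a small scanner that runs over exported request records. The following is an added example, not code from this advisory or from OPNsense: it takes records with a method, URI and raw POST body (the record layout and the field names other than value are assumptions), URL-decodes the value parameter an extra time and lower-cases it so that encoded or mixed-case variants of the two markers in the SIEM query (<script and javascript:) are still matched, and returns only POSTs to system_advanced_sysctl.php.

```python
"""Flag POST requests to system_advanced_sysctl.php whose 'value' parameter
looks script-like. Added example; record layout is assumed, not OPNsense's."""
from urllib.parse import parse_qs, unquote_plus

VULN_ENDPOINT = "/system_advanced_sysctl.php"
# Markers from the advisory's SIEM query; compared case-insensitively after decoding
SCRIPT_MARKERS = ("<script", "javascript:")


def normalize(raw):
    """Decode one more layer of URL encoding and lower-case, so that
    %3Cscript, <SCRIPT or double-encoded forms all compare equal."""
    return unquote_plus(raw).lower()


def is_script_like(raw_value):
    """True when a decoded parameter value contains one of the markers."""
    decoded = normalize(raw_value)
    return any(marker in decoded for marker in SCRIPT_MARKERS)


def find_xss_attempts(records):
    """Return the records that are POSTs to the vulnerable endpoint carrying a
    script-like 'value' parameter. Each record is a dict with src_ip, method,
    uri and body (raw application/x-www-form-urlencoded string)."""
    hits = []
    for rec in records:
        if rec.get("method", "").upper() != "POST":
            continue
        path = rec.get("uri", "").split("?", 1)[0]   # ignore any query string
        if path != VULN_ENDPOINT:
            continue
        # parse_qs URL-decodes each field once; keep blanks so empty values parse
        fields = parse_qs(rec.get("body", ""), keep_blank_values=True)
        if any(is_script_like(v) for v in fields.get("value", [])):
            hits.append(rec)
    return hits


# Constructed sample records (not real logs). Field names other than 'value'
# are placeholders. Cases: benign POST, GET, plain <script>, double-encoded and
# mixed-case javascript:, and a <script> marker sent to a different page.
SAMPLE_RECORDS = [
    {"src_ip": "10.0.0.5", "method": "POST", "uri": "/system_advanced_sysctl.php",
     "body": "tunable=net.inet.ip.forwarding&value=1&descr=Enable+forwarding"},
    {"src_ip": "10.0.0.9", "method": "GET", "uri": "/system_advanced_sysctl.php",
     "body": ""},
    {"src_ip": "198.51.100.7", "method": "POST", "uri": "/system_advanced_sysctl.php",
     "body": "tunable=x&value=%3Cscript%3Etest%3C%2Fscript%3E"},
    {"src_ip": "198.51.100.8", "method": "POST", "uri": "/system_advanced_sysctl.php?id=1",
     "body": "value=%2522JaVaScRiPt%253Ax%2522"},
    {"src_ip": "10.0.0.5", "method": "POST", "uri": "/system_advanced.php",
     "body": "value=%3Cscript%3E"},
]


def scan_samples():
    """Convenience wrapper returning the source IPs flagged in SAMPLE_RECORDS."""
    return [rec["src_ip"] for rec in find_xss_attempts(SAMPLE_RECORDS)]


if __name__ == "__main__":
    for ip in scan_samples():
        print("possible XSS attempt from", ip)
```

One caveat for deployment: a standard access log records only the method and URI, not the POST body, so the value parameter is only visible if request-body logging is enabled on a reverse proxy or WAF in front of the interface, or if the SIEM ingests such audit records. Without that, the query above degrades to "unexpected POSTs to system_advanced_sysctl.php from untrusted sources", which is still worth alerting on when access is restricted as recommended.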