CVE-2020-21487
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in Netgate pfSense's ACME package that allows attackers to inject malicious script via the RootFolder field. When exploited, this could enable attackers to execute arbitrary script in the browser session of authenticated users. Affected systems include pfSense 2.4.4 installations with ACME package version 0.6.3.
💻 Affected Systems
- Netgate pfSense
- ACME package
📦 What is this software?
pfSense by Netgate
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary code with administrative privileges, potentially gaining full control of the pfSense firewall, intercepting network traffic, or pivoting to internal networks.
Likely Case
Attackers could steal session cookies, perform actions as authenticated users, or redirect users to malicious sites, compromising the firewall's administrative interface.
If Mitigated
With proper input validation and output encoding, the vulnerability would be prevented, though the attack surface remains if other XSS vectors exist.
🎯 Exploit Status
Exploitation requires the attacker to have access to the ACME package interface, typically requiring authentication. The vulnerability is in a web interface component.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: ACME package version 0.6.4 or later, pfSense 2.4.5 or later
Vendor Advisory: https://redmine.pfsense.org/issues/9888
Restart Required: No
Instructions:
1. Update pfSense to version 2.4.5 or later via System > Update.
2. Update the ACME package to version 0.6.4 or later via System > Package Manager.
3. Verify the fix by checking the version in the ACME package settings.
🔧 Temporary Workarounds
Disable ACME package
FreeBSD: Temporarily disable the ACME package if it is not required, removing the vulnerable component.
pkg delete acme
Restrict access to ACME interface
All platforms: Limit access to the ACME package web interface using firewall rules or access controls.
🧯 If You Can't Patch
- Implement strict input validation and output encoding for the RootFolder field in acme_certificates.php.
- Use web application firewalls (WAF) to filter malicious payloads targeting the ACME interface.
🔍 How to Verify
Check if Vulnerable:
Check ACME package version via pfSense web interface: System > Package Manager > Installed Packages, look for ACME version 0.6.3.
Check Version:
pkg info | grep acme
Verify Fix Applied:
Verify ACME package version is 0.6.4 or later and pfSense version is 2.4.5 or later in System > Update.
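The version check above can be scripted against the output of `pkg info`. The following is an added example, not pfSense or vendor code; it assumes the package name `pfSense-pkg-acme` and the fixed version 0.6.4 from this advisory, and the `pkg info` output it parses is constructed. It strips the FreeBSD port revision (`_N`) and epoch (`,N`) suffixes before comparing, so a build such as `0.6.4_1` is correctly reported as fixed.

```python
"""Check `pkg info` output for a vulnerable pfSense ACME package version.
Added illustration for CVE-2020-21487; not pfSense code. Package name and
sample output below are assumptions/constructed."""
import re

# Fixed version per the advisory: ACME package 0.6.4 or later
FIXED_ACME = (0, 6, 4)

# Typical `pkg info` line: "<name>-<version>   <description>"
PKG_LINE_RE = re.compile(r"^(?P<name>.+?)-(?P<version>\d\S*)(?:\s+(?P<desc>.*))?$")

# Constructed sample output (not a real capture)
SAMPLE_PKG_INFO = """pfSense-pkg-acme-0.6.3             ACME package for pfSense
pfSense-pkg-openvpn-client-export-1.4.17 OpenVPN client export
"""


def parse_version(ver):
    """Turn a FreeBSD pkg version into a comparable tuple.
    Drops ',epoch' and '_portrevision' suffixes; compares the base X.Y.Z only."""
    base = ver.split(",")[0].split("_")[0]
    return tuple(int(p) for p in base.split("."))


def check_pkg_info(output, pkg_name="pfSense-pkg-acme", fixed=FIXED_ACME):
    """Return a dict describing whether pkg_name is installed and below `fixed`."""
    for line in output.splitlines():
        m = PKG_LINE_RE.match(line.strip())
        if not m or m["name"] != pkg_name:
            continue
        return {
            "package": pkg_name,
            "version": m["version"],
            "vulnerable": parse_version(m["version"]) < fixed,
        }
    # Package not present: nothing to patch, report as not vulnerable
    return {"package": pkg_name, "version": None, "vulnerable": False}


if __name__ == "__main__":
    # In practice: check_pkg_info(subprocess.run(["pkg", "info"], capture_output=True, text=True).stdout)
    print(check_pkg_info(SAMPLE_PKG_INFO))
```

The `pkg_name` default is an assumption; confirm the actual package name with `pkg info | grep acme` on the host before relying on it.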
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to acme_certificates.php with script tags or JavaScript in parameters
- Unexpected administrative actions from non-standard IPs
Network Indicators:
- HTTP requests containing malicious payloads to the ACME interface
- Outbound connections from pfSense to suspicious domains
SIEM Query:
source="pfSense" AND (uri="*acme_certificates.php*" AND (param="*<script>*" OR param="*javascript:*"))
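The SIEM query above matches the literal strings `<script>` and `javascript:`, but form submissions arrive percent-encoded (`%3Cscript%3E`), so a wildcard match on the raw request line or body misses the common case. The following added example, not pfSense or vendor code, decodes the query string and POST body before matching; the access-log format and the sample lines are constructed, the parameter name `rootfolder` is an assumption, and the third pattern (inline event handlers) extends the page's two indicators.

```python
"""Decode-then-match detection for XSS attempts against acme_certificates.php.
Added illustration for CVE-2020-21487; not pfSense code. Log format, sample
lines and the 'rootfolder' parameter name are constructed/assumed."""
import re
from urllib.parse import parse_qs, unquote_plus

# Assumed log format: <client_ip> "<METHOD> <target> <proto>" <status> "<post body or empty>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) "(?P<body>.*)"$'
)

XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),      # advisory indicator: script tags
    re.compile(r"javascript\s*:", re.I),  # advisory indicator: javascript: URLs
    re.compile(r"\bon[a-z]+\s*=", re.I),  # extension: inline event handlers (onerror=, onload=)
]

# Constructed sample lines (not real captures)
SAMPLE_LOGS = [
    '10.0.0.5 "GET /acme/acme_certificates.php HTTP/1.1" 200 ""',
    '10.0.0.5 "POST /acme/acme_certificates.php HTTP/1.1" 302 "name=web&rootfolder=%2Fusr%2Flocal%2Fwww%2F.well-known"',
    '203.0.113.9 "POST /acme/acme_certificates.php HTTP/1.1" 302 "name=web&rootfolder=%3Cscript%3Ealert(1)%3C%2Fscript%3E"',
    '203.0.113.9 "POST /acme/acme_certificates.php HTTP/1.1" 302 "name=x&rootfolder=javascript%3Aalert(1)"',
    '10.0.0.7 "GET /acme/acme_certificates.php?id=1 HTTP/1.1" 200 ""',
]


def decode_params(encoded):
    """Parse a query string or form body; parse_qs percent-decodes once,
    unquote_plus a second time catches double-encoded payloads."""
    return {k: [unquote_plus(v) for v in vals]
            for k, vals in parse_qs(encoded, keep_blank_values=True).items()}


def detect(line):
    """Return an alert dict for a request to acme_certificates.php whose
    decoded parameters contain an XSS indicator, else None."""
    m = LINE_RE.match(line)
    if not m or "acme_certificates.php" not in m["target"]:
        return None
    path, _, query = m["target"].partition("?")
    params = decode_params(query)
    if m["method"] == "POST":
        for k, v in decode_params(m["body"]).items():
            params.setdefault(k, []).extend(v)
    hits = []
    for key, values in params.items():
        for value in values:
            for pat in XSS_PATTERNS:
                if pat.search(value):
                    hits.append((key, pat.pattern))
                    break
    if not hits:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": path, "params": hits}


def scan(lines):
    """Run detect() over an iterable of log lines and collect alerts."""
    return [a for a in (detect(l) for l in lines) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
```

Feed the real access log of the pfSense web GUI through `scan()` after confirming its line format; if the format differs, only `LINE_RE` needs adjusting. Alerts on the `rootfolder` parameter from an address outside the management network line up with the "unexpected administrative actions from non-standard IPs" indicator listed above.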