CVE-2022-24299

CVSS score: 8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers with OpenVPN configuration privileges to execute arbitrary commands on pfSense firewalls due to improper input validation. It affects pfSense CE versions before 2.6.0 and pfSense Plus versions before 22.01. Attackers can gain full system control if they have access to the web interface with appropriate permissions.

💻 Affected Systems

Products:
  • pfSense CE
  • pfSense Plus
Versions: pfSense CE < 2.6.0, pfSense Plus < 22.01
Operating Systems: FreeBSD-based
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have privileges to modify OpenVPN client or server settings via web interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise, allowing an attacker to install persistent backdoors, pivot to internal networks, steal credentials, and disrupt network operations.

🟠 Likely Case

Privilege escalation leading to unauthorized access to the firewall configuration, network traffic interception, and lateral movement to connected systems.

🟢 If Mitigated

Exposure is limited to authorized users who already hold OpenVPN configuration access, with network segmentation preventing lateral movement.

🌐 Internet-Facing: HIGH if web interface is exposed to internet and attackers have or can obtain valid credentials.
🏢 Internal Only: HIGH for any internal attacker with OpenVPN configuration privileges or ability to compromise such accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the web interface with OpenVPN configuration privileges. Public exploit details are available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: pfSense CE 2.6.0+, pfSense Plus 22.01+

Vendor Advisory: https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc

Restart Required: No

Instructions:

1. Back up the current configuration.
2. Update via System > Update in the web interface.
3. Apply the update and confirm successful installation.
4. Verify that the version shows 2.6.0+ (CE) or 22.01+ (Plus).

🔧 Temporary Workarounds

Restrict OpenVPN Configuration Access

Applies to: all

Limit which users have privileges to modify OpenVPN settings.

Navigate to System > User Manager > Edit User > Privileges tab and remove the 'OpenVPN - Clients' and 'OpenVPN - Servers' privileges.

Network Segmentation

Applies to: all

Restrict access to the pfSense web interface to trusted networks only.

Configure firewall rules to limit web interface access to specific IP ranges.

🧯 If You Can't Patch

  • Implement strict access controls limiting who can modify OpenVPN settings
  • Monitor for suspicious OpenVPN configuration changes and command execution attempts

🔍 How to Verify

Check if Vulnerable:

Check the pfSense version via the web interface Dashboard or the CLI: pfSense version

Check Version:

pfSense version

Verify Fix Applied:

Confirm the version is pfSense CE 2.6.0+ or pfSense Plus 22.01+.
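The version check above as a script, added here as an example and not part of the advisory: it parses a pfSense version string (as shown on the Dashboard, e.g. "2.5.2-RELEASE" or "22.01-RELEASE") and compares it against the fixed releases named on this page. The edition must be supplied explicitly; the function and field names are the example's own.

```python
import re

# Fixed releases from the advisory: pfSense CE 2.6.0 and pfSense Plus 22.01.
# Versions are compared as (major, minor, patch) tuples.
FIXED_VERSIONS = {"CE": (2, 6, 0), "Plus": (22, 1, 0)}


def parse_version(text):
    """Turn a pfSense version string into a comparable tuple.

    Accepts strings such as '2.5.2-RELEASE', '2.6.0' or '22.01-RELEASE';
    the release suffix is ignored and a missing patch level counts as 0.
    """
    match = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised pfSense version string: {text!r}")
    major, minor, patch = match.groups()
    return (int(major), int(minor), int(patch or 0))


def is_vulnerable(edition, version_text):
    """Return True if this edition/version is affected by CVE-2022-24299.

    edition: 'CE' or 'Plus' (the two product lines the advisory covers).
    """
    if edition not in FIXED_VERSIONS:
        raise ValueError(f"unknown pfSense edition: {edition!r}")
    return parse_version(version_text) < FIXED_VERSIONS[edition]


if __name__ == "__main__":
    # Constructed sample inputs, one affected and one fixed per edition.
    for edition, version in [("CE", "2.5.2-RELEASE"), ("CE", "2.6.0-RELEASE"),
                             ("Plus", "21.05.2-RELEASE"), ("Plus", "22.01-RELEASE")]:
        status = "VULNERABLE" if is_vulnerable(edition, version) else "fixed"
        print(f"pfSense {edition} {version}: {status}")
```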

📡 Detection & Monitoring

Log Indicators:

  • Unexpected OpenVPN configuration changes
  • Suspicious command execution in system logs
  • Unauthorized user accessing OpenVPN settings

Network Indicators:

  • Unusual outbound connections from pfSense device
  • Traffic patterns inconsistent with normal OpenVPN usage

SIEM Query:

source="pfSense" AND ((event_type="config_change" AND component="openvpn") OR (event_type="process_execution" AND parent_process="webgui"))

🔗 References