CVE-2023-27152

9.8 CRITICAL

📋 TL;DR

CVE-2023-27152 is an authentication bypass vulnerability in DECISO OPNsense firewall software that allows attackers to perform unlimited brute-force login attempts. This affects OPNsense 23.1 installations, potentially allowing unauthorized access to firewall administration interfaces. Organizations using vulnerable OPNsense versions are at risk.

💻 Affected Systems

Products:
  • DECISO OPNsense
Versions: 23.1
Operating Systems: OPNsense (FreeBSD-based)
Default Config Vulnerable: ⚠️ Yes
Notes: All OPNsense 23.1 installations are vulnerable by default. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of firewall administration leading to network takeover, credential theft, and lateral movement into protected networks.

🟠 Likely Case: Unauthorized administrative access to the firewall allowing rule modification, traffic interception, and network disruption.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, but still presents an authentication bypass risk.

🌐 Internet-Facing: HIGH - Firewalls are typically internet-facing, making brute-force attacks easily accessible to remote attackers.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit, but requires network access and may be detected more easily.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple brute-force tools can exploit this vulnerability. No authentication required to attempt login.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OPNsense 23.1.1 and later

Vendor Advisory: https://forum.opnsense.org/index.php?topic=33415.0

Restart Required: No

Instructions:

1. Log into the OPNsense web interface.
2. Navigate to System > Firmware > Updates.
3. Click 'Check for updates'.
4. Install available updates.
5. Reboot if prompted.

🔧 Temporary Workarounds

1. Implement IP-based rate limiting (platform: all)
   Configure firewall rules to limit authentication attempts per IP address.
   Configure via the OPNsense GUI: Firewall > Rules > WAN, add a rule limiting connections to port 443/tcp.

2. Enable fail2ban or similar protection (platform: linux)
   Install and configure fail2ban to block IPs after failed login attempts:

     pkg install py39-fail2ban

   Then configure /usr/local/etc/fail2ban/jail.local for the OPNsense web interface.

🧯 If You Can't Patch

  • Implement network-level protection with WAF or reverse proxy that provides rate limiting
  • Restrict administrative interface access to specific IP ranges only

🔍 How to Verify

Check if Vulnerable:

Check OPNsense version via web interface dashboard or CLI: opnsense-version

Check Version:

opnsense-version

Verify Fix Applied:

Verify the version is 23.1.1 or later. A plain grep for '23.1.1' misses every later release (and also matches 23.1.10), so compare the version number instead; this assumes opnsense-version prints the version as its second field, e.g. "OPNsense 23.1.1 (amd64/OpenSSL)":

v=$(opnsense-version | awk '{print $2}')   # second field is the version, e.g. 23.1.1
[ "$(printf '%s\n23.1.1\n' "$v" | sort -V | head -n 1)" = "23.1.1" ] && echo 'Patched'

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from single IP in /var/log/system.log
  • Rapid succession of authentication failures

Network Indicators:

  • High volume of HTTPS requests to administrative port (default 443) from single source
  • Unusual login patterns outside business hours

SIEM Query:

source="OPNsense" "login failure" | stats count by src_ip | where count > 10
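The log indicators and the SIEM rule above, implemented as a burst-aware check over constructed system.log lines, added here as an example that is not from the original page or from the OPNsense project. The exact log message text, the hostname and the year (syslog lines carry none) are assumptions; adjust LOGIN_FAILURE_RE to what your release actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of /var/log/system.log lines, not real OPNsense output.
# The message text is an assumed shape: adjust LOGIN_FAILURE_RE to the exact
# string your release writes before running this against live logs.
def _line(hh, mm, ss, ip, user="root"):
    return f"Mar 14 {hh:02d}:{mm:02d}:{ss:02d} opnsense audit: login failure for user '{user}' from {ip}"

SAMPLE_LOG = "\n".join(
    # 12 failures from one source inside one minute: a burst, should be flagged
    [_line(2, 10, s, "203.0.113.7") for s in range(0, 36, 3)]
    # 12 failures spread across an hour: same raw count, but not a burst
    + [_line(3, m, 0, "198.51.100.20") for m in range(0, 60, 5)]
    + ["Mar 14 03:30:00 opnsense audit: login success for user 'admin' from 192.0.2.10"]
)

LOGIN_FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ .*login failure .*?from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_failures(log_text, year=2023):
    """Return (timestamp, source_ip) for each failed-login line; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = LOGIN_FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events

def brute_force_sources(events, threshold=10, window_minutes=5):
    """Source IP -> peak failures within any window; only sources above threshold (the '> 10' rule)."""
    window = timedelta(minutes=window_minutes)
    by_ip = defaultdict(list)
    for ts, ip in sorted(events):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop failures that fell out of the window
                start += 1
            hits = end - start + 1
            if hits > threshold:
                flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged
```

Run `brute_force_sources(parse_failures(SAMPLE_LOG))` to see only 203.0.113.7 flagged; the raw per-IP count from the SIEM query would flag both sources, so the time window is what separates a brute-force burst from ordinary mistyped passwords.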
