CVE-2023-29975

7.2 HIGH

📋 TL;DR

This vulnerability in pfSense CE 2.6.0 allows attackers to change any user's password without authentication or verification. This affects all pfSense CE 2.6.0 installations, potentially compromising administrative access to network security appliances.

💻 Affected Systems

Products:
  • pfSense CE
Versions: 2.6.0
Operating Systems: FreeBSD-based
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Community Edition (CE), not pfSense Plus. Requires web interface access.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover, where attackers reset administrator passwords, gain full control of the firewall, and pivot to internal networks.

🟠 Likely Case: Unauthorized password changes leading to privilege escalation, service disruption, or credential theft for targeted users.

🟢 If Mitigated: Limited impact with strong network segmentation, but still an authentication bypass risk.

🌐 Internet-Facing: HIGH - pfSense firewalls are typically internet-facing, making them prime targets for this authentication bypass.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this, but external exposure is more concerning.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit requires access to the web interface but no authentication; it is simple HTTP request manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.0 or later

Vendor Advisory: https://docs.netgate.com/pfsense/en/latest/releases/2-7-0.html

Restart Required: No

Instructions:

1. Back up the configuration.
2. Update via System > Update > Update.
3. Apply the update.
4. Verify that the version shows 2.7.0 or later.

🔧 Temporary Workarounds

Restrict Web Interface Access (applies to: all)

Limit access to the pfSense web interface to trusted IP addresses only.

Navigate to System > Advanced > Admin Access > Restrict Administration Panel to specific IPs

Enable Two-Factor Authentication (applies to: all)

Require 2FA for all administrative accounts to add extra protection.

Navigate to System > User Manager > Edit User > Two Factor Authentication tab

🧯 If You Can't Patch

  • Implement strict network ACLs to limit web interface access to management networks only
  • Monitor authentication logs for unexpected password change attempts

🔍 How to Verify

Check if Vulnerable:

Check the pfSense version via the web interface Dashboard or from the CLI:

cat /etc/version

Verify Fix Applied:

Confirm the version is 2.7.0 or later via the Dashboard or CLI.
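The version check above, as an added example that is not part of the original advisory: a POSIX shell function that classifies the contents of /etc/version (assumed to look like "2.6.0-RELEASE") against the affected and fixed releases listed on this page, comparing numerically so that a future 2.10.x is not mistaken for an older release.

```shell
# Added example (not vendor code): classify a pfSense version string against
# CVE-2023-29975. Prints "vulnerable" for the affected 2.6.0 release,
# "patched" for 2.7.0 or later, and "unknown" for anything else (consult the
# vendor advisory for versions this page does not list).
pfsense_cve_2023_29975_status() {
    ver="$1"
    # Drop a "-RELEASE"/"-RC" style suffix and anything after whitespace.
    base="${ver%%-*}"
    base="${base%%[[:space:]]*}"
    major="${base%%.*}"
    rest="${base#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    # A two-part version such as "2.6" has no patch field; treat it as 0.
    [ "$patch" = "$rest" ] && patch=0
    # Every component must be a non-empty run of digits, otherwise bail out.
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) echo "unknown"; return 0 ;; esac
    done
    if [ "$major" -eq 2 ] && [ "$minor" -eq 6 ] && [ "$patch" -eq 0 ]; then
        echo "vulnerable"
    elif [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 7 ]; }; then
        # Numeric comparison, so 2.10.0 correctly sorts after 2.7.0.
        echo "patched"
    else
        echo "unknown"
    fi
}

# Stand-alone use: read the live file when present, otherwise a constructed sample.
if [ -r /etc/version ]; then
    pfsense_cve_2023_29975_status "$(cat /etc/version)"
else
    pfsense_cve_2023_29975_status "2.6.0-RELEASE"   # constructed sample, prints "vulnerable"
fi
```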

📡 Detection & Monitoring

Log Indicators:

  • Unexpected password change events in /var/log/system.log
  • Multiple failed login attempts followed by password reset

Network Indicators:

  • HTTP POST requests to password change endpoints from untrusted sources

SIEM Query:

source="pfSense" AND (event_type="password_change" OR uri_path="/index.php?*changepassword*")
