CVE-2023-38997

7.2 HIGH

📋 TL;DR

A directory traversal vulnerability in OPNsense's Captive Portal templates lets an attacker who can upload a crafted ZIP archive execute arbitrary system commands as root. It affects OPNsense Community Edition before version 23.7 and Business Edition before version 23.4.2, and yields remote code execution with root privileges on vulnerable systems.
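
The defensive pattern behind fixes for this vulnerability class is to resolve every archive entry name against the destination directory before writing anything and to reject any entry that would land outside it. The following is an added example written for this page, not OPNsense's own code; the destination directory, the archive contents and the entry names are constructed to show a benign template alongside rejected traversal and absolute-path entries.

```python
import io
import os
import tempfile
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True if a ZIP entry named member_name would be written strictly inside dest_dir.

    Rejects empty names, absolute paths, Windows drive prefixes and any name whose
    resolved location escapes dest_dir (the "../" sequence behind directory traversal).
    """
    dest_root = os.path.realpath(dest_dir)
    name = member_name.replace("\\", "/")  # treat backslashes as separators too
    if not name or name.startswith("/") or ":" in name.split("/")[0]:
        return False
    target = os.path.realpath(os.path.join(dest_root, *name.split("/")))
    return target == dest_root or target.startswith(dest_root + os.sep)


def safe_extract(zip_bytes: bytes, dest_dir: str):
    """Extract only entries that pass is_safe_member; return (written, rejected) names."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                rejected.append(info.filename)
                continue
            parts = info.filename.replace("\\", "/").split("/")
            target = os.path.realpath(os.path.join(dest_dir, *parts))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                # write manually so the check above is the only path to disk
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real exploit file): two legitimate
    template files, one traversal entry and one absolute-path entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<html>captive portal template</html>")
        zf.writestr("css/style.css", "body {}")
        zf.writestr("../../outside.txt", "must never be written")
        zf.writestr("/abs/path.txt", "absolute names are rejected too")
    return buf.getvalue()


def demo():
    """Extract the sample archive into a temp dir; return what was written,
    what was rejected, and the files actually present under the destination."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "templates")  # hypothetical template directory
        os.makedirs(dest)
        written, rejected = safe_extract(build_sample_archive(), dest)
        present = []
        for root, _dirs, files in os.walk(dest):
            for f in files:
                rel = os.path.relpath(os.path.join(root, f), dest)
                present.append(rel.replace(os.sep, "/"))
        return written, rejected, sorted(present)


if __name__ == "__main__":
    print(demo())
```

Note that `is_safe_member` compares resolved real paths rather than looking for the literal string `..`, so entries such as `a/../b.txt` (which stays inside the destination) are accepted while `a/../../b.txt` is not; checking only for the substring would both miss some escapes and reject some harmless names.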

💻 Affected Systems

Products:
  • OPNsense Community Edition
  • OPNsense Business Edition
Versions: Community Edition < 23.7, Business Edition < 23.4.2
Operating Systems: OPNsense (FreeBSD-based)
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Captive Portal feature to be enabled and accessible to attackers.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with root-level access, allowing attackers to install persistent backdoors, exfiltrate sensitive data, pivot to internal networks, or disrupt network operations.

🟠 Likely Case

Remote code execution leading to network compromise, credential theft, and potential lateral movement within the network infrastructure.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts from reaching vulnerable systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to upload functionality in Captive Portal templates. Technical details and proof-of-concept are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Community Edition 23.7+, Business Edition 23.4.2+

Vendor Advisory: https://github.com/opnsense/core/commit/448762d440b51574f1906c0ec2f5ea6dc4f16eb2

Restart Required: No

Instructions:

1. Update OPNsense via System → Firmware → Updates.
2. Click 'Check for updates'.
3. Install available updates.
4. Reboot if prompted.

🔧 Temporary Workarounds

Disable Captive Portal

Applies to: all

Temporarily disable the Captive Portal feature if not required.

Restrict Access

Applies to: all

Implement network access controls to limit who can access the Captive Portal interface.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate OPNsense management interfaces from untrusted networks.
  • Deploy web application firewall (WAF) rules to detect and block directory traversal attempts in file uploads.

🔍 How to Verify

Check if Vulnerable:

Check OPNsense version via web interface (System → Firmware → Status) or CLI: 'opnsense-version'.

Check Version:

opnsense-version

Verify Fix Applied:

Confirm version is Community Edition 23.7+ or Business Edition 23.4.2+. Verify patch commit 448762d is applied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to Captive Portal templates directory
  • Suspicious command execution patterns in system logs
  • Failed directory traversal attempts in web server logs

Network Indicators:

  • Unexpected outbound connections from OPNsense appliance
  • Anomalous traffic patterns to/from Captive Portal interface

SIEM Query:

source="opnsense" AND (event="file_upload" OR event="command_execution") AND (path="*../*" OR user="root")
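
The log indicators and SIEM query above reduce to one check: does a request path contain a traversal sequence once percent-encoding is undone? The following is an added example written for this page, not part of the original or of OPNsense; the combined-format log layout is an assumption (adapt `LOG_RE` to the appliance's real access-log format) and the sample lines are constructed, with `/portal/...` paths standing in for the real Captive Portal URLs.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined-log style line: client, timestamp, request line, status code.
# The format is an assumption for this example, not OPNsense's actual log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# "../" or "..\" anywhere in the decoded path, or a trailing "/.."
TRAVERSAL_RE = re.compile(r"\.\.[\\/]|[\\/]\.\.$")


def normalise_path(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so %2e%2e%2f and double-encoded
    %252e%252e%252f both collapse to the literal sequence before matching."""
    current = path
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True if the decoded request path contains a traversal sequence."""
    return TRAVERSAL_RE.search(normalise_path(path)) is not None


def scan_log(lines):
    """Return (hits, per_ip): hits are (ip, status, decoded_path) tuples for
    requests carrying a traversal sequence; per_ip counts hits per client so
    repeated probing from one address stands out."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than stop the pipeline
        if has_traversal(m["path"]):
            hits.append((m["ip"], int(m["status"]), normalise_path(m["path"])))
    return hits, Counter(ip for ip, _, _ in hits)


# Constructed sample lines (not real OPNsense logs): one benign request, two
# encoded attempts from the same client, one backslash variant in a query string.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2023:12:00:01 +0000] "GET /portal/index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Aug/2023:12:00:05 +0000] "GET /portal/..%2F..%2Fx HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Aug/2023:12:00:07 +0000] "GET /portal/%252e%252e%252fx HTTP/1.1" 404 0',
    '198.51.100.2 - - [10/Aug/2023:12:00:09 +0000] "POST /portal/upload?name=..%5C..%5Cx HTTP/1.1" 403 12',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits, per_ip = scan_log(SAMPLE_LOG)
    for ip, status, path in hits:
        print(f"{ip} {status} {path}")
    print(dict(per_ip))
```

The bounded decode loop matters: a single `unquote` misses double-encoded sequences, while an unbounded loop can be kept busy by pathological input. Matching the decoded form also lets one rule cover the `../`, `..\`, `%2e%2e%2f` and `%252e...` spellings that a literal `*../*` filter treats separately.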
