Login Sign Up

CVE-2023-39004

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to access sensitive configuration files in OPNsense firewalls due to insecure directory permissions. Attackers can read hashed root passwords and other sensitive data, potentially leading to privilege escalation. Affects OPNsense Community Edition before version 23.7 and Business Edition before version 23.4.2.

💻 Affected Systems

Products:
  • OPNsense Community Edition
  • OPNsense Business Edition
Versions: Community Edition < 23.7, Business Edition < 23.4.2
Operating Systems: OPNsense (FreeBSD-based)
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations with affected versions are vulnerable. The /conf/ directory contains sensitive configuration files.

📦 What is this software?

Opnsense by Opnsense

View all CVEs affecting Opnsense →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain root access to the firewall, allowing complete system compromise, network traffic interception, and lateral movement into protected networks.

🟠

Likely Case

Attackers extract hashed credentials and configuration data, enabling privilege escalation and persistent access to the firewall management interface.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to the firewall device itself without network-wide compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires some level of access to the system. Public technical details exist in the referenced blog posts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Community Edition 23.7+, Business Edition 23.4.2+

Vendor Advisory: http://opnsense.com

Restart Required: No

Instructions:

1. Log into OPNsense web interface. 2. Navigate to System > Firmware > Updates. 3. Click 'Check for updates'. 4. Install available updates. 5. Reboot if prompted.

🔧 Temporary Workarounds

Restrict /conf/ directory permissions

linux

Manually change permissions on the /conf/ directory to prevent unauthorized access

chmod 700 /conf/
chown root:wheel /conf/

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the OPNsense management interface
  • Monitor for unauthorized access attempts to the /conf/ directory and review authentication logs regularly

🔍 How to Verify

Check if Vulnerable:

Check OPNsense version via web interface (System > Firmware > Status) or run 'opnsense-version' in shell. Also check /conf/ directory permissions with 'ls -la /conf/'

Check Version:

opnsense-version

Verify Fix Applied:

Verify version is patched (Community Edition >= 23.7, Business Edition >= 23.4.2) and confirm /conf/ directory permissions are restricted (should show drwx------)

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /conf/ directory
  • Failed authentication attempts followed by configuration file access

Network Indicators:

  • Unusual traffic patterns to firewall management interface
  • Multiple failed login attempts

SIEM Query:

source="opnsense" AND (event="authentication failure" OR path="/conf/*")

📊 Metadata

CVE ID: CVE-2023-39004
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-732
Published: August 9, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-39004, you might also want to check these:

CVE-2021-33509 9.9

This vulnerability allows remote authenticated managers in Plone to perform arbitrary disk I/O opera...

Same vulnerability type (CWE-732)
CVE-2024-5618 9.9

This vulnerability allows attackers to access functionality they shouldn't have permission to use in...

Same vulnerability type (CWE-732)
CVE-2023-40622 9.9

This vulnerability in SAP BusinessObjects Business Intelligence Platform allows authenticated attack...

Same vulnerability type (CWE-732)