Unverified Password Changed
Vendor of the product(s): Rubicon Communications, LLC (Netgate).
Vendor Mail –ID: [email protected]
Version – exact ver of the product which is vulnerable: Pfsense firewall version 2.6.0 CE
Affected component(s) :Password change functionalities
Suggested description of the vulnerability for use in the CVE :Unverified Password change in Pfsense CE
Discoverer(s)/Credits – :Dipendar Sharma
All Pfsense CE, are vulnerable to unverified password change, due to lack of MFA. This allows to attacker change the password of user without MFA
Vulnerability covered under CWE-620 — Unverified Password Change.
When setting a new password for a user, the product does not require knowledge of the original password, or using another form of authentication. This could be used by an attacker to change passwords for another user, thus gaining the privileges associated with that user.
Login to the application as admin:pfsense via visiting http://10.118.20.200/system_usermanager.php?act=edit&userid=2
Click on system>user manager>users and attacker can change any user password without MFA or old password.
Pfsense CE all version
It’s vitally important to consider every action in an application not only from the user experience perspective, but the attacker’s as well. Critical access points in applications should always be protected by at least a second factor of authentication. In this case, the application should require the current password at a minimum. Ideally the application could require MFA authentication to the application, as well as an MFA token to modify those critical points.