Tom here from Lawrence Systems. Some security researchers found an interesting attack vector. It is now labeled CVE-2022-31814, and it was found in versions of pfBlockerNG 2.1.4_26 and earlier. The pfBlockerNG 3 series is not affected by this, and there's already a patch for it, so as long as you're up to date, if you have any running the old version of pfBlockerNG, you're good.

Now, the first thing I want to start with is the conditions that you have to have met in order for this attack to work. First, the old version of pfBlockerNG installed. Second, the DNS block list enabled, so this has to be turned on. Then, from there, the DNS block page has to be accessible from someone on the network. This is not an external attack; someone has to be on the network. Now, you can have your pfSense web interface locked down, as you should, so make sure guest networks and only a limited number of computers are able to get to it, locked down to management. But this is something that normally is not locked down, because you'd like to be able to know that this website was blocked by your network administrator. And that's where someone, someone being these security researchers, decided to poke at it a little bit and try to determine where the problem might be with this, and it turned out there's an input sanitization problem. You're probably thinking, there's no input on this page. Oh, but there is, and that's what they had really focused on when going through the code, as they undertook an independent security assessment of pfSense and the pfBlockerNG plug-in, the 2 series, and identified the unauthenticated remote code execution as root. The reason it runs as root is because once any of these plugins are running, they have to run at a high level of privilege. So if you exploit one of these plugins and can get the same privilege level as them, you now will have root on that system. Now, the reason there's input, even though you don't see an input box, is essentially because they're able to pass extra data around there. So it queries the alias for the domain list, and it looks through the characters that are going across there, because it actually goes through and tries to figure out what web page is blocked. So it doesn't normally just say "this web page is blocked" and give me the 10 address; it gives me the site that was blocked. Well, with some input sanitization problems, you have the potential to, and this is what they discovered here, basically put in the $_SERVER['HTTP_HOST'] element. Passed to the above code, it is a user-controlled input, because you just pass the parameter straight to the PHP. So, by doing that, in dealing with restricted characters, there's at least some input sanitization, but they found flaws around it. Basically, they go through step by step and develop a payload and a simple proof of concept to inject this information in there. Eventually, they have all their proof of concept code, and as I said, this will be linked down below. There's a full working exploit code where you can test this out, and it actually gets the ability to write files and then, well, do what you want to a pfSense system. Now, they do have a disclosure timeline of notifying security at Netgate, and BBcan177 is actually the person that had to fix this, because they're the maintainer of the package. pfBlockerNG is not maintained by Netgate, the people who do maintain pfSense; BBcan177 specifically is for maintaining the pfBlockerNG plug-in.

So nonetheless, the patches have been released and things are fixed now. I thought the response to this was adequate: the flaw was found, reported, and Netgate, being the maintainers of pfSense, said, well, it's the plug-in, so BBcan177 was the one who fixed it, not Netgate directly. But this is always a concern when you have plugins: you are adding complexity and adding more threat surface. This is one of the reasons why, whenever people ask me about sideloading some project onto a pfSense, do so with that in mind, that you are increasing the complexity and therefore the potential for more problems on there. And hopefully, if you sideload something onto your pfSense, you are properly vetting and maintaining it and testing its security to make sure it did not compromise the security of the base operating system, which essentially was unaffected, but would have been affected with this particular plug-in, because the exploit could run wild in pfSense at the same permission level.

Now, input sanitization is not a new problem. It is still a growing and big problem, and I like to see more of these security researchers poking at the edges, because, well, there's always more to be found. Look how long it took us to find the input validation problem that was with Log4j, probably the largest widespread cybersecurity incident we've had in recent times. Hopefully we don't have another one, but there could be another Log4j out there where someone didn't validate input. So thank you to the security research team that was doing this. Also, as a reminder, please lock down your admin interfaces. I have videos on that topic down below for pfSense on how to set up the rules, how to lock down admin interfaces, and that does include things such as ntopng, which I have done a video on, and that has its own admin interface. So always think about, when you add anything on, even if it is an official package, those extra interfaces; if there are any potential flaws or problems with them, you want to make sure your guest network doesn't have access to it. So nonetheless, get patching. This is a great response, a great read. I'll go ahead and link the whole write-up right there, and if you want to play around with it or look around, this is a good thing to do. This is why we have so many people out there testing. It's way better to have security researchers testing this than it is to have threat actors testing it and then exploiting it.

Ultimately, leave your comments down below or head over to the forum for a more in-depth discussion, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
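As an added illustration (not pfBlockerNG's code and not the researchers' proof of concept): the bug class described above is a block page that takes the requested site name from $_SERVER['HTTP_HOST'], a header the client fully controls, and then tries to "filter out restricted characters" before using it in a privileged lookup. The hypothetical functions below show the defensive pattern instead: strict allowlist validation of the hostname up front, and an in-process lookup so no shell command is ever built from it. Function names and the sample feed data are assumptions made for this example; it needs PHP 8 or later.

```php
<?php
// Added example, not pfBlockerNG code: treat the Host header as untrusted input.
/**
 * Return a validated hostname from the request, or null if the header is
 * missing or does not look like a plain DNS name. Anything the block page
 * later does with the name (log lookups, alias queries) must start here.
 */
function blockedHostFromRequest(array $server): ?string
{
    if (!isset($server['HTTP_HOST']) || !is_string($server['HTTP_HOST'])) {
        return null;
    }
    // Strip an optional :port suffix, then lower-case; Host is case-insensitive.
    $host = strtolower(preg_replace('/:\d{1,5}$/', '', $server['HTTP_HOST']));

    // Allowlist, not denylist: labels of letters, digits and hyphens separated
    // by dots, at most 253 chars. Spaces, quotes, $(), backticks, pipes and
    // newlines can never pass this, so nothing downstream has to strip
    // "restricted characters" after the fact. The D modifier stops $ from
    // matching before a trailing newline.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (strlen($host) > 253 || !preg_match("/^{$label}(?:\\.{$label})*$/D", $host)) {
        return null;
    }
    return $host;
}

/**
 * Look the name up in an in-process array loaded from the DNSBL alias file
 * instead of shelling out with the hostname as an argument. If a shell call
 * is unavoidable, the only acceptable form is escapeshellarg($host) on a
 * value that has ALREADY passed blockedHostFromRequest().
 */
function lookupBlockedDomain(string $host, array $dnsblEntries): ?string
{
    // $dnsblEntries: blocked domain => feed name, loaded once per request.
    foreach ($dnsblEntries as $entry => $feed) {
        if ($host === $entry || str_ends_with($host, '.' . $entry)) {
            return $feed;
        }
    }
    return null;
}

// Constructed sample request and constructed feed data for demonstration.
$sample = ['HTTP_HOST' => 'ads.example.net:80'];
$feeds  = ['example.net' => 'constructed_feed'];
$host   = blockedHostFromRequest($sample);
$feed   = $host === null ? 'invalid host' : (lookupBlockedDomain($host, $feeds) ?? 'not listed');
echo "host={$host} feed={$feed}\n";
```

A Host value carrying anything outside the allowlist (a space, a quote, a newline, a shell metacharacter) is rejected before it reaches the lookup, which is the check the block page needs regardless of how the downstream code is written.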