CVE-2023-27253
-
Hi,
I got info about the above-mentioned CVE and took a shot and checked the provided links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27253
and
https://nvd.nist.gov/vuln/detail/CVE-2023-27253
That CVE makes my head spin and if I'm not mistaken is complete crap, as:
- pfSense 2.7 that is mentioned isn't even released yet as stable release version and under active development. A CVE about a Dev Snapshot? What?
- The CVE mentions the reference links to the redmine ticket and GitHub push. So far, so good.
- https://redmine.pfsense.org/issues/13935 acknowledges the problem for 23.01 and 2.7 and also mentions it's fixed. OK 2.7 isn't released but perhaps 23.01 is vulnerable still?
- I set up a quick 23.01 Plus box and entered the unified diff from that redmine ticket as a custom patch into the System Patches module. After checking, I only get REVERT but not Apply, as the patch is/seems already in the code.
So after that I'd say that 23.01 isn't vulnerable or wasn't released vulnerable to that "high security bug" as far as I could test. And 2.7 that is actually the base of this CVE isn't released.
So WTF is that nonsense? If I skipped or overlooked sth.: by all means, please tell me. But otherwise that smells a bit like fortune hunting a CVE (a practice quite a few infosec folks have noticed over the last months, where CVEs for small or nonsensical things were opened to have the "fame" to claim a CVE under your name). Don't want to assume that in this case, but after connecting the dots, it seems a bit like that.
Edit: Also an 8.8 severity for an attack in a "key to the castle" setup? The title reads "authenticated attacker". So if your attacker has access to the firewall. OK, that may be some users that should only check graphs etc., but nevertheless, it's no remote random/any user exploit; the user needs access beforehand. So yeah... don't see the severity in that with such a high score.
Cheers
\jens
-
@jegr I think this says it all, from the redmine:
"This is not a security concern as anyone with access to restore a backup can already do anything and everything they want to the firewall."
-
@johnpoz said in CVE-2023-27253:
@jegr I think this says it all, from the redmine:
"This is not a security concern as anyone with access to restore a backup can already do anything and everything they want to the firewall."
Yeah, besides not getting HOW such CVEs got acknowledged and not refused (mentioning a version number that doesn't currently exist?), which is baffling me, the thing also falls under "KttC" (key to the castle), so I don't get how that would amount to an 8.8 severity either. That is some borked nonsense.
Also sent a mail to mitre.org with correct/reject action suggestion as per the reasons pointed out above. A CVE for a non-existing version is BS/FUD at best.
-
researcher: you have security issue
admin: how so
researcher: when I log in with root and the root password
admin: yes?
researcher: I can run any code I want.
admin: you don't say <rolleyes>