Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-17_06.webgui: Brute force login protection weakness in the WebGUI


Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 07/19/2016
Created: 07/25/2018
Added: 08/25/2017
Modified: 08/25/2017

Description

Clients that repeatedly fail to authenticate to the pfSense WebGUI are added to a lockout table, which blocks new connections from their address. Existing connections are not dropped, however, so a browser or malicious client that keeps an already-established connection open (for example an HTTP keep-alive session) and continues to send requests over it is not stopped. Because the lockout is enforced only at connection setup, such a client can submit login attempts well beyond the intended cut-off. If firewall accounts have weak passwords, an attacker could potentially gain access. SSH logins are not affected in the same way: the SSH daemon itself terminates the connection after repeated failures, and the lockout table then prevents the client from reconnecting to send further attempts.
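The following is an added model of the weakness described above, not code from pfSense or from Rapid7. It simulates a lockout table that is consulted only when a new connection is opened, and shows that a client holding one persistent connection is processed past the threshold, while a client that reconnects for every attempt is cut off. The hardened variant re-checks the table on every login request and closes the connection; this is one illustrative mitigation, not a description of the vendor's actual fix. The threshold, the address, the credential store and the wordlist are constructed for the example.

```python
# Added example: model of a lockout enforced only at connection setup.
# Threshold, credentials, wordlist and IP are assumptions for illustration.

MAX_FAILURES = 5                 # assumed lockout threshold
VALID = {"admin": "S3cret!"}     # constructed sample credential store
WORDLIST = [                     # constructed candidate passwords
    "password", "123456", "pfsense", "admin", "letmein", "qwerty", "welcome",
    "monkey", "dragon", "football", "iloveyou", "S3cret!", "shadow", "sunshine",
]


class Lockout:
    """Per-source failure counter plus the set of locked-out addresses."""

    def __init__(self):
        self.failures = {}
        self.blocked = set()

    def record_failure(self, ip):
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_FAILURES:
            self.blocked.add(ip)


class Connection:
    """An established TCP connection, e.g. an HTTP keep-alive session."""

    def __init__(self, ip):
        self.ip = ip
        self.alive = True


class WebGUI:
    """check_per_request=False reproduces the weakness; True is the hardened variant."""

    def __init__(self, check_per_request):
        self.lockout = Lockout()
        self.check_per_request = check_per_request
        self.attempts_processed = 0

    def connect(self, ip):
        """The table only gates new connections: blocked addresses are refused here."""
        if ip in self.lockout.blocked:
            return None
        return Connection(ip)

    def login(self, conn, user, password):
        if not conn.alive:
            return "closed"
        # Hardened path: consult the table on every request and drop the connection.
        if self.check_per_request and conn.ip in self.lockout.blocked:
            conn.alive = False
            return "locked"
        self.attempts_processed += 1
        if VALID.get(user) == password:
            return "ok"
        self.lockout.record_failure(conn.ip)
        return "fail"


def attack(gui, ip, candidates, keep_alive):
    """Try each candidate; return (attempts the server processed, password found or None)."""
    conn = None
    tried = 0
    for pw in candidates:
        if conn is None or not conn.alive or not keep_alive:
            conn = gui.connect(ip)
            if conn is None:        # new connection refused by the lockout table
                break
        result = gui.login(conn, "admin", pw)
        if result == "locked":
            break
        tried += 1
        if result == "ok":
            return tried, pw
    return tried, None


def run_scenarios(ip="198.51.100.7"):
    """Compare persistent vs. per-attempt connections against both server variants."""
    return {
        "vulnerable_keepalive": attack(WebGUI(False), ip, WORDLIST, keep_alive=True),
        "vulnerable_reconnect": attack(WebGUI(False), ip, WORDLIST, keep_alive=False),
        "hardened_keepalive": attack(WebGUI(True), ip, WORDLIST, keep_alive=True),
        "hardened_reconnect": attack(WebGUI(True), ip, WORDLIST, keep_alive=False),
    }


if __name__ == "__main__":
    for name, (tried, found) in run_scenarios().items():
        print(f"{name}: {tried} attempts processed, found={found}")
```

Only the vulnerable server with a persistent connection reaches the correct password; every other combination stops at the threshold. The same split is what a practitioner would measure against a real target: compare attempts accepted over one keep-alive session with attempts accepted when each request opens a fresh TCP connection.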

Solution(s)

  • pfsense-upgrade-latest
