A command-injection vulnerability exists in status_services.php. It allows authenticated WebGUI users who hold privileges for status_services.php to execute commands in the context of the root user. A logged-in user could also be deceived into loading a specially crafted URL, causing a command supplied by a remote attacker to be executed. A user granted limited access to the pfSense web GUI, including access to status_services.php via the "WebCfg - Firewall: Status: Services" permission, could leverage this vulnerability to gain increased privileges, read arbitrary files, execute commands, or make other alterations. Because the parameter in question is passed via GET, it can bypass other protections and be triggered through a malicious iframe or a similar cross-site attack. This attack vector is viable only if the administrator is logged into the firewall while loading the malicious page in the same browser, and the remote attacker can guess or otherwise obtain the local IP address or hostname of the firewall.