Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-14_08.webgui: Arbitrary Code Execution

Back to Search

pfSense: pfSense-SA-14_08.webgui: Arbitrary Code Execution

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
06/06/2014
Created
07/25/2018
Added
08/25/2017
Modified
03/27/2020

Description

A command-injection vulnerability exists in status_services.php. This allows authenticated WebGUI users with privileges for status_services.php to execute commands in the context of the root user. A logged-in user could also be deceived into loading a specially-crafted URL, permitting a command supplied by a remote attacker to be executed. A user granted limited access to the pfSense web GUI including access to status_services.php via the "WebCfg - Firewall: Status: Services" permission, could leverage this vulnerability to gain increased privileges, read arbitrary files, execute commands, or perform other alterations. Because the parameter in question is passed by GET, it can bypass other protections and be triggered via a malicious iframe or other, similarly styled attack. This attack vector is viable only if the administrator is logged into the firewall while loading the malicious page in the same browser and the remote attacker can guess, or otherwise obtain the local IP address or hostname of the firewall.

Solution(s)

  • pfsense-upgrade-latest

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;