pfSense: pfSense-SA-22_01.webgui: File overwrite vulnerability in the WebGUI
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:L/Au:S/C:C/I:C/A:C) | Jan 12, 2022 | Oct 18, 2022 | Feb 18, 2025 |
Description
An arbitrary file overwrite vulnerability was found in services_ntpd_gps.php,
a component of the pfSense CE and pfSense Plus software WebGUI, on pfSense CE
version 2.5.2, pfSense Plus version 21.05.2, and earlier versions of both.
The gpsport parameter was not validated properly when set in
services_ntpd_gps.php or during NTP setup in services.inc. A relative path in
the parameter could have been leveraged to overwrite an existing file on the
firewall with the contents of the gpsinitcmd configuration parameter.
To exploit this, all of the following must be true:
* The attacker must have authenticated access to the GUI
* The attacker must have sufficient privileges to access services_ntpd_gps.php
* The attacker must have sufficient privileges to alter the firewall configuration
* "Check baud rate before sending init commands" on services_ntpd_gps.php must be unchecked
An attacker meeting all of the necessary conditions to exploit the vulnerability
could overwrite an existing file on the firewall with arbitrary contents. This
method could be used for code execution, privilege escalation, information
disclosure, denial of service, or other negative outcomes.
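The root cause described above is a gpsport value that reached a file path without proper validation. The PHP sketch below is an added illustration, not pfSense source code and not the vendor's fix, showing one way to validate such a value before use. The function name `resolve_gps_port`, the `cua<letter><number>` device naming pattern and the temporary directory standing in for `/dev` are assumptions.

```php
<?php
// Added example: hypothetical helper, not pfSense source code.

function resolve_gps_port(string $gpsport, string $devDir = '/dev', bool $requireCharDev = true): ?string
{
    // Step 1: syntactic allowlist. Only a bare device name is accepted, so '/',
    // '..', NUL bytes and whitespace never reach the filesystem layer.
    // The cua<letter><number> shape is an assumption about serial port names.
    if (preg_match('/\Acua[A-Za-z][0-9]+\z/', $gpsport) !== 1) {
        return null;
    }

    // Step 2: canonicalize, then confirm the target sits directly in $devDir.
    // This also rejects names that do not exist and symlinks pointing elsewhere.
    $base = realpath($devDir);
    $real = realpath($devDir . '/' . $gpsport);
    if ($base === false || $real === false || dirname($real) !== $base) {
        return null;
    }

    // Step 3: only a character device is a plausible serial port.
    if ($requireCharDev && filetype($real) !== 'char') {
        return null;
    }
    return $real;
}

// Constructed demo: a temp directory stands in for /dev so this runs anywhere.
$dev = sys_get_temp_dir() . '/gpsport_demo_' . getmypid();
mkdir($dev);
touch($dev . '/cuau0');
symlink('/etc/hosts', $dev . '/cuau1');   // well-formed name, target outside $dev

// Constructed sample values: one valid name, the rest must be rejected.
$samples = ['cuau0', 'cuau1', 'cuau9', '../etc/rc.conf', 'cuau0/../../tmp/x', "cuau0\n", ''];
foreach ($samples as $value) {
    // Character-device check is disabled because the demo uses regular files.
    $result = resolve_gps_port($value, $dev, false);
    printf("%-22s => %s\n", json_encode($value), $result ?? 'REJECTED');
}

unlink($dev . '/cuau1');
unlink($dev . '/cuau0');
rmdir($dev);
```

Only `cuau0` resolves to a path in the demo; every other sample is rejected, including the well-formed name whose symlink target lies outside the device directory.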
Solution