Rapid7 Vulnerability & Exploit Database

pfSense: pfSense-SA-23_04.webgui: Authenticated Command Execution in the WebGUI

Free InsightVM Trial No Credit Card Necessary
2024 Attack Intel Report Latest research by Rapid7 Labs
Back to Search

pfSense: pfSense-SA-23_04.webgui: Authenticated Command Execution in the WebGUI

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
02/15/2023
Created
02/17/2023
Added
02/16/2023
Modified
02/17/2023

Description

A potential authenticated arbitrary command execution vulnerability was found in status.php, a component of the pfSense Plus and pfSense CE software GUI. If there is a file named '/tmp/rules.packages.|<command>|.txt', then when an authenticated GUI user loads status.php, the GUI executes '<command>'. This problem is present on pfSense Plus version 22.05.1, pfSense CE version 2.6.0, and earlier versions of both. In combination with another bug that lets users write arbitrary files, a user with sufficient privileges to access status.php could run a command directly or trick another administrator with privileges into running a command. The commands which work here are of limited use as other characters which might make it more useful also make it fail to trigger. Furthermore, status.php is not linked in the GUI and is typically only run under direction of TAC, so opportunity for exploitation is fairly low.

Solution(s)

  • pfsense-upgrade-latest

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;