Main Vulnerability Database Vulnerabilities #VU36085

Input validation error in pfsense - CVE-2018-20799

Published: March 1, 2019 / Updated: August 8, 2020

Vulnerability identifier: #VU36085

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2018-20799

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Rubicon Communications

Affected software:
pfsense

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

In pfSense 2.4.4_1, blocking of source IP addresses on the basis of failed HTTPS authentication is inconsistent with blocking of source IP addresses on the basis of failed SSH authentication (the behavior does not match the sshguard documentation), which might make it easier for attackers to bypass intended access restrictions.

How to mitigate CVE-2018-20799

Install update from vendor's website.

Sources

https://redmine.pfsense.org/issues/9223

Input validation error in pfsense - CVE-2018-20799

Detailed vulnerability description

How to mitigate CVE-2018-20799

Sources

Please verify you're human