#VU35861 Command Injection in pfsense


Published: 2019-06-03 | Updated: 2020-08-08

Vulnerability identifier: #VU35861

Vulnerability risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-12585

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pfsense
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Rubicon Communications

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Apcupsd 0.3.91_5, as used in pfSense through 2.4.4-RELEASE-p3 and other products, has an Arbitrary Command Execution issue in apcupsd_status.php.

Mitigation
Install update from vendor's website.

Vulnerable software versions

pfsense: 2.4.0 - 2.4.3_1

External links
http://ctrsec.io/index.php/2019/05/28/cve-2019-12584-12585-command-injection-vulnerability-on-pfsense-2-4-4-release-p3/
http://github.com/pfsense/FreeBSD-ports/commit/b492c0ea47aba8dde2f14183e71498ba207594e3
http://redmine.pfsense.org/issues/9556

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in pfsense