#VU61367 Input validation error in pfsense and pfSense Plus - CVE-2022-24299

Cybersecurity Help s.r.o.

Published: 2022-03-15

Vulnerability identifier: #VU61367

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-24299

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
pfsense
Server applications / IDS/IPS systems, Firewalls and proxy servers
pfSense Plus
Server applications / IDS/IPS systems, Firewalls and proxy servers

Vendor: Rubicon Communications

Description

The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to insufficient validation of user-supplied input within the data_ciphers parameter in the vpn_openvpn_server.php and vpn_openvpn_client.php pages. A remote user can pass specially crafted input to the application and execute arbitrary commands on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

pfsense: 1.0.x - 2.5.2

pfSense Plus: before 22.01

External links
https://jvn.jp/en/jp/JVN87751554/index.html
https://docs.netgate.com/downloads/pfSense-SA-22_03.webgui.asc

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in pfSense