CVE-2018-16055

moderate-risk

Published 2018-09-26

An authenticated command injection vulnerability exists in status_interfaces.php via dhcp_relinquish_lease() in pfSense before 2.4.4 due to its passing user input from the $_POST parameters "ifdescr" and "ipv" to a shell without escaping the contents of the variables. This allows an authenticated WebGUI user with privileges for the affected page to execute commands in the context of the root user when submitting a request to relinquish a DHCP lease for an interface which is configured to obtain its address via DHCP.

Do I need to act?

12.9% chance of exploitation in next 30 days

EPSS score — higher than 87% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (1)

Pfsense

Affected Vendors

Netgate

References (4)

Third Party Advisory https://doddsecurity.com/190/command-injection-on-pfsense-firewalls/

Mitigation https://www.pfsense.org/security/advisories/pfSense-SA-18_08.webgui.asc

Third Party Advisory https://doddsecurity.com/190/command-injection-on-pfsense-firewalls/

Mitigation https://www.pfsense.org/security/advisories/pfSense-SA-18_08.webgui.asc

/ 100

moderate-risk

Severity 30/34 · Critical

Exploitability 12/34 · Low

Exposure 5/34 · Minimal