Vulnerability Name:

CVE-2016-10709 (CCN-112308)

Assigned:2016-04-15
Published:2016-04-15
Updated:2018-02-09
Summary:pfSense before 2.3 allows remote authenticated users to execute arbitrary OS commands via a '|' character in the status_rrd_graph_img.php graph parameter, related to _rrd_graph_img.php.
CVSS v3 Severity:8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
8.2 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
8.2 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availibility (A): High
CVSS v2 Severity:9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availibility (A): Complete
Vulnerability Type:CWE-78
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2016-10709

Source: CCN
Type: Full-Disclosure Mailing List, Fri, 15 Apr 2016 14:54:55 +1200
PfSense Community Edition Multiple Vulnerabilities

Source: XF
Type: UNKNOWN
pfsense-statusrrdgraphimg-cmd-exec(112308)

Source: CCN
Type: Packet Storm Security [04-15-2016]
PfSense Community Edition 2.2.6 CSRF / XSS / Command Injection PfSense Community Edition 2.2.6 CSRF / XSS / Command Injection

Source: CCN
Type: Packet Storm Security [12-28-2017]
pfSense 2.1.3-RELEASE (amd64) Remote Command Execution

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [04-18-2016]

Source: EXPLOIT-DB
Type: Exploit, Third Party Advisory, VDB Entry
39709

Source: CCN
Type: pfSense Security Advisory pfSense-SA-16_01.webgui
Arbitrary Code Execution

Source: MISC
Type: Vendor Advisory
https://www.pfsense.org/security/advisories/pfSense-SA-16_01.webgui.asc

Source: MISC
Type: Exploit, Third Party Advisory
https://www.rapid7.com/db/modules/exploit/unix/http/pfsense_graph_injection_exec

Source: MISC
Type: Exploit, Third Party Advisory
https://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf

Vulnerable Configuration:Configuration 1:
  • cpe:/a:pfsense:pfsense:*:*:*:*:community:*:*:* (Version <= 2.2.6)

    • Configuration CCN 1:
  • cpe:/a:pfsense:pfsense:2.2.6:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    pfsense pfsense *
    pfsense pfsense 2.2.6