CVE-2021-41282

diag_routes.php in pfSense 2.5.2 allows sed data injection. Authenticated users are intended to be able to view data about the routes set in the firewall. The data is retrieved by executing the netstat utility, and then its output is parsed via the sed utility. Although the common protection mechanisms against command injection (i.e., the usage of the escapeshellarg function for the arguments) are used, it is still possible to inject sed-specific code and write an arbitrary file in an arbitrary location.

Published: Mar 2, 2022
Updated: Apr 14, 2023
CVE: CVE-2021-41282
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9
AV:N/AC:L/Au:S/C:C/I:C/A:C

CWEs:

CWE-74

Affected Software
References

Software	From	Fixed in
pfsense / pfsense	2.5.2	2.5.2.x

http://packetstormsecurity.com/files/166208/pfSense-2.5.2-Shell-Upload.html
https://docs.netgate.com/pfsense/en/latest/releases/22-01_2-6-0.html
https://www.shielder.it/advisories/
https://www.shielder.it/advisories/pfsense-remote-command-execution/

Vulnerability Database

289,599

CVE-2021-41282