pfSense pfBlockerNG Host header command injection

Added: 12/23/2022

Background

pfSense is an open-source network firewall based on the FreeBSD operating system. It is the software that powers Netgate Security Gateway Appliances.

pfBlockerNG is a pfSense package which allows creation of firewall rules on the appliance.

Problem

A vulnerability in pfSense pfBlockerNG allows remote, unauthenticated attackers to inject arbitrary commands through the Host header of an HTTP request.

Resolution

Upgrade to pfSense pfBlockerNG 2.1.4_27 or higher.

References

https://www.ihteam.net/advisory/pfblockerng-unauth-rce-vulnerability/
