CVE-2022-40624
Published: 2022-12-20
Priority: P275 · Severity: critical · CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC available (see references)
EPSS: 17.11% (96.7th percentile)
pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pfsense | pfblockerng | < 2.1.4_27 | 2.1.4_27 |

Note on the boundary: the NVD description says "through 2.1.4_27", which counts 2.1.4_27 itself as affected, while the range above lists it as the fixed release. Treat the boundary as unreliable; check the installed package version and upgrade to the current pfBlockerNG release rather than relying on the cut-off.
Detection & IOCs (extracted from sources)
- The exploit is delivered through a malformed HTTP Host header containing shell metacharacters (e.g. single quote, asterisk, semicolon) in a request to /pfblockerng/www/index.php. Monitor HTTP requests to this path whose Host header contains characters such as `'`, `*` or `;`; an RFC-compliant Host value never contains them.
- A pre-check GET to /pfblockerng/www/index.php that returns a GIF image (Content-Type: image/gif, body beginning with "GIF") fingerprints a pfBlockerNG instance before exploitation is attempted. The same request can be used to inventory your own exposure.
- Time-based blind OS command injection check: if a request with a shell-injected Host header delays the response by 7 seconds or more, the target is likely vulnerable. Compare against a baseline request to the same endpoint so that ordinary latency is not mistaken for a sleep.
- Shodan and FOFA queries for the string "pfBlockerNG" locate internet-facing instances.
- Exploitation requires sending a non-RFC-compliant Host header that carries shell metacharacters. Some HTTP client libraries normalise or reject such a header value, so both the attack and any detection test must use a raw socket (or an "unsafe" request mode) that sends the header bytes unchanged; a clean result from a sanitising client proves nothing.
- The vulnerability affects pfBlockerNG through version 2.1.4_27. The exploit flow is two steps: first confirm the GIF endpoint is reachable, then send the injected Host header.
- This is a distinct vulnerability from CVE-2022-31814, which is also OS command injection in pfBlockerNG but via a different attack vector.
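The two defender-side checks the IOCs above describe, written out as an added example (this is not code from the page, from the pfBlockerNG project or from the PoC repositories): a log scanner that flags requests to the pfBlockerNG path whose Host header carries shell metacharacters or whose response took 7 seconds or more, and a validator for the GIF fingerprint response. The access-log format, the sample log lines and the raw HTTP response are constructed for the example; the metacharacter set extends the page's `'`, `*`, `;` with other shell-significant characters as an assumption.

```python
"""Added example: detection helpers for the CVE-2022-40624 IOCs.

Assumptions (not from the page): the log format is a constructed nginx-style
access log with the Host header and request time appended as host="..." and
rt=<seconds>; the metacharacter set below is wider than the three characters
the page names.
"""
import re
from dataclasses import dataclass

PFBLOCKERNG_PATH = "/pfblockerng/www/index.php"

# Page names ' * ; explicitly; the rest are an assumption covering other
# characters a shell-injected Host header would need. None of them is legal
# in an RFC-compliant Host value.
SHELL_META = set("'\"`;*$|&<>()")

# Page: a delay of 7 s or more on an injected request indicates time-based
# blind OS command injection.
SLOW_THRESHOLD_S = 7.0

# Constructed format:
# <ip> - - [ts] "<method> <path> HTTP/1.x" <status> <bytes> host="<host>" rt=<s>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ host="(?P<host>[^"]*)" rt=(?P<rt>[\d.]+)$'
)


@dataclass
class Finding:
    ip: str
    host: str
    reasons: tuple


def host_is_suspicious(host: str) -> bool:
    """True if the Host header value contains any shell metacharacter."""
    return any(c in SHELL_META for c in host)


def analyse_line(line: str):
    """Return a Finding for a suspicious pfBlockerNG request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not in the expected format; a real scanner would count these
    path = m["path"].split("?", 1)[0]  # ignore any query string
    if path != PFBLOCKERNG_PATH:
        return None
    reasons = []
    if host_is_suspicious(m["host"]):
        reasons.append("shell metacharacters in Host header")
    if float(m["rt"]) >= SLOW_THRESHOLD_S:
        reasons.append(
            f"response time >= {SLOW_THRESHOLD_S:.0f}s (time-based blind injection probe)"
        )
    if not reasons:
        return None
    return Finding(ip=m["ip"], host=m["host"], reasons=tuple(reasons))


def scan(lines):
    """Run analyse_line over an iterable of log lines, keeping only hits."""
    return [f for f in (analyse_line(l) for l in lines) if f]


def is_pfblockerng_gif_response(raw: bytes) -> bool:
    """Page: a GET to the pfBlockerNG path answers 200 with image/gif and a
    body beginning 'GIF'. Validates a raw HTTP/1.x response byte string."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False
    lines = head.split(b"\r\n")
    if not lines[0].startswith(b"HTTP/1.") or b" 200 " not in lines[0]:
        return False
    ctype = next(
        (h.split(b":", 1)[1].strip().lower()
         for h in lines[1:] if h.lower().startswith(b"content-type:")),
        b"",
    )
    return ctype.startswith(b"image/gif") and body.startswith(b"GIF")


# Constructed sample log: one benign hit, one metacharacter Host that also
# stalled, one injection attempt against a different path, one slow request
# with a clean Host.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Dec/2022:10:00:01 +0000] "GET /pfblockerng/www/index.php HTTP/1.1" 200 43 host="fw.example.net" rt=0.012',
    '203.0.113.7 - - [20/Dec/2022:10:00:02 +0000] "GET /pfblockerng/www/index.php HTTP/1.1" 200 43 host="\'*;\'" rt=7.201',
    '198.51.100.9 - - [20/Dec/2022:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 43 host="\';\'" rt=0.050',
    '192.0.2.4 - - [20/Dec/2022:10:00:04 +0000] "GET /pfblockerng/www/index.php?x=1 HTTP/1.1" 200 43 host="fw.example.net" rt=8.500',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding.ip, repr(finding.host), "; ".join(finding.reasons))
```

Running the module prints two findings: the metacharacter Host from 203.0.113.7 (two reasons) and the slow request from 192.0.2.4 (one reason). The slow-but-clean case is kept on purpose: a 7-second stall on this endpoint with a sanitising proxy in front may be the only trace of a probe whose Host header never reached the log intact.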
No detection rules found.
Nuclei
pfSense pfBlockerNG - OS Command Injection (CVE-2022-40624, CRITICAL, CVSS 9.8)
pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header.
Template (indexed copy; truncated after the start of the classification block, so the request section is not shown):
```yaml
id: CVE-2022-40624

info:
  name: pfSense pfBlockerNG - OS Command Injection
  author: ritikchaddha
  severity: critical
  description: |
    pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header.
  impact: |
    Allows remote attackers to execute arbitrary code on the affected system
  remediation: |
    Update to the latest version of pfSense pfBlockerNG to mitigate CVE-2022-40624
  reference:
    - https://github.com/dhammon/pfBlockerNg-CVE-2022-40624
    - https://nvd.nist.gov/vuln/detail/CVE-2022-40624
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C
```
No writeups or analysis indexed.
References
- https://docs.netgate.com/pfsense/en/latest/packages/pfblocker.html
- https://github.com/dhammon/pfBlockerNg-CVE-2022-40624
- https://github.com/dhammon/pfBlockerNg-RCE