CVE-2019-12585
📋 TL;DR
CVE-2019-12585 is an arbitrary command execution vulnerability in apcupsd_status.php in Apcupsd 0.3.91_5, allowing attackers to execute system commands with root privileges. This affects pfSense through version 2.4.4-RELEASE-p3 and other products using this vulnerable version of Apcupsd. The vulnerability stems from improper input validation in the web interface component.
💻 Affected Systems
- pfSense
- Apcupsd
📦 What is this software?
Apcupsd by Apcupsd
Pfsense by Netgate
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with root-level command execution, allowing attackers to install malware, exfiltrate data, pivot to other systems, or disrupt critical infrastructure.
Likely Case
Unauthenticated remote code execution leading to system takeover, credential theft, and lateral movement within the network.
If Mitigated
Limited impact with proper network segmentation, web application firewalls, and restricted user privileges preventing full system compromise.
🎯 Exploit Status
Exploitation requires access to the web interface. Multiple public proof-of-concept exploits exist demonstrating command injection via crafted HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: pfSense 2.4.4-RELEASE-p4 and later, Apcupsd versions after 0.3.91_5
Vendor Advisory: https://redmine.pfsense.org/issues/9556
Restart Required: Yes
Instructions:
1. Update pfSense to version 2.4.4-RELEASE-p4 or later via System > Update.
2. For standalone Apcupsd, update to the latest version from the official repository.
3. Restart the apcupsd service and web interface.
🔧 Temporary Workarounds
Disable apcupsd web interface
Temporarily disable the vulnerable web component until patching is possible
service apcupsd stop
chmod 000 /usr/local/www/apcupsd_status.php
Network access restriction
Restrict access to the apcupsd web interface using firewall rules: pfctl on pfSense, iptables on a Linux host running Apcupsd standalone (pfSense itself does not use iptables). Adding addresses to the pf table only restricts traffic once a pf rule references the apcupsd table; trusted_network is a placeholder for your management subnet, and the iptables ACCEPT rule must be followed by a drop rule or it restricts nothing.
pfctl -t apcupsd -T add 192.168.1.0/24
iptables -A INPUT -p tcp --dport 80 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from critical assets
- Deploy web application firewall (WAF) rules to block command injection patterns
🔍 How to Verify
Check if Vulnerable:
Check pfSense version via System > Version or run 'cat /etc/version' on CLI. For Apcupsd, check version with 'apcaccess -v' or examine package version.
Check Version:
cat /etc/version | grep -E '2\.4\.4-RELEASE-p[0-3]'
Verify Fix Applied:
Verify that the pfSense version is 2.4.4-RELEASE-p4 or later, then confirm that the apcupsd_status.php endpoint rejects input containing shell metacharacters.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in apcupsd logs
- HTTP requests to apcupsd_status.php with shell metacharacters
- System logs showing unexpected process execution from web user
Network Indicators:
- HTTP POST/GET requests to apcupsd_status.php containing pipe characters, semicolons, or backticks
- Outbound connections from pfSense to unexpected destinations
SIEM Query:
source="apcupsd.log" AND ("|" OR ";" OR "`" OR "$(")
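As an added detection example (not code from the advisory or from the pfSense project), the following Python scans web-server access-log lines for the indicator named above: requests to apcupsd_status.php whose URL-decoded target contains the listed shell metacharacters. The Common Log Format layout, the sample lines and the `q` parameter are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Shell metacharacters the advisory lists as request indicators.
META = ("|", ";", "`", "$(")

# Assumed Common Log Format subset: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded metacharacters (%253B -> %3B -> ;) are still caught."""
    prev = None
    for _ in range(rounds):
        if target == prev:
            break
        prev, target = target, unquote_plus(target)
    return target

def suspicious_request(line: str):
    """Return a finding for a request to apcupsd_status.php carrying shell metacharacters, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    target = decode_target(m.group("target"))
    if "apcupsd_status.php" not in target.split("?", 1)[0]:
        return None  # only the affected script is of interest
    hits = [c for c in META if c in target]
    if not hits:
        return None
    return {"ip": m.group("ip"), "method": m.group("method"),
            "metachars": hits, "status": m.group("status")}

def scan(lines):
    """Apply suspicious_request to every line and keep the findings."""
    return [f for f in (suspicious_request(l) for l in lines) if f]

# Constructed sample lines (not real traffic); 'q' is a placeholder parameter, not the real one.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/May/2019:10:00:01 +0000] "GET /apcupsd_status.php HTTP/1.1" 200',
    '10.0.0.9 - - [28/May/2019:10:00:02 +0000] "GET /apcupsd_status.php?q=x%3By HTTP/1.1" 200',
    '10.0.0.9 - - [28/May/2019:10:00:03 +0000] "POST /apcupsd_status.php?q=%2524%2528y%2529 HTTP/1.1" 200',
    '10.0.0.7 - - [28/May/2019:10:00:04 +0000] "GET /index.php?q=a%3Bb HTTP/1.1" 200',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The repeated decoding matters because a single-pass string match on the raw log line misses `%3B` or `%2524%2528` encodings of the same characters.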
🔗 References
- https://ctrsec.io/index.php/2019/05/28/cve-2019-12584-12585-command-injection-vulnerability-on-pfsense-2-4-4-release-p3/
- https://github.com/pfsense/FreeBSD-ports/commit/b492c0ea47aba8dde2f14183e71498ba207594e3
- https://redmine.pfsense.org/issues/9556