CVE-2022-26019

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated remote attackers with NTP GPS configuration privileges to overwrite files on pfSense systems, potentially leading to remote code execution. It affects pfSense CE versions before 2.6.0 and pfSense Plus versions before 22.01. Attackers need existing administrative access to the web interface to exploit this flaw.

💻 Affected Systems

Products:
  • pfSense CE
  • pfSense Plus
Versions: pfSense CE < 2.6.0, pfSense Plus < 22.01
Operating Systems: FreeBSD-based
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have administrative access to the web interface with NTP GPS configuration privileges. Not exploitable by unauthenticated users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with root-level arbitrary command execution, allowing complete control of the firewall/router, data exfiltration, and lateral movement into connected networks.

🟠 Likely Case

Privilege escalation from limited administrative access to full system control, configuration manipulation, and persistence establishment on the firewall device.

🟢 If Mitigated

Limited to NTP GPS configuration changes only, with no file system access or command execution capabilities.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access to the web interface with specific privileges. The vulnerability involves improper path validation in NTP GPS configuration functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: pfSense CE 2.6.0, pfSense Plus 22.01

Vendor Advisory: https://docs.netgate.com/downloads/pfSense-SA-22_01.webgui.asc

Restart Required: No

Instructions:

1. Log into pfSense web interface.
2. Navigate to System > Update.
3. Select 'Update' tab.
4. Click 'Confirm' to update to latest version.
5. Apply changes when prompted.

🔧 Temporary Workarounds

Restrict NTP GPS Configuration Access

all

Remove NTP GPS configuration privileges from administrative users who don't require them.

Network Segmentation

all

Restrict access to pfSense web interface to trusted management networks only.

🧯 If You Can't Patch

  • Implement strict access controls to limit which administrators can modify NTP GPS settings
  • Monitor for unusual file system modifications and NTP configuration changes

🔍 How to Verify

Check if Vulnerable:

Check pfSense version via web interface Dashboard or CLI: pfSense-version

Check Version:

pfSense-version

Verify Fix Applied:

Verify version is pfSense CE >= 2.6.0 or pfSense Plus >= 22.01

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized NTP GPS configuration changes
  • Unexpected file modifications in system directories
  • Web interface authentication from unusual sources

Network Indicators:

  • Unusual outbound connections from pfSense device
  • Unexpected configuration changes to NTP services

SIEM Query:

source="pfSense" AND ((event_type="config_change" AND config_item="ntp") OR (event_type="file_modification" AND file_path CONTAINS "/etc/"))
