
Critical Flaw Exposes Many Ubiquiti Devices to Attacks

Dozens of products from Ubiquiti Networks are affected by a critical flaw that can be exploited to hijack devices. The security hole was reported to the vendor in November, but patches have yet to be released for most of the impacted versions.


The vulnerability, discovered by researchers at SEC Consult, has been described as a command injection in the administration interface of Ubiquiti devices. The weakness affects the pingtest_action.cgi component and it’s partly caused by the use of a very old version of PHP, namely PHP 2.0.1 from 1997.

The flaw can be exploited by authenticated attackers from a low-privileged read-only account, or remotely by unauthenticated hackers if they can trick a user into clicking on a specially crafted link. The remote attack works due to the lack of cross-site request forgery (CSRF) protection, SEC Consult said in its advisory.

An attacker can exploit the vulnerability to open a reverse root shell and take over the device. Depending on what the device is used for, it may also be possible for an attacker to hijack other machines on the network.
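The two weaknesses the advisory describes, a ping command assembled from a user-supplied target and a state-changing CGI endpoint with no CSRF protection, are shown below in the form of a hardened handler. This is an added example written for this article, not Ubiquiti's or SEC Consult's code; the form field name `host`, the session dict and the function names are assumptions, and the handler returns the argv it would execute instead of actually running ping.

```python
import ipaddress
import re
import secrets

# One DNS label: letters, digits and inner hyphens (RFC 1123 shape).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_safe_target(target: str) -> bool:
    """Accept only a literal IP address or a well-formed hostname.

    Shell metacharacters, whitespace and empty strings are refused, so the
    value can never change the command that eventually runs.
    """
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return len(target) <= 253 and _HOSTNAME_RE.match(target) is not None


def build_ping_argv(target: str) -> list:
    """Return the ping command as an argv list, never as a shell string.

    Handing this list to subprocess.run without shell=True means no shell
    ever parses the target; '--' also stops it being read as an option.
    """
    if not is_safe_target(target):
        raise ValueError("invalid ping target")
    return ["ping", "-c", "4", "--", target]


def issue_csrf_token(session: dict) -> str:
    """Store a fresh random token in the session and return it for the form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def handle_pingtest(form: dict, session: dict) -> tuple:
    """Hardened handler (assumed shape): CSRF check, then strict validation."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not secrets.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"  # cross-site forged request
    try:
        argv = build_ping_argv(form.get("host", ""))
    except ValueError as exc:
        return 400, str(exc)
    return 200, argv
```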

According to SEC Consult, the flaw affects roughly 40 Ubiquiti access points, including Rocket Prism, PowerBeam, NanoBeam, LiteBeam, airGateway and airFiber products.

The security firm reported the vulnerability to Ubiquiti Networks on November 22 via the vendor’s HackerOne page. The company was initially responsive, but it stopped providing status updates in early February, which led to SEC Consult’s decision to make its findings public.

SEC Consult has published a video demonstrating its findings, but only limited technical details have been made available to prevent abuse:


After SEC Consult published its advisory, a Ubiquiti employee responded to users on Reddit, claiming that the company stopped responding to the researchers due to a communications issue with the HackerOne platform.

The company said the vulnerability was fixed in version 8.0.1 of AirOS, the operating system running on affected products. It has also promised to release updates soon for versions 5.x, 6.x and 7.x.

“Agree this looks very bad, but I can assure you the optics of this aren’t an accurate reflection of how security issue reports are handled,” said the Ubiquiti employee. “We did drop the ball in communication here, but it wasn’t due to the issue being ignored.”

UPDATE. Ubiquiti has sent SecurityWeek the following statement:

We take network security very seriously and are in the process of fixing this vulnerability for all products affected. We have already released updates that resolve the issue for 37 out of the 44 products mentioned by SEC Consult (the first update for airMAX 11ac products was released on February 3, 2017) and we are very close to releasing another update for the remaining 7 products mentioned in the report. Once this update is released, we will inform our customers through a newsletter to remind them to update their firmware. We are also improving our vetting process for security issue reports to speed up our response time.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
