Critical Flaw Exposes Many Ubiquiti Devices to Attacks

Dozens of products from Ubiquiti Networks are affected by a critical flaw that can be exploited to hijack devices. The security hole was reported to the vendor in November, but patches have yet to be released for most of the impacted versions.

The vulnerability, discovered by researchers at SEC Consult, has been described as a command injection in the administration interface of Ubiquiti devices. The weakness affects the pingtest_action.cgi component and it’s partly caused by the use of a very old version of PHP, namely PHP 2.0.1 from 1997.

The flaw can be exploited by authenticated attackers from a low privileged read-only account, or remotely by unauthenticated hackers if they can trick a user into clicking on a specially crafted link. The remote attack works due to the lack of cross-site request forgery (CSRF) protection, SEC Consult said in its advisory.

An attacker can exploit the vulnerability to open a reverse root shell and take over the device. Depending on what the device is used for, it may also be possible for an attacker to hijack other machines on the network.

According to SEC Consult, the flaw affects roughly 40 Ubiquiti access points, including Rocket Prism, PowerBeam, NanoBeam, LiteBeam, airGateway and airFiber products.

The security firm reported the vulnerability to Ubiquiti Networks on November 22 via the vendor’s HackerOne page. The company was initially responsive, but it stopped providing status updates in early February, which led to SEC Consult’s decision to make its findings public.

SEC Consult has published a video demonstrating its findings, but only limited technical details have been made available to prevent abuse:

After SEC Consult published its advisory, an Ubiquiti employee responded to users on Reddit, claiming that the company stopped responding to the researchers due to a communications issue with the HackerOne platform.

The company said the vulnerability was fixed in version 8.0.1 of AirOS, the operating system running on affected products. It has also promised to release updates soon for versions 5.x, 6.x ad 7.x.

“Agree this looks very bad, but I can assure you the optics of this aren’t an accurate reflection of how security issue reports are handled,” said the Ubiquiti employee. “We did drop the ball in communication here, but it wasn’t due to the issue being ignored.”

UPDATE. Ubiquiti has sent SecurityWeek the following statement:

We take network security very seriously and are in the process of fixing this vulnerability for all products affected. We have already released updates that resolve the issue for 37 out of the 44 products mentioned by SEC Consult (the first update for airMAX 11ac products was released on February 3, 2017) and we are very close to releasing another update for the remaining 7 products mentioned in the report. Once this update is released, we will inform our customers through a newsletter to remind them to update their firmware. We are also improving our vetting process for security issue reports to speed up our response time.

Related: Worm Infects Many Ubiquiti Devices via Old Vulnerability

Related: Reuse of Cryptographic Keys Exposes Millions of IoT Devices

Related: Flaw Allows Hackers to Find Ubiquiti Devices Exposed to Web