Ubiquiti Routing Products Vulnerable to Hijack due to Use of 20 Year Old Version of PHP

Discussion in 'HardForum Tech News' started by Zarathustra[H], Mar 17, 2017.

  1. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    Many of our pro-sumer readers, myself included, have come to like Ubiquiti Networks products over the years for their enterprise-like reliability and management capabilities, but their consumer-like pricing. I should know, I am one of them. The Reg has a story up that might cast some doubt on just how much we should trust them though.

    Apparently the web interface of a good chunk of Ubiquiti's routers relies on a version of PHP released in 1997, lacking in modern security features. This allows a command injection attack on the web interface. To be fair, this does rely on a user with credentials being logged in to the web interface, and at the same time clicking on a malicious link, but even so, leaving 20-year-old known vulnerabilities open on your enterprise-grade routing hardware seems somewhat inexcusable to me. You would think that a company marketing its products to enterprise customers would be a little bit more serious about security.

    You can find more details and a list of potentially affected hardware in SEC's Advisory.


    "This isn't the first time Ubiquiti customers have been left with an unfixed security cockup by their supplier. A previous flaw was finally patched by a third party back in 2015 after the company failed to fix it in time, despite proof of concept code being in wide circulation.

    Then again, security doesn't seem to be Ubiquiti's strong point. The firm lost $46.7m in 2015 when it fell prey to an invoice scammer and sent the money - most of which it couldn't recover - to banks in Asia. Ubiquiti's chief accounting officer resigned shortly afterwards."
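    The two preconditions the post describes (an authenticated session plus a click on an attacker-supplied link) are the shape of a CSRF-delivered command injection. The following is an added example, not code from the post, the advisory or Ubiquiti: a hypothetical "ping this host" diagnostics handler in its weak form beside a hardened one. The `Session` class, `handle_ping` and its parameters are assumptions for illustration.

```python
import hmac
import re
import secrets
from typing import Dict, List, Optional

# Constructed, hypothetical "ping this host" diagnostics handler for a router
# web UI; illustrative only, not Ubiquiti code and not the affected interface.
# Hostname allowlist: first character alphanumeric, so a leading '-' cannot
# smuggle an extra option to the ping binary.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_valid_host(host: str) -> bool:
    return HOSTNAME_RE.fullmatch(host) is not None


def vulnerable_ping_command(host: str) -> str:
    """Weak pattern: user input concatenated into a shell command line.
    Anything the shell treats as a separator inside `host` becomes a second
    command. Returns the string that would reach the shell (not executed)."""
    return "ping -c 3 " + host


def hardened_ping_argv(host: str) -> List[str]:
    """Hardened pattern: validate against the allowlist, then build an argv
    list for subprocess.run(argv) with no shell in between."""
    if not is_valid_host(host):
        raise ValueError("invalid host")
    return ["ping", "-c", "3", host]


class Session:
    """Per-login session carrying a random anti-CSRF token."""
    def __init__(self) -> None:
        self.csrf_token = secrets.token_hex(16)


def handle_ping(session: Session, params: Dict[str, str],
                origin: Optional[str], own_origin: str) -> Dict[str, object]:
    """Closes the 'logged-in admin clicks a hostile link' path: a cross-site
    request carries no valid per-session token and, if the browser sends an
    Origin header, a foreign one. Constant-time compare avoids timing leaks."""
    token = params.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return {"status": 403, "reason": "missing or bad CSRF token"}
    if origin is not None and origin != own_origin:
        return {"status": 403, "reason": "cross-origin request"}
    try:
        argv = hardened_ping_argv(params.get("host", ""))
    except ValueError:
        return {"status": 400, "reason": "invalid host"}
    return {"status": 200, "argv": argv}
```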
     
  2. whateverer

    whateverer Gawd

    Wait, PHP is TWENTY YEARS OLD? I always thought it was a creation of the lazy 2000s.
     
  3. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

  4. Schtask

    Schtask Limp Gawd

    You would be surprised how many seemingly stable new technologies rock very outdated code.
     
  5. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    I have no problem with old code, as long as patches for any known security holes are backported.

    I still have a couple of things running secure old Linux 2.2 kernels.
     
  6. PeaKr

    PeaKr Gawd

    Yeah, this is highly disturbing. Get your act together, Ubiquiti!
     
  7. Ultima99

    Ultima99 [H]ardness Supreme

    Time for some firmware updates! Hopefully this news spurs them into action, or at least a drop in sales that spurs them into action.
     
  8. wra18th

    wra18th [H]ardness Supreme

    For all the variables to exist at exactly the same time is unrealistic. But a vulnerability is a vulnerability. They have to fix it. Just think of all of those wireless hotspots sporting a Ubiquiti WAP. This could be a disaster in the making if one of the ISP's employees goes rogue.
     
  9. Eickst

    Eickst [H]ard|Gawd

    I like Ubiquiti stuff; however, calling them enterprise grade is a bit of a stretch. I consider them prosumer at best.
     
  10. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon

    That is certainly their target market, and they are heavily used in this market in countries in which Cisco gear can seem very expensive. When I was in Brazil I saw UniFi APs in large businesses everywhere I went.

    In the U.S. it is probably correct to consider them pro-sumer, but they do try to market themselves at small to medium sized businesses, and would like to go after the full blown enterprise market.
     
  11. DocSavage

    DocSavage 2[H]4U

    I installed a bunch of Ubiquiti WAPs where I work, but we don't have any of their routers.

    edit: However, we do have some PoE ToughSwitches that also seem to be on the list. By default, you have to use a special management port to access the administrative interface, but you can change that in the settings to all the ports.

    After reading the draft, it looks like an attacker would need to know the device's IP address, and that sounds like a fat chance unless they are on your network doing detailed scans.
     
    Last edited: Mar 17, 2017
  12. DangerousMan

    DangerousMan Limp Gawd

    For those wondering, ubnt employees have responded to this over on the Ubiquiti subreddit. Basically, the vulnerability was fixed in the upcoming update, and doesn't affect the UniFi or Edge line. They also state that they are fully aware that they dropped the ball when it came to communicating with the group that found the vulnerability.

    Edit: Here is the unofficial response:

    cbuechler

    It's not nearly as bad as it looks from the timeline, but there was unfortunately a communication breakdown between our internal ticket on the issue and the HackerOne submission, and HackerOne<->dev team communication in general.

    We have a full-time person dedicated to triage of HackerOne submissions, who verifies whether they're legit, and passes those that are on to the appropriate development team for resolution. When he started in November, there was a significant backlog to get through, which is also about the time this report initially came in. Most of them end up being bunk, but they all are investigated.

    This issue was fixed in AirOS 8.0.1 and newer, and for v6.x products, it's in 6.0.1-BETA which will be released soon.

    We're reviewing the process of getting updates from our internal ticket system back to HackerOne reporters, to ensure that doesn't happen in the future. And making sure all updates back from submitters make it to the appropriate development team.

    Agree this looks very bad, but I can assure you the optics of this aren't an accurate reflection of how security issue reports are handled. We did drop the ball in communication here, but it wasn't due to the issue being ignored.

    Edit 2: Here is an official update:

    https://community.ubnt.com/t5/airMA...lnerability-Issue-Update-3-18-17/td-p/1869309
     
    Last edited: Mar 17, 2017
  13. Zareek

    Zareek Limp Gawd

    Only some countries think Cisco is too expensive? Nearly everyone thinks Cisco products are too expensive. They pay anyway!

    Ubiquiti WAPs are excellent in my experience. We have them at work, and I even bought one for home: reasonable price, excellent coverage, they just work. It's funny this came out; about a week ago I was thinking about trying one of their EdgeRouters for my home network. Still might if they fix them!
     
  14. Zarathustra[H]

    Zarathustra[H] Official Forum Curmudgeon


    I'm with you, I have two UniFi WAPs at home.

    I think they are great, much better than any consumer solution I've ever used. I can't compare it to a Cisco AP though. I have no experience with them. I like enterprise gear for the home, but I am not an actual IT professional.

    I do know the Cisco units are damned expensive though...
     
  15. rudy

    rudy [H]ardForum Junkie

    I own Ubiquiti products like UniFi and mFi. I get their place in the market, but that company is a joke when it comes to software support. This isn't even remotely surprising to me. Yes, once I got their products up and running they run well, no more resetting the router every day like Linksys; however, getting it up and running or updating the product can be hell. Getting stuck using old versions of Java is like their calling card. I think one of their big business tactics is just skimping out on developers. Also, what is the point in great stable products if they are only good for a year or 2 before they drop support? I am sick of rolling my PC's Java back to Java 7 just because I switched networks and want to use the mPower Pro... This stuff is designed for miniprise-like environments; real small businesses are still too stupid to use this stuff, they would never get it running. So you have to be in a sweet spot where you don't want to spring for Cisco but you are still willing to do all the legwork to get their system running with all its senseless hacks and caveats.
     
  16. HammerSandwich

    HammerSandwich [H]ard|Gawd

    Important details there! The Register seriously exaggerated this one.
     
  17. longblock454

    longblock454 [H]ard|Gawd

    mFi is affected, looks like they are ignoring it. Several have asked on the Ubnt forums but they won't respond.