Ubiquiti Routing Products Vulnerable to Hijack due to Use of 20 Year Old Version of PHP

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,896
Many of our pro-sumer readers, myself included, have come to like Ubiquiti Networks products over the years for their enterprise-like reliability and management capabilities, but their consumer-like pricing. I should know, I am one of them. The Reg has a story up that might cast some doubt on just how much we should trust them though.

Apparently the web interface of a good chunk of Ubiquiti's routers rely on a version of PHP released in 1997, lacking in modern security features. This allows a command injection attack on the web interface. To be fair, this does rely on a user with credentials being logged in to the web interface, and at the same time clicking on a malicious link, but even so, leaving 20 year old known vulnerabilities open on your enterprise grade routing hardware seems somewhat inexcusable to me. You would think that a company marketing its products to enterprise customers would be a little bit more serious about security.

You can find more details and a list of potentially affected hardware in SEC's Advisory.


"This isn't the first time Ubiquiti customers have been left with an unfixed security cockup by their supplier. A previous flaw was finally patched by a third party back in 2015 after the company failed to fix it in time, despite proof of concept code being in wide circulation.

Then again, security doesn't seem to be Ubiquiti's strong point. The firm lost $46.7m in 2015 when it fell prey to an invoice scammer and sent the money - most of which it couldn't recover - to banks in Asia. Ubiquiti's chief accounting officer resigned shortly afterwards."
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,896
You would be surprised how many seemingly stable new technologies rock very outdated code.

I have no problem with old code, as long as patches for any known security holes are backported.

I still have a couple of things running secure old Linux 2.2 kernels.
 

Ultima99

Supreme [H]ardness
Joined
Jul 31, 2004
Messages
4,905
Time for some firmware updates! Hopefully this news spurs them into action, or at least a drop in sales that spurs them into action.
 

wra18th

Supreme [H]ardness
Joined
Nov 11, 2009
Messages
7,989
For all the variables to exist at exactly the same time is unrealistic. But a vulnerability is a vulnerability. They have to fix it. Just think of all of those wireless hotspots sporting a Ubiquity WAP. This could be a disaster in the making if one of the ISP's employees goes rogue.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,896
I like ubiquiti stuff, however calling them enterprise grade is a bit of a stretch. I consider them prosumer at best

That is certainly their target market, and they are heavily used in this market in countries in which Cisco gear can seem very expensive. When I was in Brazil I saw Unifi AP's in large businesses everywhere I went.

In the U.S. it is probably correct to consider them pro-sumer, but they do try to market themselves at small to medium sized businesses, and would like to go after the full blown enterprise market.
 

DocSavage

2[H]4U
Joined
Dec 18, 2002
Messages
2,409
For all the variables to exist at exactly the same time is unrealistic. But a vulnerability is a vulnerability. They have to fix it. Just think of all of those wireless hotspots sporting a Ubiquity WAP. This could be a disaster in the making if one of the ISP's employees goes rogue.
I installed a bunch of Ubiquity WAPs where I work, but we don't have any of their routers.

edit: However, we do have some PoE Toughswitches that also seem to be on the list. By default, you have to use a special management port to access the administrative interface, but you can change that in the settings to all the ports.

After reading the draft, it looks like an attacker would need to know the device's IP address, and that sounds like a fat chance unless they are on your network doing detailed scans.
 
Last edited:

DangerousMan

Limp Gawd
Joined
Jan 16, 2006
Messages
250
For those wondering, ubnt employees have responded to this over on the ubiquiti subreddit. Basically, the vulnerability was fixed in the upcoming update, and doesn't affect the unifi or edge line. They also state that they are fully aware that they dropped the ball when it came to communicating with the group that found the vulnerability.

Edit: Here is the unofficial response;

cbuechler
22 points 1 day ago

It's not as nearly bad as it looks from the timeline, but there was unfortunately a communication break down between our internal ticket on the issue and the HackerOne submission, and HackerOne<->dev team communication in general.

We have a full time person dedicated to triage of HackerOne submissions, who verifies whether they're legit, and passes those that are on to the appropriate development team for resolution. When he started in November, there was a significant back log to get through, which is also about the time this report initially came in. Most of them end up being bunk, but they all are investigated.

This issue was fixed in AirOS 8.0.1 and newer, and for v6.x products, it's in 6.0.1-BETA which will be released soon.

We're reviewing the process of getting updates from our internal ticket system back to HackerOne reporters, to ensure that doesn't happen in the future. And making sure all updates back from submitters make it to the appropriate development team.

Agree this looks very bad, but I can assure you the optics of this aren't an accurate reflection of how security issue reports are handled. We did drop the ball in communication here, but it wasn't due to the issue being ignored.

Edit 2: Here is an official update;

https://community.ubnt.com/t5/airMA...lnerability-Issue-Update-3-18-17/td-p/1869309
 
Last edited:

Zareek

Limp Gawd
Joined
Sep 5, 2011
Messages
191
That is certainly their target market, and they are heavily used in this market in countries in which Cisco gear can seem very expensive. When I was in Brazil I saw Unifi AP's in large businesses everywhere I went.

In the U.S. it is probably correct to consider them pro-sumer, but they do try to market themselves at small to medium sized businesses, and would like to go after the full blown enterprise market.

Only some countries think Cisco is too expensive? Nearly everyone thinks Cisco products are too expensive. They pay Anyway!

Ubiquity WAPs are excellent in my experience. We have them at work, I bought one for at home even, reasonable price, excellent coverage, they just work. It's funny this came out, about a week ago, I was thinking about trying one of their EdgeRouters for my home network. Still might if they fix them!
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,896
Only some countries think Cisco is too expensive? Nearly everyone thinks Cisco products are too expensive. They pay Anyway!

Ubiquity WAPs are excellent in my experience. We have them at work, I bought one for at home even, reasonable price, excellent coverage, they just work. It's funny this came out, about a week ago, I was thinking about trying one of their EdgeRouters for my home network. Still might if they fix them!


I'm with you, I have two Unifi WAP's at home.

I think they are great, much better than any consumer solution I've ever used. I can't compare it to a Cisco AP though. I have no experience with them. I like enterprise gear for the home, but I am not an actual IT professional.

I do know the Cisco units are damned expensive though...
 

rudy

[H]F Junkie
Joined
Apr 4, 2004
Messages
8,700
I own ubiquity products like unifi and mfi. I get there place in the market but that company is a joke when it comes to software support. This isn't even remotely surprising to me yes once I got there products up and running they run well, no more resetting the router every day like Linksys, however getting it up and running or updating the product can be hell. Getting stuck using old versions of java is like their calling card. I think one of their big business tactics is just skimping out on developers. Also what is the point in great stable products if they are only good for a year or 2 before they drop support? I am sick of rolling my PCs java back to java 7 just because I switched networks and want to use the mpower pro.................... This stuff is designed for miniprise like environments, real small businesses are still too stupid to use this stuff, they would never get it running. So you have to be in a sweet spot where you dotn want to spring for cisco but you are stilling willing to do all the legwork to get their system running with all its senseless hacks and caveats.
 
Top