We actually use Ubiquiti Wi-Fi Gear and have found it pretty good, I didn’t realise their security was so whack and they were using PHP 2.0.1 from 1997! In this case a malicious URL can inject commands into a Ubiquiti device which surprise, surprise, runs the web service as root.
Apparently, they also got scammed for $46.7 MILLION dollars by some invoice scammer in 2015 – not the sharpest tools in the shed for sure. And the way the app is engineered is so far from best practise I don’t think it’s even read a security 101 on it’s way to production.
Security researchers have gone public with details of an exploitable flaw in Ubiquiti’s wireless networking gear – after the manufacturer allegedly failed to release firmware patches.
Austrian-based bods at SEC Consult Vulnerability Lab found the programming cockup in November and contacted Ubiquiti – based in San Jose, California – via its HackerOne-hosted bug bounty program. Ubiquiti first denied this was a new bug, then accepted it, then stalled issuing a patch, we’re told. After repeated warnings, SEC has now shed light on the security shortcomings.
Essentially, if you can trick someone using a Ubiquiti gateway or router to click on a malicious link, or embed the URL in a webpage they visit, you can inject commands into the vulnerable device. The networking kit uses a web interface to administer it, and has zero CSRF protection. This means attackers can perform actions as logged-in users.
A hacker can exploit this blunder to open a reverse shell to connect to a Ubiquiti router and gain root access – yes, the builtin web server runs as root. SEC claims that once inside, the attacker can then take over the entire network. And you can thank a very outdated version of PHP included with the software, we’re told.
To be fair, Ubiquiti Wi-Fi Gear is pretty cheap, has good specs and generally works really well. Other than in this case, when it gets mercilessly hacked and some bad actor takes over your entire organisation.
That clearly would not be good.
“A command injection vulnerability was found in ‘pingtest_action.cgi.’ This script is vulnerable since it is possible to inject a value of a variable. One of the reasons for this behavior is the used PHP version (PHP/FI 2.0.1 from 1997),” SEC’s advisory today states.
“The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website. The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection.”
The SEC team tested the attack against four Ubiquiti devices, and believes another 38 models are similarly vulnerable. All the affected equipment, according to SEC, is listed in the above advisory. Proof-of-concept exploits were not published as there is still no patch available for the insecure firmware.
Ubiquiti had no comment at time of publication.
This isn’t the first time Ubiquiti customers have been left with an unfixed security cockup by their supplier. A previous flaw was finally patched by a third party back in 2015 after the company failed to fix it in time, despite proof of concept code being in wide circulation.
The flaw is not patched and sadly Ubiquiti hasn’t commented about it nor issued any kind of statement regarding the expectations of its users.
It’s pretty likely all Ubiquiti devices are vulnerable to this, so if you use them – be aware.
There’s enough details in this disclosure for a determined attacker to build their own zero-day.
The full advisory is here: Authenticated Command Injection
UPDATE: Only certain AirOS versions are vulnerable this means UniFi, EdgeMAX and AmpliFi products are not affected.This issue is limited to AirOS and associated products like toughswitch, airgateway etc) and patches have already been released by Ubiquiti as of today.
Source: The Register