Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

Ubiquiti Patches Critical Flaw Allowing Device and Network Takeover

Ubiquiti Networks, which makes networking gear for service providers, is in the process of patching a critical flaw that affects more than 40 of its products.

The vulnerability is a critical command-injection issue in the administration interface of Ubiquiti gear, according to researchers at SEC Consult. The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website. Once this is successful, an attacker can open a port binding or reverse shell to connect to the device, and is also able to change the "passwd" since the web service runs with root privileges. Worse, if the Ubiquiti device acts as router or even as firewall, the attacker can take over the whole network by exploiting this vulnerability.

The vendor, having been alerted to the issue in November via its HackerOne bug bounty program, originally inadvertently dismissed the issue thanks to a miscommunication. However, now it has patched 37 of the 44 affected products (with an update issued Feb. 3 for the airMAX 11ac). The remaining issues will soon get patches as well.  

“We take network security very seriously and are in the process of fixing this vulnerability for all products affected,” the company told Kaspersky Lab’s Threatpost. “Once this update is released, we will inform our customers through a newsletter to remind them to update their firmware. We are also improving our vetting process for security issue reports to speed up our response time.”

SEC said the vulnerability was found in a specific script, which uses 20-year-old code.

This is “vulnerable since it is possible to inject a value of a variable. One of the reasons for this behavior is the used PHP version (…from 1997).” The firm added that “the whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection. Furthermore, low privileged read-only users, which can be created in the web interface, are also able to perform this attack.”

Administrators are urged to apply the available patches immediately.

What’s Hot on Infosecurity Magazine?