Security Flaw Discovered in Ubiquiti Wireless Gear

Security Flaw Discovered in Ubiquiti Wireless GearNote: Ubiquiti has since issued a fix for the vulnerability. Find that here.

Recently, security researchers have announced the details of an exploitable flaw in Ubiquiti’s wireless networking gear following the manufacturer’s failure to release a firmware patch. The researchers at Austria’s SEC Consult Vulnerability Lab discovered the programming error in November and reached out to Ubiquiti through its HackerOne hosted big bounty program. At first, Ubiquiti denied that this was a new bug but later accepted it. While the manufacturer began working on a patch, Ubiquiti stalled during development. After repeated warnings regarding the bug, SEC decided to go public with the security concerns.

With this bug, hackers can trick someone using a Ubiquiti gateway or router into clicking on a malicious link, or embed the URL in a webpage they visit. From there, the hacker could inject commands into the vulnerable device. The networking kit uses the web interface to administer the it and lacks CSRF protection meaning that hackers can perform actions as logged-in users. With this vulnerability, attackers can open a reverse shell to establish a connection to a Ubiquiti router and gain root access. The SEC Lab says that once the hacker is inside, the entire network is vulnerable due to a very outdated version (20 years old…) of PHP included in the software.

“A command injection vulnerability was found in ‘pingtest_action.cgi.’ This script is vulnerable since it is possible to inject a value of a variable. One of the reasons for this behavior is the used PHP version (PHP/FI 2.0.1 from 1997),” SEC’s advisory today states.

“The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website. The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection.”

SEC tested the attack against four Ubiquiti devices, suspects that another 38 models are similarly vulnerable. Each of the vulnerable devices are listed in the advisory. Proof of Concept exploits, however, were not published and firmware patch still isn’t available for the devices.

Note: Ubiquiti has since issued a fix for the vulnerability. Find that here.

Follow Doug

Doug Atkinson

President at Solutions Review
An entrepreneur and executive with a passion for enterprise technology, Doug founded Solutions Review in 2012. He has previously served as a newspaper boy, a McDonald's grill cook, a bartender, a political consultant, a web developer, the VP of Sales for e-Dialog - a digital marketing agency - and as Special Assistant to Governor William Weld of Massachusetts.
Follow Doug