Ubiquiti Networks, a maker of networking gear for service providers, has been since November dealing with a critical command-injection vulnerability in the administration interface of more than 40 of its products.
Researchers at SEC Consult went public with the issue this week after privately disclosing the flaw to the vendor via its HackerOne bug bounty program. According to a timeline published by the researchers, Ubiquiti initially marked the issue as a duplicate, then promised a patch in a future stable release, but has yet to deliver.
A post to a Reddit thread about the vulnerability from a Ubiquiti employee cited a communication breadown between the company’s internal ticket on the issue and the initial submission to HackerOne.
“We’re reviewing the process of getting updates from our internal ticket system back to HackerOne reporters, to ensure that doesn’t happen in the future. And making sure all updates back from submitters make it to the appropriate development team,” the post said. “Agree this looks very bad, but I can assure you the optics of this aren’t an accurate reflection of how security issue reports are handled. We did drop the ball in communication here, but it wasn’t due to the issue being ignored.”
A request for comment from Ubiquiti Networks was not returned in time for publication.
As egregious as the four-month wait for a patch is the fact that the root cause of the vulnerability is the use of a 20-year-old php script in the interface. According to SEC Consult, the vulnerability lives in the pingtest_action.cgi script, which is using PHP/FI 2.0.1 which was built in 1997.
“The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website,” SEC Consult said in its advisory. “The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection.”
SEC Consult previously disclosed the lack of cross-site request forgery and cross-site scripting protection in January. Most of the same Ubiquiti gear was impacted as well, and the vendor told SEC that it considered this a low-risk threat and had no estimate for a patch. The researchers went public with an advisory Jan. 30.
The command injection flaw exposes the Ubiquiti admin interfaceto a number of risky attacks, SEC Consult said. For example, an attacker could connect to a vulnerable device by opening a port binding or reverse shell, and also change the password because the service runs as root.
“Low privileged read-only users, which can be created in the web interface, are also able to perform this attack,” SEC Consult said. “If the Ubiquiti device acts as router or even as firewall, the attacker can take over the whole network by exploiting this vulnerability.”
The Reddit post, meanwhile, indicates that Ubiquiti is working on patches, and that the vulnerability has been addressed in AirOS 8.0.1, the operating system running in Ubiquiti airMAX products, and that additional patches were imminent.
