LinkedIn infosec bod proffers DIY Ubiquiti fix for automation zero day
WiFi men prefer blog-snuffing to patching.
LinkedIn application Security Luca Carettoni has proffered a homebrew patch to close off a dangerous zero day hole that allows remote attackers to hijack home automation Ubiquiti mFi controllers.
The holes in the automation systems remain officially unpatched despite working exploit code and vulnerability details being published and remaining accessible.
Carettoni says the patch is a simple fix that Ubiquiti should have rushed out after the initial quiet disclosure was made in July.
Ubiquiti has been contacted for comment.
After posting to the Securteam blog and Reddit on 3 September, the vulnerability and exploit details was quickly removed by the SecuriTeam researchers.
However, the full vulnerability details and exploit code remains aggregated on third party sites easily accessible through Google.
"It is reasonable to assume that the security flaw can be easily abused by unsophisticated attackers," Carettoni says
"... a quick search on Google is sufficient to find the exploit for this bug. Despite the public exposure, Ubiquiti has yet to publish a patch.
"After waiting patiently for a few weeks, I created my own patch."
The mFiPatchMe fix took the application security man about an hour to brew without having any knowledge of the Ubiquiti codebase.
While the patch is said to work, punters wear the risk should anything go awry.
SecuriTeam researchers describe how the mFi authentication mechanism can be bypassed.
"Ubiquiti Networks mFi Controller Server installs a web management interface which … offers a login screen where only the administrator user can monitor and control remotely the configured devices," they say.
"Because of two errors inside the underlying (redacted) class, it is possible to bypass the authentication mechanism.
"... a remote attacker could then login and perform unauthorised operations as administrator through the secure web interface."
SecuriTeam says in the scuppered disclosure that Ubiquiti runs its bugs through HackerOne.
The researchers say they submitted through that bug bounty program and again via email, dropping the full disclosure after receiving no response nor patch. ®