Ubiquiti network gear can be 'hijacked by an evil URL' – thanks to its 20-year-old PHP build
And, nope, no patch
Updated Security researchers have gone public with details of an exploitable flaw in Ubiquiti's wireless networking gear – after the manufacturer allegedly failed to release firmware patches.
Austrian-based bods at SEC Consult Vulnerability Lab found the programming cockup in November and contacted Ubiquiti – based in San Jose, California – via its HackerOne-hosted bug bounty program. Ubiquiti first denied this was a new bug, then accepted it, then stalled issuing a patch, we're told. After repeated warnings, SEC has now shed light on the security shortcomings.
Essentially, if you can trick someone using a Ubiquiti gateway or router to click on a malicious link, or embed the URL in a webpage they visit, you can inject commands into the vulnerable device. The networking kit uses a web interface to administer it, and has zero CSRF protection. This means attackers can perform actions as logged-in users.
A hacker can exploit this blunder to open a reverse shell to connect to a Ubiquiti router and gain root access – yes, the builtin web server runs as root. SEC claims that once inside, the attacker can then take over the entire network. And you can thank a very outdated version of PHP included with the software, we're told.
"A command injection vulnerability was found in 'pingtest_action.cgi.' This script is vulnerable since it is possible to inject a value of a variable. One of the reasons for this behavior is the used PHP version (PHP/FI 2.0.1 from 1997)," SEC's advisory today states.
"The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website. The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection."
Here's a video of an example exploitation:
The SEC team found the security hole in four Ubiquiti devices, and believes another 40 or so models are similarly vulnerable. All the affected equipment is listed in the above advisory. This includes, and certainly not limited to, the ToughSwitch TS‑8‑PRO, Rocket M5, PicoStation M2HP, and NanoStation M5, plus various airFiber and airGateway models, PowerBeam devices, and LiteBeam boxes.
Proof-of-concept exploits were not published as there is still no patch available for the insecure firmware, SEC Consult said. Ubiquiti had no comment at time of publication.
This isn't the first time Ubiquiti customers have been left with an unfixed security cockup by their supplier. A previous flaw was finally patched by a third party back in 2015 after the company failed to fix it in time, despite proof of concept code being in wide circulation.
Then again, security doesn't seem to be Ubiquiti's strong point. The firm lost $46.7m in 2015 when it fell prey to an invoice scammer and sent the money – most of which it couldn't recover – to banks in Asia. Ubiquiti's chief accounting officer resigned shortly afterwards. ®
Updated to add
Ubiquiti staff still haven't got back to us nor SEC Consult, but they have managed to point their browsers at Reddit and grovel to customers. "There was unfortunately a communication breakdown," said Chris Buechler, a cofounder of pfSense now working at Ubiquiti. He added that the issue was fixed in AirOS 8.0.1, quietly released in February, and a 6.0.1 release addressing the issue is coming soon. Presumably the ToughSwitch Pro firmware and other vulnerable software will be updated too.
Ubiquiti has seemingly installed a working email client. A spokesperson sent us the following on Friday, a day after the above story was published:
Sorry about the delayed response. We take network security very seriously and are in the process of fixing this vulnerability for all products affected. We have already released updates that resolve the issue for 37 out of the 44 products mentioned by SEC Consult (the first update for airMAX 11ac products was released on February 3, 2017) and we are very close to releasing another update for the remaining seven products mentioned in the report. Once this update is released, we will inform our customers through a newsletter to remind them to update their firmware. We are also improving our vetting process for security issue reports to speed up our response time.
Sponsored: Becoming a Pragmatic Security Leader