
Ubiquiti network gear can be 'hijacked by an evil URL' – thanks to its 20-year-old PHP build

And, nope, no patch

Updated Security researchers have gone public with details of an exploitable flaw in Ubiquiti's wireless networking gear – after the manufacturer allegedly failed to release firmware patches.

Austria-based bods at SEC Consult Vulnerability Lab found the programming cockup in November and contacted Ubiquiti – based in San Jose, California – via its HackerOne-hosted bug bounty program. Ubiquiti first denied this was a new bug, then accepted it, then stalled on issuing a patch, we're told. After repeated warnings, SEC has now shed light on the security shortcomings.

Essentially, if you can trick someone who is logged into the web interface of a Ubiquiti gateway or router into clicking on a malicious link, or embed that URL in a webpage they visit, you can inject commands into the vulnerable device. The networking kit is administered through a web interface that has zero CSRF protection, so the victim's browser will happily send the attacker's crafted request along with the victim's session. This means attackers can perform actions as logged-in users without ever knowing the admin password.

A hacker can exploit this blunder to open a reverse shell from the Ubiquiti router and gain root access – yes, the built-in web server runs as root. SEC claims that once inside, the attacker can then take over the entire network. And you can thank a very outdated version of PHP included with the software, we're told.

"A command injection vulnerability was found in 'pingtest_action.cgi.' This script is vulnerable since it is possible to inject a value of a variable. One of the reasons for this behavior is the used PHP version (PHP/FI 2.0.1 from 1997)," SEC's advisory today states.

"The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website. The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection."
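To make the two failures concrete, here is a small model of a ping-test handler written for this article. It is hypothetical illustration code, not Ubiquiti's firmware and not SEC Consult's proof of concept: the handler, parameter and session names (`vulnerable_command`, `host`, `csrf_token`, `DEVICE_ORIGIN`) and the sample payload are all assumptions. The first function shows the weak pattern the advisory describes (an attacker-controlled value dropped straight into a shell command line, reachable by a single GET); the second shows the checks a hardened handler would apply: state changes only over POST, an Origin check, a per-session CSRF token, and an allowlist on the value so nothing the shell could interpret ever reaches the command.

```python
import ipaddress
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Hypothetical management address of the device; legitimate browser requests
# to the admin UI carry this as their Origin.
DEVICE_ORIGIN = "https://192.0.2.1"


def vulnerable_command(query: str) -> str:
    """The weak pattern: take ``host`` straight from the query string of a GET
    and interpolate it into a shell command line. Any shell metacharacter the
    attacker puts in the URL survives into the command. The string is only
    returned here for inspection, never executed."""
    host = parse_qs(query).get("host", [""])[0]
    return f"ping -c 1 {host}"


@dataclass
class Session:
    """A logged-in admin session. The CSRF token is random per session and must
    be echoed back in every state-changing request; a third-party page that
    triggers a request from the victim's browser cannot read it."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def hardened_pingtest(session: Session, method: str, headers: dict, body: str):
    """Return (status, detail). On success ``detail`` is the argv list the
    handler would hand to subprocess without a shell; on refusal it is the reason."""
    # 1. Only POST may change state, so a bare <img src=...> GET does nothing.
    if method != "POST":
        return 405, "state-changing request must use POST"
    # 2. Browsers set Origin on cross-site POSTs and pages cannot forge it.
    if headers.get("Origin") != DEVICE_ORIGIN:
        return 403, "cross-origin request refused"
    params = parse_qs(body)
    # 3. Constant-time comparison of the per-session token (bytes, so non-ASCII
    #    input cannot make compare_digest raise).
    token = params.get("csrf_token", [""])[0]
    if not secrets.compare_digest(token.encode(), session.csrf_token.encode()):
        return 403, "missing or wrong CSRF token"
    # 4. Allowlist the value: only an IP literal is accepted, and argv is passed
    #    as a list, so the shell never parses attacker input.
    host = params.get("host", [""])[0]
    try:
        host = str(ipaddress.ip_address(host))
    except ValueError:
        return 400, f"invalid host {host!r}"
    return 200, ["ping", "-c", "1", host]


if __name__ == "__main__":
    # Constructed sample payload with a shell metacharacter, sent through both
    # handlers. It is a generic illustration, not the advisory's payload.
    evil = "host=192.0.2.9|id"
    print("vulnerable:", vulnerable_command(evil))
    s = Session()
    print("GET, no token:", hardened_pingtest(s, "GET", {}, evil))
    print("POST, token, bad host:", hardened_pingtest(
        s, "POST", {"Origin": DEVICE_ORIGIN}, evil + "&csrf_token=" + s.csrf_token))
    print("POST, token, good host:", hardened_pingtest(
        s, "POST", {"Origin": DEVICE_ORIGIN}, "host=192.0.2.9&csrf_token=" + s.csrf_token))
```

The order of the checks matters less than their combination: the token alone defeats the "single GET from a malicious page" vector, but the allowlist is what stops an authenticated admin (or an attacker who has obtained a session some other way) from turning a diagnostic ping into arbitrary command execution on a web server that runs as root.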

SEC Consult has published a video showing an example exploitation.

The SEC team confirmed the security hole in four Ubiquiti devices, and believes another 40 or so models are similarly vulnerable. All the affected equipment is listed in the above advisory. This includes, but is certainly not limited to, the ToughSwitch TS‑8‑PRO, Rocket M5, PicoStation M2HP, and NanoStation M5, plus various airFiber and airGateway models, PowerBeam devices, and LiteBeam boxes.

Proof-of-concept exploits were not published as there is still no patch available for the insecure firmware, SEC Consult said. Ubiquiti had no comment at time of publication.

This isn't the first time Ubiquiti customers have been left with an unfixed security cockup by their supplier. A previous flaw was finally patched by a third party back in 2015 after the company failed to fix it in time, despite proof of concept code being in wide circulation.

Then again, security doesn't seem to be Ubiquiti's strong point. The firm lost $46.7m in 2015 when it fell prey to an invoice scammer and sent the money – most of which it couldn't recover – to banks in Asia. Ubiquiti's chief accounting officer resigned shortly afterwards. ®

Updated to add

Ubiquiti staff still haven't got back to us or SEC Consult, but they have managed to point their browsers at Reddit and grovel to customers. "There was unfortunately a communication breakdown," said Chris Buechler, a cofounder of pfSense now working at Ubiquiti. He added that the issue was fixed in AirOS 8.0.1, quietly released in February, and that a 6.0.1 release addressing the issue is coming soon. Presumably the ToughSwitch Pro firmware and other vulnerable software will be updated too.

Another update

Ubiquiti has seemingly installed a working email client. A spokesperson sent us the following on Friday, a day after the above story was published:

Sorry about the delayed response. We take network security very seriously and are in the process of fixing this vulnerability for all products affected. We have already released updates that resolve the issue for 37 out of the 44 products mentioned by SEC Consult (the first update for airMAX 11ac products was released on February 3, 2017) and we are very close to releasing another update for the remaining seven products mentioned in the report. Once this update is released, we will inform our customers through a newsletter to remind them to update their firmware. We are also improving our vetting process for security issue reports to speed up our response time.
