Security Firm Finds Command Injection Vulnerability in Ubiquiti Network Equipment
Security researchers at Austrian security firm SEC Consult have found a vulnerability in several Ubiquiti network devices that could allow an attacker to take over the device. The vulnerability has since been fixed through patches.
SEC Consult writes in an advisory that the vulnerability enables command injection in the administrative interface of some Ubiquiti devices. The flaw is present in a script that is vulnerable, among other things, because the PHP version used dates from 1997. An attacker could exploit the vulnerability by getting a victim to click a link or visit a malicious website. Because the interface has no CSRF protection, a single GET request is enough.
Ultimately, an attacker could take over an entire network if the vulnerable device acts as a router or firewall. SEC Consult has published a list of potentially vulnerable devices in its advisory. The company discovered the vulnerability in November and notified Ubiquiti via HackerOne. A lengthy back-and-forth followed, and by January there was still no news of a patch.
For example, Ubiquiti initially assumed that the report had already been received earlier. When communication stopped, the security firm decided to publish this week. The Register notes that Ubiquiti employee Chris Buechler did respond to the disclosure on Reddit. There he says that there was a ‘communication breakdown’ and that the vulnerability has been fixed in version 8.0.1 of AirOS. For products with software versions 6.x, a patch was released on Friday. Ubiquiti Networks is an American company that supplies network equipment.
Demonstration of the vulnerability