Some Ubiquiti network device models can be hacked thanks to an unpatched vulnerability, allowing attackers to gain control over the device, or use it as a pivot point in the victim’s network to hack other nearby equipment.
Discovered by security researchers from SEC Consult, the flaw is currently unpatched after communications between SEC Consult and Ubiquiti broke down in early January.
The researchers said they discovered the flaw last fall and informed Ubiquiti engineers in November, but they have not heard back since January, when they inquired about the bug’s patch status.
Flaw is hard to exploit, but not impossible
According to SEC Consult experts, the firmware of various Ubiquiti Networks devices contains a command injection vulnerability that allows attackers to alter the device’s internal code.
There is good and bad news. The good news is that the flaw can be exploited only by a logged-in user. The bad news is that there’s a secondary flaw in the firmware which allows for CSRF attacks. CSRF (cross-site request forgery) vulnerabilities allow attackers to fake user actions.
According to SEC Consult researchers, attackers only have to trick a Ubiquiti device owner into accessing a malicious website. Malicious code on this website accesses the Ubiquiti device admin panel on the owner’s behalf and performs the attack behind the user’s back.
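The two flaws described above are remotely reachable only in combination, so closing either one breaks the chain. The following is an added example, not code from Ubiquiti firmware or from SEC Consult's advisory, showing both checks in one admin-panel handler; the panel origin, the form field names and the ping diagnostic are assumptions made for illustration.

```python
import hmac
import ipaddress
import secrets
from urllib.parse import urlsplit

# Assumed panel address for illustration; not taken from any real device.
PANEL_ORIGIN = "https://192.168.1.20"

def new_csrf_token():
    """Random per-session token the panel embeds in every form it renders."""
    return secrets.token_urlsafe(32)

def same_origin(headers):
    """True only if the request was issued by a page served from the panel."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == PANEL_ORIGIN

def csrf_ok(headers, form, session_token):
    """Check 1: a foreign website can neither set Origin nor read the token."""
    sent = form.get("csrf_token", "")
    return same_origin(headers) and hmac.compare_digest(
        sent.encode(), session_token.encode())

def build_ping_argv(target):
    """Check 2: accept only an IPv4 literal and return an argv list.
    Running argv without a shell removes the command-injection path."""
    try:
        addr = ipaddress.IPv4Address(target)
    except ValueError:
        return None
    return ["ping", "-c", "1", str(addr)]

def handle_diagnostic(headers, form, session_token):
    """Hypothetical handler for a state-changing diagnostic request."""
    if not csrf_ok(headers, form, session_token):
        return 403, None   # forged cross-site request stops here
    argv = build_ping_argv(form.get("target", ""))
    if argv is None:
        return 400, None   # shell metacharacters never reach a command line
    return 200, argv       # caller runs subprocess.run(argv), never shell=True
```
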
Ubiquiti devices use 20-year-old PHP version
The vulnerability is possible because of bad firmware coding, but also because Ubiquiti used an ancient PHP version to power the device’s built-in server. The PHP version is 2.0.1, released way back in 1997, 20 years ago, and lacking many security protections included in modern PHP versions.
SEC Consult experts say they’ve tested their attack on four Ubiquiti devices, but 38 other models are also affected, at least at the theoretical level.