Ubiquiti Devices Exposed to Hacking via 20-Year-Old PHP Version


Some Ubiquiti network device models can be hacked thanks to an unpatched vulnerability, allowing attackers to gain control over the device, or use it as a pivot point in the victim’s network to hack other nearby equipment.

Discovered by security researchers from SEC Consult, the flaw is currently unpatched after communications between SEC Consult and Ubiquiti broke down in early January.

The researchers said they discovered the flaw last fall and informed Ubiquiti engineers in November, but they hadn’t heard back since January when they inquired about the bug’s patch status.

Flaw is hard to exploit, but not impossible

According to SEC Consult experts, the firmware of various Ubiquiti Networks devices contains a command injection vulnerability that allows attackers to alter the device’s internal code.

There is good and bad news. The good news is that the flaw can only be exploited by a logged-in user. The bad news is that there's a secondary flaw in the firmware which allows for CSRF attacks. CSRF vulnerabilities allow attackers to forge actions on behalf of a user who is already logged in.

According to SEC Consult researchers, attackers only have to trick a Ubiquiti device owner into accessing a malicious website. Malicious code on this website accesses the Ubiquiti device admin panel on the user's behalf and performs the attack without the user's knowledge.
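The two weaknesses described above combine into one chain: the admin panel does not check that a request really came from its own pages (CSRF), and it passes a form value into a shell command without validation (command injection). The following Python model, an added example and not code from the article or from Ubiquiti's firmware, shows the two checks a hardened handler would perform: a per-session synchronizer token plus an Origin/Referer comparison, and strict validation of the target before it is placed in an argv list rather than a shell string. All names (handle_ping_request, CSRF_FIELD, the sample session and headers) are this example's own constructions.

```python
import hmac
import ipaddress
import re
import secrets
import shlex
from urllib.parse import urlsplit

# Constructed example: a minimal model of an embedded admin-panel request handler.
# Nothing here is Ubiquiti code; the names and sample values are assumptions.

CSRF_FIELD = "csrf_token"
# RFC 1123-style hostname: labels of letters, digits and hyphens, dot separated.
# Shell metacharacters (; | & ` $ spaces, quotes) cannot match this pattern.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def new_session():
    """Create a session carrying a fresh, unguessable CSRF token bound to that session."""
    return {"user": "admin", CSRF_FIELD: secrets.token_urlsafe(32)}


def same_origin(header_value, expected_origin):
    """Compare scheme and host:port of an Origin/Referer header with the device's own origin."""
    got, want = urlsplit(header_value), urlsplit(expected_origin)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def csrf_ok(session, form, headers, expected_origin):
    """Synchronizer-token check (constant-time) plus an origin check as a second layer.

    A page on another site can make the victim's browser submit the form, but it
    cannot read the token out of the device's own pages, so the token is absent.
    """
    submitted = form.get(CSRF_FIELD, "")
    expected = session.get(CSRF_FIELD, "")
    if not submitted or not expected:
        return False
    if not hmac.compare_digest(submitted, expected):
        return False
    origin = headers.get("Origin") or headers.get("Referer")
    # Browsers send Origin on cross-site POSTs; treat a missing header as untrusted.
    return origin is not None and same_origin(origin, expected_origin)


def validate_target(target):
    """Accept only a literal IP address or a well-formed hostname; reject everything else."""
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid target")


def build_ping_argv(target):
    """Hardened form: an argv list, never a shell string, so no shell ever parses the input.

    The validation also guarantees the value cannot start with '-', so it cannot be
    mistaken for an option by the ping binary.
    """
    return ["ping", "-c", "1", validate_target(target)]


def unsafe_command_string(target):
    """The pattern the article describes: user input concatenated into a shell command."""
    return "ping -c 1 " + target


def shell_tokens(command_string):
    """Tokenise a command the way a POSIX shell would, showing where extra commands appear."""
    lexer = shlex.shlex(command_string, posix=True, punctuation_chars=True)
    return list(lexer)


def handle_ping_request(session, method, headers, form, expected_origin):
    """Gatekeeper for a state-changing admin action. Returns (status, detail)."""
    if method != "POST":
        return ("rejected", "state-changing actions must be POST")
    if not csrf_ok(session, form, headers, expected_origin):
        return ("rejected", "CSRF check failed")
    try:
        argv = build_ping_argv(form.get("target", ""))
    except ValueError as exc:
        return ("rejected", str(exc))
    # A real handler would now call subprocess.run(argv, shell=False, timeout=...).
    return ("ok", argv)


if __name__ == "__main__":
    device_origin = "https://192.0.2.1"          # constructed device address
    session = new_session()
    good = {CSRF_FIELD: session[CSRF_FIELD], "target": "192.0.2.50"}
    print(handle_ping_request(session, "POST", {"Origin": device_origin}, good, device_origin))
    # A form submitted from another site carries no token and a foreign Origin.
    cross_site = {"target": "192.0.2.50"}
    print(handle_ping_request(session, "POST", {"Origin": "https://attacker.example"},
                              cross_site, device_origin))
    # Even with a valid token, a target containing shell metacharacters is refused.
    injected = dict(good, target="192.0.2.50; id")
    print(handle_ping_request(session, "POST", {"Origin": device_origin}, injected, device_origin))
    # Why the string form is dangerous: the shell sees a second command.
    print(shell_tokens(unsafe_command_string("192.0.2.50; id")))
```

The token check must come before any other processing, and the target must be validated against an allow-list rather than by stripping known-bad characters; the argv form then removes the shell from the path entirely, so even a validation slip does not become a second command.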

Ubiquiti devices use 20-year-old PHP version

The vulnerability is possible because of insecure firmware code, but also because Ubiquiti used an ancient PHP version to power the device's built-in web server. The PHP version is 2.0.1, released way back in 1997, 20 years ago, and lacking many security protections included in modern PHP versions.

SEC Consult experts say they've tested their attack on four Ubiquiti devices, but 38 other models are also affected, at least at the theoretical level. The four tested devices and firmware versions are:

TS-8-PRO                     – v1.3.3 (SW)
(Rocket) M5                  – v5.6.9/v6.0 (XM)
(PicoStationM2HP) PICOM2HP   – v5.6.9/v6.0 (XM)
(NanoStationM5) NSM5         – v5.6.9/v6.0 (XM)

Possibly affected:
Ubiquiti Networks AF24 (Version: AF24 v3.2)
Ubiquiti Networks AF24HD (Version: AF24 v3.2)
Ubiquiti Networks AF-2X (Version: AF2X v3.2)
Ubiquiti Networks AF-3X (Version: AF3X v3.2)
Ubiquiti Networks AF5 (Version: AF5 v3.2)
Ubiquiti Networks AF5U (Version: AF5 v3.2)
Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)
Ubiquiti Networks AG-PRO-INS (Version: AirGWP v1.1.7)
Ubiquiti Networks airGateway (Version: AirGW v1.1.7)
Ubiquiti Networks airGateway-LR (Version: AirGW v1.1.7)
Ubiquiti Networks AMG-PRO (Version: AirGWP v1.1.7)
Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)
Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)
Ubiquiti Networks LBE-M5-23 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)
Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)
Ubiquiti Networks NBE-M2-13 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-16 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-19 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-5AC-300 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-300-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-620 (Version: XC v7.2.4)
Ubiquiti Networks PBE-M2-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-620 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks R5AC-Lite (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PRISM (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTMP (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTP (Version: XC v7.2.4)
Ubiquiti Networks RM2-Ti (Version: XW v5.6.9/v6.0)
Ubiquiti Networks RM5-Ti (Version: XW v5.6.9/v6.0)

SEC Consult recommends that owners of these devices remove them from their network configurations, as they could be endangering everyone else.

A video presentation of the discovered flaws is available in the YouTube video below. The full SEC Consult advisory is also available here.