A critical command-injection vulnerability has been found in the administration interface of over 40 products manufactured by the American technology firm Ubiquiti Networks.
Researchers at SEC Consult made the information public after reporting the flaw to the vendor through the HackerOne bounty program. Ubiquiti initially marked the report as a duplicate and gave assurances that a patch would ship in a future release.
In an official statement, a Ubiquiti Networks representative told the press that network security was a top priority and that the firm was in the process of fixing the vulnerability for all products affected.
Of the 44 affected products, Ubiquiti has patched 37 as of 3rd February 2017, with an update for airMAX 11ac and patches for the remaining products said to be imminent.
Customers would be told via newsletter to update their firmware once the update is released. Alongside the update, an improved vetting process for security issue reports would help shorten response times.
An earlier statement by a Ubiquiti employee about the vulnerability mentioned a communication breakdown between the company’s internal ticket on the issue and the initial submission to HackerOne.
The vulnerability has been traced to the use of a 20-year-old PHP script in the interface. It resides in the pingtest_action.cgi script, which uses PHP/FI 2.0.1, built in 1997.
According to SEC Consult, the whole attack can be carried out with a single GET request and is relatively simple because there is no CSRF protection.
The vulnerability exposes the Ubiquiti admin interface to a large number of plausible attacks. If the Ubiquiti device acts as a router or firewall, an attacker who exploits the vulnerability would be able to take over the entire network.
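For administrators who want to review web logs for the single-GET, no-CSRF pattern described above, the following triage script is an added example, not code from SEC Consult or Ubiquiti. It assumes logs in Combined Log Format; the parameter names, hosts and log lines are constructed for illustration, and only the script name pingtest_action.cgi comes from the report.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size "referer" ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')
# A ping target needs only hostname/IP characters; anything else is suspect.
SAFE_VALUE = re.compile(r'[A-Za-z0-9.:_-]*')
SCRIPT = "pingtest_action.cgi"

def triage(lines, admin_host):
    """Return (client_ip, reasons) for each suspicious GET to the ping script."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, method, target, _status, referer = m.groups()
        url = urlsplit(target)
        if method != "GET" or not url.path.endswith("/" + SCRIPT):
            continue
        reasons = []
        # parse_qsl percent-decodes, so encoded characters are checked as well.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if not SAFE_VALUE.fullmatch(value):
                reasons.append(f"unexpected characters in parameter {name!r}")
        ref_host = urlsplit(referer).hostname
        if referer not in ("", "-") and ref_host != admin_host:
            reasons.append(f"cross-site referer {ref_host!r}")  # possible CSRF
        if reasons:
            findings.append((ip, reasons))
    return findings

# Constructed sample log lines (hypothetical hosts and parameter names).
SAMPLE = [
    '192.0.2.10 - - [03/Feb/2017:10:00:00 +0000] "GET /pingtest_action.cgi?dst=192.0.2.1&count=4 HTTP/1.1" 200 512 "https://192.0.2.254/tools.html" "Mozilla/5.0"',
    '192.0.2.10 - - [03/Feb/2017:10:05:00 +0000] "GET /pingtest_action.cgi?dst=192.0.2.1%3Bx HTTP/1.1" 200 512 "http://forum.example/thread" "Mozilla/5.0"',
    '192.0.2.11 - - [03/Feb/2017:10:06:00 +0000] "GET /status.cgi HTTP/1.1" 200 90 "-" "curl/7.50"',
]

if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE, admin_host="192.0.2.254"):
        print(ip, "; ".join(reasons))
```

A hit is a lead for investigation rather than proof of compromise; the fix remains the vendor's firmware update.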