A critical vulnerability in many of Ubiquiti Networks’ networking devices can be exploited by attackers to take control of the device and, if that device acts as a router or firewall, of the whole network behind it.
The command injection flaw was found in the “pingtest_action.cgi” script and, according to SEC Consult’s Thomas Weber (the researcher who unearthed it in November 2016), one of the reasons behind the vulnerability is that the firmware uses a PHP version that dates back to 1997.
“The vulnerability can be exploited by luring an attacked user to click on a crafted link or just surf on a malicious website. The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection,” he explained in an advisory.
“An attacker can open a port binding or reverse shell to connect to the device and is also able to change the ‘passwd’ since the web service runs with root privileges! Furthermore, low privileged read-only users, which can be created in the web interface, are also able to perform this attack.”
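Because the attack is a single GET request to a known script, it leaves a clear trace in the device’s or an upstream proxy’s web access log. The following detector is an added example written for this article; it is not code from SEC Consult or Ubiquiti and does not reproduce the unpublished PoC. It assumes a combined-format access log, a hypothetical query parameter named `host` (the real parameter name is not given in the advisory), and a constructed set of sample log lines. It flags requests to pingtest_action.cgi whose decoded parameters contain shell metacharacters, and requests whose Referer points to a host other than the expected management clients, which is the cross-site pattern the missing CSRF protection allows.

```python
"""Detect command-injection and cross-site requests against pingtest_action.cgi.

Added example, not code from SEC Consult or Ubiquiti. The parameter name
`host`, the trusted-host set and the log lines below are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

TARGET_SCRIPT = "pingtest_action.cgi"

# Characters that let a value break out of a shell command line.
# A legitimate ping target (hostname or IP address) never contains any of them.
SHELL_METACHARS = set(";|&`$\n\r<>(){}")

# Apache/nginx "combined" log format; the constructed sample below follows it.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hosts from which legitimate management sessions originate (assumed value).
TRUSTED_REFERER_HOSTS = {"192.0.2.50"}

# Constructed sample log lines (not real traffic). Line 2 carries a
# percent-encoded ';' and an off-site Referer, line 4 carries backticks.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2017:10:01:02 +0000] "GET /pingtest_action.cgi?host=192.0.2.1 HTTP/1.1" 200 512 "https://192.0.2.50/" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2017:10:01:09 +0000] "GET /pingtest_action.cgi?host=192.0.2.1%3Bid HTTP/1.1" 200 640 "http://evil.example/lure.html" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2017:10:02:30 +0000] "GET /login.cgi HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2017:10:03:00 +0000] "GET /pingtest_action.cgi?host=%60uname%20-a%60 HTTP/1.1" 200 640 "-" "curl/7.52"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def has_shell_metachars(value):
    """True if the (already percent-decoded) value could alter a shell command."""
    return any(ch in SHELL_METACHARS for ch in value)


def referer_host(referer):
    """Host part of the Referer URL, or '' when the header was absent ('-')."""
    if referer in ("", "-"):
        return ""
    return urlsplit(referer).hostname or ""


def analyze(fields, trusted_hosts=TRUSTED_REFERER_HOSTS):
    """Return the reasons one parsed request looks hostile (empty list = benign)."""
    parts = urlsplit(fields["target"])
    if not parts.path.endswith("/" + TARGET_SCRIPT):
        return []
    reasons = []
    # parse_qsl percent-decodes, so %3B and %60 become ';' and '`' before the check.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if has_shell_metachars(value):
            reasons.append(f"shell metacharacter in parameter {name!r}: {value!r}")
    host = referer_host(fields["referer"])
    if host and host not in trusted_hosts:
        reasons.append(f"cross-site referer {host!r} (script has no CSRF protection)")
    return reasons


def scan_log(text, trusted_hosts=TRUSTED_REFERER_HOSTS):
    """Scan a whole log; return [(line_no, source_ip, reasons), ...] for suspicious lines."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        fields = parse_line(line)
        if not fields:
            continue
        reasons = analyze(fields, trusted_hosts)
        if reasons:
            findings.append((n, fields["src"], reasons))
    return findings


if __name__ == "__main__":
    for line_no, src, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {src}:")
        for r in reasons:
            print("  -", r)
```

Two design points matter in practice. First, the check runs on the decoded query string, because an attacker will percent-encode the metacharacters and a naive substring match on the raw URL misses them. Second, the Referer check is only a weak signal: a browser-driven CSRF request may carry no Referer at all, and a direct request from a tool such as curl will not either, so the metacharacter check is the one that should page someone, while the Referer check is useful for confirming the lure-page scenario the advisory describes.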
Despite the fact that the researcher responsibly disclosed the flaw to Ubiquiti Networks immediately after finding it, the company has still not plugged the hole.
Ubiquiti initially believed it to be a duplicate of an issue they were already addressing, and then could not reproduce the attack with the provided PoC exploit. SEC Consult was very understanding and postponed publishing details about the flaw, but has now released a security advisory and a video demo of the attack.
Still, the researchers are withholding the two PoC exploits they devised until Ubiquiti Networks patches the vulnerable firmware.
The researchers found the vulnerability on four different devices: the TS-8-PRO switch, the Rocket M5 base station, the PICOM2HP radio, and the NSM5 device.
The tested devices ran firmware version 1.3.3 or versions 5.6.9/6.0. But, the researchers note, based on information embedded in the firmware of other Ubiquiti products, they believe some 38 other devices are affected as well (the full list is available in the advisory).
SEC Consult advises users to restrict user and network access to the vulnerable devices until a fix is provided and, in general, “not to use this product in a production environment until a thorough security review has been performed by security professionals and all identified issues have been resolved.”