Patch/Configuration Management, Vulnerability Management

20-year-old flaw found in Ubiquiti networking gear running ancient PHP

Security researchers have discovered an unpatched vulnerability in some networking equipment from Ubiquiti that could allow hackers to gain control of the devices, or use them as an entry point to attack other nearby devices.

The flaw was found by SEC Consult, and worryingly, is still unpatched as talks between the security firm and Ubiquiti broke down in January.

In a security advisory, SEC Consult said that the vulnerability enables an attacker to inject arbitrary commands into the web-based administration interface of affected devices. The command injection vulnerability was found in "pingtest_action.cgi". This script is vulnerable since it is possible to inject a value of a variable, according to the security firm. It added that one reasons for this was the use of PHP 2.0.1, which is 20 years old and lacks security features found in later versions.

The vulnerability can be exploited by luring a user to click on a crafted link or just surf on a malicious website. “The whole attack can be performed via a single GET-request and is very simple since there is no CSRF protection,” said the researchers.

“An attacker can open a port binding or reverse shell to connect to the device and is also able to change the ‘passwd' since the web service runs with root privileges,” said the advisory. “Furthermore, low privileged read-only users, which can be created in the web interface, are also able to perform this attack.”

The advisory added that if the Ubiquiti device acts as router or even as firewall, the attacker can take over the whole network by exploiting this vulnerability.

The security researchers said they had tested the exploit on four Ubiquiti devices, but 38 other models could also be affected. SEC Consult advises organisations not to use these products in a production environment “until a thorough security review has been performed by security professionals and all identified issues have been resolved”.

Elliott Thompson, security consultant at SureCloud, told SC Media UK that for administrators of these devices, extreme care should be taken with active sessions.

“Using a separate browser profile to administer the devices and logging out immediately after use would be strongly recommended. For customers, whose data travels across these links, a VPN should be used to prevent traffic from being maliciously manipulated, this is best practice anyway even without this specific vulnerability,” he said.

He added that it is critically important that vendors ensure software is using current and supported software versions including PHP. “There is a litany of vulnerabilities that have been patched between PHP 2.0.1 and the current version, some of which could be more serious than the CSRF vulnerability if successfully exploited,” he added.

Edouard Viot, endpoint security product marketing manager at Stormshield, told SC that the problem is that no patch exists for this vulnerability, and Ubiquiti has so far given no release date for a patch.

“I doubt that anything will move quickly on this, since Ubiquiti have been aware of the vulnerability for several months,” he said.

“The best approach for organisations is to change the equipment quickly, because there is a strong likelihood that we will discover another vulnerability in other equipment that uses PHP 2.0.1. Our advice would be to take a measured approach, and find a way to limit who can send information to the administration module of Ubiquiti devices.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.