Ubiquiti Employee
Posts: 421
Registered: ‎09-29-2007
Kudos: 1162
Solutions: 13

Re: Unpatched hole in AirOS


Hi All -- Here is a more expanded update:

 

1. UniFi is not affected. This issue is limited to AirOS and associated products (TOUGHSwitch, AirGateway, etc.)

 

2. The issue has been addressed as follows:

AirOS v8.0.1 - already available since Feb 2, 2017

AirOS v6.0.1 - released today

AirGateway v1.1.8 (service release) - released today

TOUGHSwitch v1.3.4 (service release) - released today

 

3. While we acknowledge all vulnerabilities are serious, we believe this issue rates fairly low in terms of threat severity compared to past patched vulnerabilities.

 

4. Ubiquiti has a dedicated Security Director 100% focused strictly on Ubiquiti software vulnerabilities, @UBNT-rubens, along with a very strong supporting group of engineers. In addition, we participate in 3rd party vulnerability assessment programs such as Hackerone.com, where we have given out significant rewards to date.

 

5. The php2 code concern we are already addressing, and it will be easily eliminated from applicable code bases within the next few weeks.

 

This is an unfortunate single instance that is definitely not representative of how we approach security in our software development culture.

 

 

 

New Member
Posts: 36
Registered: ‎06-22-2016
Kudos: 6

Re: Unpatched hole in AirOS

Great,

 

Can you confirm whether mFi is or is not affected?

 

Thanks

SuperUser
Posts: 9,550
Registered: ‎01-10-2012
Kudos: 6139
Solutions: 387

Re: Unpatched hole in AirOS


@waterside wrote:

 

In the end simply because someone posts something that claims "the sky is turning orange and is falling" doesn't make it so.  This is why risk assessment standards have been created and adopted.  When such standards are not used in discussing a security issue some additional thought should be given (read some additional doubt) to the source of the claims as well as to the actual claims themselves.


 This is so relevant it bears repeating.


All actions have a cost.  

 

As far as "always" patching old code, there are plenty of examples of where new patches introduced worse problems.

 

Being able to accurately assess risk is really key here.

When you receive a solution to your question/issue, don't forget to mark your thread as solved and to give kudos to the people who have helped you out!

Having wifi problems? Take a look here first: https://help.ubnt.com/hc/en-us/articles/221029967-UniFi-Debugging-Intermittent-Connectivity-Issues-on-your-UAP
Emerging Member
Posts: 83
Registered: ‎06-25-2010
Kudos: 6
Solutions: 1

Re: Unpatched hole in AirOS

And what about V8.1.2-BETA2?
Ubiquiti Employee
Posts: 12,072
Registered: ‎11-27-2012
Kudos: 3851
Solutions: 792
Contributions: 73

Re: Unpatched hole in AirOS


@noe wrote:
and what V8.1.2-BETA2 ?

8.1.x is not affected @noe.

Ubiquiti Networks airMAX Support Team

Check out our ever-evolving Help Center for answers to many common questions!

FREE UBWA Student Guide-Great RF Primer!

New Member
Posts: 12
Registered: ‎11-27-2013
Kudos: 1
Solutions: 2

Re: Unpatched hole in AirOS

Robert, since upgrading my UBNT links does involve downtime (and they're all running XM.v5.6.5), can you address if this exploit is even relevant to WDS Transparent Bridge links just acting as pipes between other (non-Ubiquiti) routers?
Member
Posts: 135
Registered: ‎06-08-2015
Kudos: 30
Solutions: 3

Re: Unpatched hole in AirOS

To those people absolutely losing their minds, setting their hair on fire....... you do realize that the ~largest~ companies in IT / Networking have security issues that crop up all the time, don't you?

Sure it's valid to be concerned, but if you can't fully understand the entire scope of the vulnerability, perhaps you should ask some questions and digest it all before spewing all over everyone in sight.

Yeah, it's a PR slap to the pee-pee; I read about it on Twitter and LinkedIn. Not a great way to start the day. But hey - hardly the end of the world.

Today's dilemma: How long after walking into someone's house is it acceptable to ask for their WiFi password?
Ubiquiti Employee
Posts: 12,072
Registered: ‎11-27-2012
Kudos: 3851
Solutions: 792
Contributions: 73

Re: Unpatched hole in AirOS


@dshea wrote:
Robert, since upgrading my UBNT links does involve downtime (and they're all running XM.v5.6.5), can you address if this exploit is even relevant to WDS Transparent Bridge links just acting as pipes between other (non-Ubiquiti) routers?

It could be possible if you were already logged into a radio and an attacker was successful in getting you to click on a specially crafted link (similar to a phishing link).

 

We are also planning a 5.6.x service release.


New Member
Posts: 2
Registered: ‎01-31-2017
Kudos: 3

Re: Unpatched hole in AirOS


@joshchaney wrote:

All the attacker needs is for you to visit a webpage and you are owned. You may think "Oh, well I will just not fall for a phishing attempt".. what happens when the attacker puts CSRF code on an ad network somewhere. Or maybe you are running an email client that will load remote images automatically. There's lots of ways to abuse this that do not require the "moon to be aligned".

It's also pretty easy to align the moon, if your target is a WISP, a user of a WISP, or a company with AirMax equipment deployed. How many tech support employees have a workflow that looks like:

 

1. They are assigned a support request ticket, which may include HTML, images or links to arbitrary pages.

2. They fire up a browser session to look at the management interface of the equipment that's supposedly causing trouble.

 

Whoops! 

 

Variants of this include posts in online forums about problems with the management interface, or ads targeted to the victim company in question - perhaps a Facebook ad only shown to people with an email address at the target company, or even specific users. 

 

Phishing is a lot easier when it's someone's *job* to open emails and investigate things. If the CEO doesn't open every email they get, good job. If the tech support people don't open every ticket/email *they* get, they're likely to get fired.  
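The support-ticket workflow above, and the "logged in and clicked a crafted link" condition @UBNT-James gave earlier in the thread, come down to one browser behaviour: the radio's session cookie is attached to any request a third-party page triggers, whether that page is a ticket, a forum post or an ad. The Python below is an added illustration written for this thread; it is not Ubiquiti code and not the advisory's proof of concept. The routes (/status, /apply), the cookie name AIROS_SESSIONID, the management origin 192.0.2.1 and the attacker origin are all made up. It models the management UI as two request handlers: the unprotected shape, where a cookie alone authorises a change, and a hardened one that demands POST, a same-origin Origin/Referer header and a session-bound synchronizer token.

```python
"""CSRF against a device web UI, and the synchronizer-token fix, as
plain functions so both can be exercised offline.

Added example for this thread, not AirOS code.  Paths, cookie name,
management origin and attacker origin are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple
from urllib.parse import urlparse

MGMT_ORIGIN = "https://192.0.2.1"      # constructed: the radio's web UI
SESSION_COOKIE = "AIROS_SESSIONID"      # constructed cookie name


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]
    cookies: Dict[str, str]             # what the browser attaches automatically
    form: Dict[str, str] = field(default_factory=dict)


class Session:
    """One logged-in admin.  The CSRF token is an HMAC over the session id
    under a per-session secret: unguessable, and bound to this login."""

    def __init__(self) -> None:
        self.id = secrets.token_hex(16)
        self._csrf_secret = secrets.token_bytes(32)

    def csrf_token(self) -> str:
        return hmac.new(self._csrf_secret, self.id.encode(), hashlib.sha256).hexdigest()


SESSIONS: Dict[str, Session] = {}


def login() -> Session:
    """Create a session, as the UI would after a successful login."""
    s = Session()
    SESSIONS[s.id] = s
    return s


def _same_origin(req: Request) -> bool:
    """Origin (or Referer) must name the management UI.  Absent headers fail
    closed so a cross-site <img> or hidden form cannot slip through."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    p, m = urlparse(src), urlparse(MGMT_ORIGIN)
    return (p.scheme, p.netloc) == (m.scheme, m.netloc)


def handle_request_unprotected(req: Request) -> Tuple[int, str]:
    """Vulnerable shape: any request carrying a valid session cookie is
    honoured, so a page on attacker.example can drive /apply as soon as the
    admin is logged in somewhere in the same browser."""
    if req.cookies.get(SESSION_COOKIE) not in SESSIONS:
        return 401, "not logged in"
    if req.path.startswith("/status"):
        return 200, "ok"
    return 200, "applied"


def handle_request(req: Request) -> Tuple[int, str]:
    """Hardened shape: a state change needs POST, a same-origin header and a
    token that lives in the admin's page, which a cross-site page cannot read."""
    session = SESSIONS.get(req.cookies.get(SESSION_COOKIE, ""))
    if session is None:
        return 401, "not logged in"
    if req.path.startswith("/status"):   # read-only, nothing to forge
        return 200, "ok"
    if req.method != "POST":
        return 405, "state change via GET refused"
    if not _same_origin(req):
        return 403, "origin mismatch"
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, session.csrf_token()):
        return 403, "bad csrf token"
    return 200, "applied"


def demo() -> Dict[str, Tuple[int, str]]:
    """Replay the ticket scenario: admin logs in, then opens a ticket whose
    HTML carries an <img> (GET) and a hidden auto-submitting form (POST)."""
    admin = login()
    jar = {SESSION_COOKIE: admin.id}
    legit = Request("POST", "/apply", {"Origin": MGMT_ORIGIN}, jar,
                    {"csrf_token": admin.csrf_token(), "cmd": "apply"})
    img_tag = Request("GET", "/apply?cmd=reboot",
                      {"Referer": "https://attacker.example/ticket.html"}, jar)
    hidden_form = Request("POST", "/apply", {"Origin": "https://attacker.example"},
                          jar, {"cmd": "reboot"})
    return {
        "legit": handle_request(legit),
        "img_tag_unprotected": handle_request_unprotected(img_tag),
        "img_tag": handle_request(img_tag),
        "hidden_form_unprotected": handle_request_unprotected(hidden_form),
        "hidden_form": handle_request(hidden_form),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} -> {result}")
```

Run it and both forged requests succeed against the unprotected handler and are refused by the hardened one, while the admin's own form still applies. The token is the primary control; the Origin check is a second layer that costs nothing when a browser sends the header, and failing closed when it is absent is a deliberate choice a product team would weigh against older clients that omit it.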

 

 

 

Member
Posts: 283
Registered: ‎03-10-2011
Kudos: 42
Solutions: 1

Re: Unpatched hole in AirOS

@UBNT-Robert

 

That's nice - but I've asked for years [yes YEARS] for you guys to get real on security.

Why the hell can't you setup a list-serv and have an announce list where you announce security updates? You know, like every other company who takes security seriously.

<snark> Doing better than DLink shouldn't be the target. </snark>

 

If you did that, then I don't have to have some POS RSS feed that might or might not work to alert me to new releases that contain security patches etc.

 

The fact that UBNT doesn't even have that indicates that security isn't much of a priority for UBNT, IMO.

Member
Posts: 141
Registered: ‎09-02-2011
Kudos: 27

Re: Unpatched hole in AirOS

Any chance this patch fixes the constant unexpected reboots still present in 6.0? I'd rather see that than fixing some phishing bug.

Maybe a firmware that isn't causing high unit failure rates too, that would be nice, but I suspect one of the interim exploit patches in 5.x did the damage.

Ubiquiti Employee
Posts: 12,072
Registered: ‎11-27-2012
Kudos: 3851
Solutions: 792
Contributions: 73

Re: Unpatched hole in AirOS


@gsloop wrote:

@UBNT-Robert

 

That's nice - but I've asked for years [yes YEARS] for you guys to get real on security.

Why the hell can't you setup a list-serv and have an announce list where you announce security updates? You know, like every other company who takes security seriously.

<snark> Doing better than DLink shouldn't be the target. </snark>

 

If you did that, then I don't have to have some POS RSS feed that might or might not work to alert me to new releases that contain security patches etc.

 

The fact that UBNT doesn't even have that indicates that security isn't much of a priority for UBNT, IMO.


We will look into better ways to notify users in the future.  Noted.

 

 


Ubiquiti Employee
Posts: 12,072
Registered: ‎11-27-2012
Kudos: 3851
Solutions: 792
Contributions: 73

Re: Unpatched hole in AirOS


@thatoneguysteve wrote:

Any chance this patch fixes the constant unexpected reboots still present in 6.0? I'd rather see that than fixing some phishing bug.

Maybe a firmware that isn't causing high unit failure rates too, that would be nice, but I suspect one of the interim exploit patches in 5.x did the damage.


 

Yes, this should address reboots seen on 6.0.  Please let me know if you have any issues (james@ubnt.com) 

 

- Fix: Stability fixes (random AP/Station reboots)

 


Previous Employee
Posts: 7,521
Registered: ‎03-17-2015
Kudos: 4838
Solutions: 197

Re: Unpatched hole in AirOS


@wtm wrote:

@UBNT-Brandon

 

Can we get a patched version for version 5 and 7 ?

 

Many of us do not want to use the 6 and 8 versions at this point, and the 5.6.9 and 7.2.4 have been working good for us!


Yes, patches of these will be next week. 

Want to try out new features or fixes before they're released as Stable? Sign up for Beta here: https://help.ubnt.com/hc/en-us/articles/204908664-How-To-Signup-for-Beta-Access
New Member
Posts: 8
Registered: ‎06-17-2012
Kudos: 2

Re: Unpatched hole in AirOS

Interesting how this information is reported (fomented) on the morning of Stock Options Expiration.
Established Member
Posts: 1,842
Registered: ‎10-05-2014
Kudos: 317
Solutions: 48

Re: Unpatched hole in AirOS


@HylerC wrote:

I need a little help understanding the scope of this.  


Little is a little too little; you will need more ...

 


@HylerC wrote:

So let's say that I have two NanoBeam ACs connecting two buildings, but do not have a UBNT gateway or router, would this vulnerability still be exploitable in this situation?


.... the bridge can (not always) be vulnerable.


@HylerC wrote:
I assume that it if would still be but the access would be limited to only the two Nanobeams and not the entire network?

 


.... hmmm, let's presume for a moment that somehow/someone can take control of a device behind your line of defence (whatever it is). What will happen?

 


@HylerC wrote:

I guess the real question here is, does this vulnerability effect customers who are not using a UBNT gateway/router?


Yes, no or maybe ... from here all depends on the "customer's" line of defence. Behind a router and/or firewall is not bullet proof.


@HylerC wrote:

Sorry if this is a stupid question, I live in the SysAdmin side of things so it take a little longer to understand the InfoSec issues.


Not "stupid", just a justified question. From here we have to work hard not to give up ... on whatever ..... too long to explain.

 

Regards,

Do not expect me to reply to this post, I'm not sure that I will be able to find it, thanks to ....

Established Member
Posts: 1,842
Registered: ‎10-05-2014
Kudos: 317
Solutions: 48

Re: Unpatched hole in AirOS


@UBNT-James wrote:

@noe wrote:
and what V8.1.2-BETA2 ?

8.1.x is not affected @noe.


@UBNT-James will you bet your job on your statement?

 

Just asking , some user here will be happy if you can provide a positive answer.

 

Regards,

 

 

Paging: @UBNT-Robert


Established Member
Posts: 1,103
Registered: ‎08-29-2016
Kudos: 503
Solutions: 50

Re: Unpatched hole in AirOS


@UBNT-James wrote:

@gsloop wrote:

@UBNT-Robert

 

That's nice - but I've asked for years [yes YEARS] for you guys to get real on security.

Why the hell can't you setup a list-serv and have an announce list where you announce security updates? You know, like every other company who takes security seriously.

<snark> Doing better than DLink shouldn't be the target. </snark>

 

If you did that, then I don't have to have some POS RSS feed that might or might not work to alert me to new releases that contain security patches etc.

 

The fact that UBNT doesn't even have that indicates that security isn't much of a priority for UBNT, IMO.


We will look into better ways to notify users in the future.  Noted.

 

 


That better way certainly is NOT this. So, you tell us that UniFi is not affected, and a day later you release a new Cloud Key firmware with a muddy "description" stating:


 

 

UCK System

  • Security Improvements.

 

Look, I actually trust you when you say it's not affected by this particular issue, but similar "changelogs" are utterly useless in the first place, and secondly are the exact reason why you are being accused of not taking security seriously.

New Member
Posts: 35
Registered: ‎05-19-2016
Kudos: 6

Re: Unpatched hole in AirOS

@UBNT-Robert:

 

Since there doesn't seem to be a dedicated forum for security-related topics affecting UBNT devices and there are multiple threads on this subject, I'm moving my replies and comments to here from this thread.

 

It appears as though I am not alone in having serious concerns regarding the handling of this set of vulnerabilities.  However, my concerns are somewhat amplified by the fact that this situation bears some striking similarities to a recent problem involving firmware for the UAC-APs being released that severely crippled those devices.

 

To summarise that particular episode (and this is very much a brief overview from memory, so I'm sacrificing detail for brevity): when the firmware was applied to the affected devices, they were at best hobbled in terms of interoperability with client devices, and at worst unable to establish any connectivity with client devices. The culprit turned out to be a breakdown in the QA process that allowed effectively-untested firmware out the door. It took weeks to get any sort of resolution on the issue, and in the meantime I (and others) had clients and customers being impacted by this.

 

Much as with that incident, where I see the similarities with this particular set of vulnerabilities lies in two areas: software that never should have been allowed out the door was permitted to ship, and Ubiquiti's response time after discovery was decidedly sub-par.

 

Quite frankly, I don't understand how anyone on the development side could have looked at this firmware and thought that using a 20-year-old version of PHP coupled with a web server running as root was in any way a sane thing to be doing. We know better, and we've known better for literally decades. Assuming that there are internal checks and balances at Ubiquiti to catch this sort of thing prior to release, it's equally baffling as to how it was ever allowed to go out in the first place, never mind for as long as it did.

 

Regarding response time: without completely rehashing the timeline of events in the SEC advisory, 90 days from date of disclosure is pretty much the industry standard for delivering a public fix for vulnerabilities.  In this case, seven weeks of that 90-day window was spent with Ubiquiti inexcusably having zero contact with SEC, who ultimately went public with their advisory (largely, I suspect, because they felt they had no choice).  Again, this is not dissimilar to the pattern of non-responsiveness historically seen with other issues affecting Ubiquiti hardware.

 

Finally, Ubiquiti's communication to its customers regarding security issues is severely lacking.  I found out about this particular one courtesy of my usual checks of security-related RSS feeds - except that instead of it appearing in any of the Ubiquiti feeds that I'm subscribed to, it came up via the same article on The Register that everyone else picked it up from.  And if there's one thing that doesn't exactly give me the warm fuzzies, it's learning that there's a significant set of security vulnerabilities in devices that my clients have purchased on my recommendation, but hearing about those vulnerabilities from a third-party.

 

Arguably even more not fun is spending the next 24 hours talking to the clients who have those devices deployed and informing them of the vulnerability while also having to be completely honest with them that there is no fix available and the vendor hasn't responded with a fix despite having been aware of the issue for three months.  That makes me look bad for recommending and deploying Ubiquiti products on their behalf, and it makes Ubiquiti look bad for allowing this situation to arise in the first place.

 

On the plus side (for Ubiquiti, anyway), they don't have to take the brunt of my clients' ire; I get to do that on their behalf.  So at least that's not a distraction for them.

 

Ubiquiti badly needs to not just state that it takes security seriously, but also back those statements up with actions that bolster those statements. Non-responsiveness until being publicly embarrassed by security researchers is not a good way for anyone involved to have to handle these sorts of things.

 

In that vein, I would like to make a suggestion. @UBNT-Robert, you mentioned that improving communication with customers and researchers was something that you were looking into.  A dedicated security blog (with RSS feed, so that I can add another to the 120 or so that I check on a daily basis) would be helpful, and it appears as though Ubiquiti already has the infrastructure in place to support such a blog and feed.  And yes, as others have mentioned: release notes need to detail what the content of security fixes consist of, not just acknowledging that they were part of the release.  CVE numbers in those notes would also help.
