AirOS Vulnerability Issue Update, 3/18/17
Hi All – Wanted to give an update here:
1. UniFi, EdgeMAX and AmpliFi are not affected. This issue is limited to AirOS and associated products (toughswitch,airgateway,etc)
2. The issue has been addressed as follows:
AirOS v8.0.1 — already available since Feb 3, 2017 (release notes here)
AirOS v6.0.1 — released today (release notes here)
AirGateway v1.1.8 - Service release —released today (release notes here)
TOUGHSwitch v.1.3.4 - Service — released today (release notes here)
airFiber v3.2.2 and v3.4.1 - released today (release notes here)
3. While we acknowledge all vulnerabilities are serious, we believe this issue rates fairly low in terms of threat severity compared to past patched vulnerabilities
4. Ubiquiti has a dedicated Security Director 100% focused strictly on Ubiquiti software vulnerabilities @UBNT-rubens along with a very strong supporting group of engineers.
In addition, we participate in 3rd party vulnerability assessment programs such as Hackerone.com where we have given out significant rewards to date.
Finally, we have significant investments in a retained 3rd party external security audit company who reviews our software solutions on a frequent basis.
5. The php2 code concern we are already addressing and it will be easily eliminated from applicable code bases within the next few weeks
This is an unfortunate single instance that is definitely not representative of how we approach security in our software development culture.