nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Ubiquiti firmware patch stomps nasty redirect bug from login screen

If you skipped the fix, fair enough - it landed before the vulnerability report

By Richard Chirgwin, 25 Jul 2017

Popular wireless networking hardware vendor Ubiquiti patched a couple of serious vulnerabilities back in March and April – without telling the people who reported the bugs.

If sysadmins weren't paying attention, they might not have noticed the importance of the patches.

The bug patched in firmware version 6.0.3 was an open redirect at the administrative login, found independently by SEC Consult and a bounty-hunter. Both filed the bug with HackerOne.

An exploit would be fairly straightforward, since all the attacker needed to do was append their own site as the login page's target:

http://<IP-of-Device>/login.cgi?uri=https://www.sec-consult.com

Affected products include AirRouter, the TS-8-PRO switch, and various transceivers in the LBE, NBE, PBE, and RM2-Ti access points.

The other bug affected the company's EdgeRouter products. An initialisation error in /files/index created a reflected cross-site-scripting vulnerability that would let an attacker hijack a user's session.

The SEC Consult advisory says the attacker could then take over the device's command line interface, to open router ports or launch a reverse shell. New firmware for the EdgeRouter is here. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing