Ubiquiti M5 Rocket

UPDATE: Ubiquiti Networks has started rolling out firmware updates for some of the affected devices. Full statement at the end of the article. Original article below.

Some Ubiquiti network device models can be hacked thanks to an unpatched vulnerability, allowing attackers to gain control over the device, or use it as a pivot point in the victim's network to hack other nearby equipment.

Discovered by security researchers from SEC Consult, the flaw is currently unpatched after communications between SEC Consult and Ubiquiti broke down in early January.

The researchers said they discovered the flaw last fall and informed Ubiquiti engineers in November, but they hadn't heard back since January when they inquired about the bug's patch status.

Flaw is hard to exploit, but not impossible

According to SEC Consult experts, the firmware of various Ubiquiti Networks devices contains a command injection vulnerability that allows attackers to alter the device's internal code.

There is good and bad news. The good news is that the flaw can be exploited only by a logged-in user. The bad news is that there's a secondary flaw in the firmware which allows for CSRF attacks. CSRF vulnerabilities allow attackers to fake user actions.

According to SEC Consult researchers, attackers only have to trick a Ubiquiti device owner into accessing a malicious website. Malicious code on this website accesses the Ubiquiti device admin panel on the owner's behalf and performs the attack behind the user's back.
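
Why a login requirement alone does not stop this, shown as an added example that is not taken from the SEC Consult advisory or from Ubiquiti firmware: a server-side check for an admin interface that accepts a state-changing request only if it comes from the device's own origin and carries a per-session token. The cookie name, form field, address and secret are constructed assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

def csrf_token(secret: bytes, session_id: str) -> str:
    """Token bound to the session; a foreign page cannot read or compute it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def same_origin(headers: dict, device_origin: str) -> bool:
    """Compare Origin (or, failing that, Referer) with the device's own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # state-changing request with no provenance: reject
    u = urlsplit(source)
    return f"{u.scheme}://{u.netloc}".lower() == device_origin.lower()

def allow_request(method, headers, cookies, form, *, secret, sessions, device_origin):
    """Return (allowed, reason) for a request to the admin interface."""
    sid = cookies.get("session")
    if sid not in sessions:
        return False, "not logged in"
    if method in SAFE_METHODS:
        return True, "safe method"
    if not same_origin(headers, device_origin):
        return False, "cross-origin request"
    sent = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(sent, csrf_token(secret, sid).encode()):
        return False, "missing or wrong CSRF token"
    return True, "ok"

# Constructed sample data (hypothetical device address, session and secret).
SECRET = b"constructed-demo-secret"
SESSIONS = {"sess-1234"}
DEVICE = "https://192.168.1.20"
# Assumption: no SameSite restriction, so the browser sends this cookie
# with cross-site requests too. Both requests below are "logged in".
COOKIES = {"session": "sess-1234"}

def demo():
    kw = dict(secret=SECRET, sessions=SESSIONS, device_origin=DEVICE)
    legit = allow_request("POST", {"Origin": DEVICE}, COOKIES,
                          {"csrf_token": csrf_token(SECRET, "sess-1234")}, **kw)
    forged = allow_request("POST", {"Origin": "https://malicious.example"},
                           COOKIES, {"setting": "x"}, **kw)
    return legit, forged
```

Both sample requests carry a valid session cookie, so a check that stops at "is the user logged in?" would accept the forged one as well.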

Ubiquiti devices use 20-year-old PHP version

The vulnerability is possible because of bad firmware coding, but also because Ubiquiti used an ancient PHP version to power the device's built-in server. The PHP version is 2.0.1, released way back in 1997, 20 years ago, and lacking many security protections included in modern PHP versions.

SEC Consult experts say they've tested their attack on four Ubiquiti devices, but 38 other models are also affected, at least at the theoretical level.

Tested:
TS-8-PRO                     - v1.3.3 (SW)
(Rocket) M5                  - v5.6.9/v6.0 (XM)
(PicoStationM2HP) PICOM2HP   - v5.6.9/v6.0 (XM)
(NanoStationM5) NSM5         - v5.6.9/v6.0 (XM)

Possibly affected:
Ubiquiti Networks AF24 (Version: AF24 v3.2)
Ubiquiti Networks AF24HD (Version: AF24 v3.2)
Ubiquiti Networks AF-2X (Version: AF2X v3.2)
Ubiquiti Networks AF-3X (Version: AF3X v3.2)
Ubiquiti Networks AF5 (Version: AF5 v3.2)
Ubiquiti Networks AF5U (Version: AF5 v3.2)
Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)
Ubiquiti Networks AG-PRO-INS (Version: AirGWP v1.1.7)
Ubiquiti Networks airGateway (Version: AirGW v1.1.7)
Ubiquiti Networks airGateway-LR (Version: AirGW v1.1.7)
Ubiquiti Networks AMG-PRO (Version: AirGWP v1.1.7)
Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)
Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)
Ubiquiti Networks LBE-M5-23 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)
Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)
Ubiquiti Networks NBE-M2-13 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-16 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-19 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-5AC-300 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-300-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-620 (Version: XC v7.2.4)
Ubiquiti Networks PBE-M2-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-620 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks R5AC-Lite (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PRISM (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTMP (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTP (Version: XC v7.2.4)
Ubiquiti Networks RM2-Ti (Version: XW v5.6.9/v6.0)
Ubiquiti Networks RM5-Ti (Version: XW v5.6.9/v6.0)

SEC Consult recommends that owners of these devices remove them from their network configurations, as they could be endangering everyone else.

A video presentation of the discovered flaws is available in the YouTube video below. The full SEC Consult advisory is also available here.

UPDATE [March 17, 2017]: Ubiquiti Networks has provided the following statement regarding today's disclosure, clarifying that some products received firmware updates as early as February.

We take network security very seriously and are in the process of fixing this vulnerability for all products affected. We have already released updates that resolve the issue for 37 out of the 44 products mentioned by SEC Consult (the first update for airMAX 11ac products was released on February 3, 2017) and we are very close to releasing another update for the remaining 7 products mentioned in the report. Once this update is released, we will inform our customers through a newsletter to remind them to update their firmware. We are also improving our vetting process for security issue reports to speed up our response time.