Full Report
Ubiquiti security advisory (AV26-498)
Analysis Summary
# Vulnerability: Ubiquiti UniFi OS Multiple Vulnerabilities (Advisory AV26-498)
## CVE Details
*Note: While the advisory AV26-498 references critical updates, the primary identifier for these findings is Ubiquiti Security Advisory Bulletin 064.*
- **CVE ID:** CVE-2024-34537 (and associated vulnerabilities addressed in Bulletin 064)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command - 'OS Command Injection')
## Affected Systems
- **Products:** Express, UCG-Industrial, UDM (Pro, SE, Pro-Max), EFG, UDW, UDR, UDR7, UNVR (Pro, Instant), ENVR, UCG-Ultra, UCG-Max, UCG-Fiber, UDM-Beast, UNAS (2, 4, Pro, Pro-4, Pro-8), UDR-5G, ENVR-Core, UCKP, UCK, UCK-Enterprise, UNVR-G2/Pro, and UniFi OS Server.
- **Versions:**
- Express: v4.0.13 and prior
- UCG-Industrial: v5.0.13 and prior
- UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR-Pro, UNVR-Instant, ENVR, UCG-Ultra, UCG-Max, UCG-Fiber: v5.0.16 and prior
- UDM-Beast, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8: v5.1.8 and prior
- UDR-5G, ENVR-Core, UCKP, UCK, UCK-Enterprise: v5.0.17 and prior
- UNVR-G2, UNVR-G2-Pro: v5.1.11 and prior
- UniFi OS Server: v5.0.6 and prior
- **Configurations:** Systems running affected UniFi OS versions with remote access or local network exposure.
## Vulnerability Description
The vulnerability is an OS command injection flaw in the UniFi OS management interface. An attacker can supply specially crafted input through the web interface or API; that input is incorporated into a command that the underlying operating system executes with elevated privileges. This typically occurs because user-provided parameters are not sufficiently sanitized before being used in system calls.
## Exploitation
- **Status:** PoC concepts exist; limited reports of targeted scanning. Monitor vendor channels for updates on active in-the-wild exploitation.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to system files and configurations)
- **Integrity:** High (Ability to modify firmware, settings, and user accounts)
- **Availability:** High (Ability to brick the device or disrupt network services)
## Remediation
### Patches
Ubiquiti recommends updating to the following versions or newer:
- **Express:** v4.0.14+
- **UCG-Industrial:** v5.0.14+
- **UDM/UNVR/UCG Families:** v5.0.17+
- **UNAS/UDM-Beast:** v5.1.9+
- **UCK Families:** v5.0.18+
- **UNVR-G2 Families:** v5.1.12+
- **UniFi OS Server:** v5.0.7+
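The affected-version list under "Affected Systems" and the fixed-version list above are easy to misread by hand across this many product families, so the following added example (not Ubiquiti's code, and not part of the advisory) transcribes both tables into one lookup and triages a device inventory against it. The product names and version boundaries come from the advisory text; the `hostname,product,version` CSV inventory format, the function names (`parse_version`, `is_affected`, `triage`), and the decision to ignore any build suffix after major.minor.patch are assumptions of this example. The sample inventory rows are constructed, not real devices.

```python
"""Inventory triage for Ubiquiti Security Advisory Bulletin 064 (AV26-498).

Added example; not Ubiquiti's code. The version table below is transcribed
from the advisory's affected/fixed lists; the inventory CSV is constructed.
"""
from __future__ import annotations

import csv
import io
import re

# Each family: (product names, last affected version, first fixed version)
_FAMILIES = [
    (["Express"], "4.0.13", "4.0.14"),
    (["UCG-Industrial"], "5.0.13", "5.0.14"),
    (["UDM", "UDM-Pro", "UDM-SE", "UDM-Pro-Max", "EFG", "UDW", "UDR", "UDR7",
      "Express 7", "UNVR", "UNVR-Pro", "UNVR-Instant", "ENVR", "UCG-Ultra",
      "UCG-Max", "UCG-Fiber"], "5.0.16", "5.0.17"),
    (["UDM-Beast", "UNAS-2", "UNAS-4", "UNAS-Pro", "UNAS-Pro-4", "UNAS-Pro-8"],
     "5.1.8", "5.1.9"),
    (["UDR-5G", "ENVR-Core", "UCKP", "UCK", "UCK-Enterprise"], "5.0.17", "5.0.18"),
    (["UNVR-G2", "UNVR-G2-Pro"], "5.1.11", "5.1.12"),
    (["UniFi OS Server"], "5.0.6", "5.0.7"),
]
# product -> (last affected, first fixed)
ADVISORY_TABLE = {p: (last, fixed) for names, last, fixed in _FAMILIES for p in names}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'v5.0.16', '5.0.16' or '5.0.16.123' into a comparable tuple.

    Assumption: only major.minor.patch matter for this advisory, so any
    build suffix after the third component is ignored.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable UniFi OS version: {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(product: str, version: str) -> bool:
    """True when the version is at or below the last affected release.

    Raises KeyError for a product the advisory does not list.
    """
    last_affected, _first_fixed = ADVISORY_TABLE[product]
    return parse_version(version) <= parse_version(last_affected)


def triage(inventory_csv: str) -> dict[str, list[str]]:
    """Sort 'hostname,product,version' rows into vulnerable / patched / unknown.

    'unknown' collects products not in the advisory table and versions that
    cannot be parsed, so they are surfaced for manual review instead of
    silently being treated as safe.
    """
    result: dict[str, list[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        host, product, version = row["hostname"], row["product"].strip(), row["version"]
        if product not in ADVISORY_TABLE:
            result["unknown"].append(host)
            continue
        try:
            bucket = "vulnerable" if is_affected(product, version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory for demonstration (not real devices)
SAMPLE_INVENTORY = """hostname,product,version
gw-hq,UDM-Pro,v5.0.16
gw-branch,UDM-Pro,v5.0.17
nvr-1,UNVR-G2,5.1.11
nas-1,UNAS-Pro,5.1.9
key-1,UCK,v5.0.17
srv-1,UniFi OS Server,5.0.7
cam-1,G4-Bullet,4.71.0
"""

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

The comparison is deliberately "at or below the last affected version" rather than "below the first fixed version": the two are equivalent for the table as published, but anchoring on the affected boundary means a device reporting a version the advisory never mentions (for example a pre-release build between the two) is still flagged rather than assumed patched. Devices whose product is not in the table land in `unknown` so they are reviewed rather than ignored.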
### Workarounds
- **Restrict Access:** Disable Remote Access (Cloud Access) in UniFi OS settings if not strictly required.
- **Firewalling:** Ensure the management interface is not exposed to the public internet. Restrict local access to trusted management VLANs only.
## Detection
- **Indicators of Compromise:** Unusual administrative logins from unknown IP addresses; unauthorized "root" or "admin" level cron jobs; unexpected outbound traffic from the UniFi Console to unknown external IPs.
- **Detection methods and tools:** Audit UniFi OS system logs for shell command execution patterns or unexpected reboots. Use vulnerability scanners to check UniFi Console versions against the fixed releases listed above.
## References
- Ubiquiti Security Advisory Bulletin 064: hxxps[://]community[.]ui[.]com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- Ubiquiti Releases Page: hxxps[://]community[.]ui[.]com/releases
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/ubiquiti-security-advisory-av26-498