Open Redirect Issue In Multiple Ubiquiti Networks Products

Title

SEC Consult Vulnerability Lab Security Advisory < 20170724-1 > Open Redirect in Login Page

Product

Multiple Ubiquiti Networks products, e.g. TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16, AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M, AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti, BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5, locoM9, M2, M3, M365,

Vulnerable Version

AirOS 6.0.1 (XM), 1.3.4 (SW)

Fixed Version

AirOS 6.0.3 (XM), 1.3.5 (SW)

CVE Number

-

Impact

low

Found

22.03.2017

By

T. Weber (Office Vienna) / SEC Consult Vulnerability Lab

An attacker can abuse an open redirect during the login procedure in many Ubiquiti Networks products. It is possible to lure a user to another (malicious) web-site.

Vendor Description

“Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets.”

Source: http://ir.ubnt.com/

 

Business Recommendation

SEC Consult recommends not to use the devices in production until a thorough security review has been performed by security professionals and all identified issues have been resolved.

 

Vulnerability Overview/ Description

1) Open Redirect in Login Page – HackerOne #158287

A open redirect vulnerability can be triggered by luring an attacked user to authenticate to a Ubiquiti AirOS device by clicking on a crafted link. This vulnerability was found earlier by another bug bounty participant on HackerOne. It was numbered with #158287.

 

Proof Of Concept

http:// <IP-of-Device>/login.cgi?uri=https://www.sec-consult.com

After a successful login, the user will be redirected to

www.sec-consult.com.

 

Vulnerable / Tested Versions

Ubiquiti Networks AirRouter (v6.0.1)
Ubiquiti Networks TS-8-PRO (v1.3.4)

Based on information embedded in the firmware of other Ubiquiti products gathered from our IoT Inspector tool we believe the following devices are
affected as well:

Ubiquiti Networks LBE-M5-23 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M2-13 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-16 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-19 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M2-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-620 (Version: XW v6.0.1)
Ubiquiti Networks RM2-Ti (Version: XW v6.0.1)
Ubiquiti Networks RM5-Ti (Version: XW v6.0.1)