An attacker can abuse an open redirect in the login procedure of many Ubiquiti Networks products to lure a user to another (malicious) website after the user has authenticated.
“Ubiquiti Networks develops high-performance networking technology for service providers and enterprises. Our technology platforms focus on delivering highly advanced and easily deployable solutions that appeal to a global customer base in underserved and underpenetrated markets.”
SEC Consult recommends not to use the devices in production until a thorough security review has been performed by security professionals and all identified issues have been resolved.
1) Open Redirect in Login Page – HackerOne #158287
An open redirect vulnerability can be triggered by luring a targeted user into authenticating to a Ubiquiti AirOS device via a crafted link. This vulnerability was found earlier by another bug bounty participant on HackerOne and was assigned the report number #158287.
Proof of concept
After a successful login, the user will be redirected to
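The post-login behaviour described above, as an added example that is not code from the advisory or from Ubiquiti's AirOS firmware: the unchecked redirect next to a hardened variant that only accepts a path on the device itself. The advisory does not publish the crafted link, so the query parameter name `uri` and the landing page `/index.cgi` are assumptions made for the example.

```python
"""Post-login redirect handling: the unchecked behaviour the advisory describes
next to a hardened version.

Added example, not code from the SEC Consult advisory or from Ubiquiti's AirOS
firmware. The advisory does not publish the parameter name, so "uri" is assumed
here as the query parameter the login form reads to decide where to send the
browser after a successful login; "/index.cgi" is an assumed landing page.
"""
from urllib.parse import parse_qs

DEFAULT_LANDING = "/index.cgi"   # assumed landing page, not taken from the advisory


def is_local_path(target: str) -> bool:
    """True only for an absolute path on the same host (e.g. "/status.cgi?x=1").

    Rejects anything a browser would resolve to another origin: absolute URLs,
    protocol-relative "//host" (including "///host"), backslash variants,
    schemes such as javascript:, and targets containing whitespace or control
    characters that could be used to smuggle a different target.
    """
    if not target or any(ord(c) < 0x21 for c in target):
        return False
    # Browsers treat "\" like "/" when parsing http(s) URLs, so fold it first
    # so that "/\evil.example" is seen for what it is: "//evil.example".
    folded = target.replace("\\", "/")
    if folded.startswith("//"):
        return False          # protocol-relative, incl. "///host"
    if not folded.startswith("/"):
        return False          # "https://...", "javascript:...", bare "evil.example"
    # A scheme can only appear at the very start of a URL, so a string that
    # begins with a single "/" always resolves against the current host.
    return True


def vulnerable_post_login_target(query_string: str) -> str:
    """Behaviour described in the advisory: the redirect target is taken from
    the request as-is, so an attacker-controlled absolute URL is honoured."""
    return parse_qs(query_string).get("uri", [DEFAULT_LANDING])[0]


def hardened_post_login_target(query_string: str) -> str:
    """Only a same-host path is accepted; anything else falls back to the
    default landing page instead of being reflected into the Location header."""
    candidate = parse_qs(query_string).get("uri", [DEFAULT_LANDING])[0]
    return candidate if is_local_path(candidate) else DEFAULT_LANDING


if __name__ == "__main__":
    # Constructed query strings, roughly what a crafted login link might carry.
    samples = [
        "uri=/status.cgi",
        "uri=https://evil.example/",
        "uri=//evil.example/",
        "uri=/\\evil.example/",
        "uri=///evil.example/",
        "uri=javascript:alert(1)",
    ]
    for q in samples:
        print(f"{q:28} vulnerable -> {vulnerable_post_login_target(q):24} "
              f"hardened -> {hardened_post_login_target(q)}")
```

The hardened variant deliberately does not try to whitelist hostnames: a same-host redirect never needs an authority component, so refusing anything that is not a plain absolute path is both simpler and closes the backslash and triple-slash variants that host-comparison code tends to miss.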
Vulnerable / tested versions
Ubiquiti Networks AirRouter (v6.0.1)
Ubiquiti Networks TS-8-PRO (v1.3.4)
Based on information embedded in the firmware of other Ubiquiti products, gathered with our IoT Inspector tool, we believe the following devices are affected as well:
Ubiquiti Networks LBE-M5-23 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M2-13 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-16 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-19 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M2-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-620 (Version: XW v6.0.1)
Ubiquiti Networks RM2-Ti (Version: XW v6.0.1)
Ubiquiti Networks RM5-Ti (Version: XW v6.0.1)
Vendor contact timeline
2017-03-22: Contacting vendor via HackerOne.
2017-03-22: Vendor marked the open redirect as a duplicate of #158287. The contact also states that the issue will be resolved in the next release.
2017-05-05: Found updates (6.0.3 and 1.3.5) on the vendor's website and confirmed the fix; customers are given at least 90 days to apply the patch before publication.
2017-05-15: Contacted vendor via e-mail and set the publication date to 2017-07-24.
2017-07-24: Public release of security advisory
Solution
Upgrade to firmware version 6.0.3 (XM) or 1.3.5 (SW), or later.
EOF T.Weber / @2017
- Title: SEC Consult Vulnerability Lab Security Advisory < 20170724-1 > Open Redirect in Login Page
- Product: Multiple Ubiquiti Networks products, e.g. TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16, AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M, AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti, BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5, locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22, NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365, NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP, Power AP N
- Vulnerable version: AirOS 6.0.1 (XM), 1.3.4 (SW)
- Fixed version: AirOS 6.0.3 (XM), 1.3.5 (SW)
- CVE number: --
- By: T. Weber (Office Vienna) / SEC Consult Vulnerability Lab