XSS & CSRF vulnerabilities in multiple Ubiquiti Networks products

SEC Consult Vulnerability Lab Security Advisory < 20170130-0 >


title: XSS & CSRF vulnerabilities

product: Multiple Ubiquiti Networks products, e.g.


AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,

AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,

BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,

locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,

NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,


Power AP N, PicoStation2, PicoStation2HP

vulnerable version: v1.3.3 (SW), v5.6.9/v6.0 (XM), v4.0.4 (XS2)

fixed version: -

CVE number: -

impact: Medium

homepage: www.ubnt.com

found: 2016-11-22

by: T. Weber (Office Vienna)

SEC Consult Vulnerability Lab


An integrated part of SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich






Vendor description:


"Ubiquiti Networks develops high-performance networking

technology for service providers and enterprises. Our technology

platforms focus on delivering highly advanced and easily deployable

solutions that appeal to a global customer base in underserved and

underpenetrated markets."


Source: ir.ubnt.com



Business recommendation:


SEC Consult recommends to perform a thorough security review conducted by

security professionals to identify and resolve all security issues.



Vulnerability overview/description:


1) Reflected Cross Site Scripting (XSS)

This vulnerability is present on the following devices:

TS-16-CARRIER, TS-5-POE, TS-8-PRO - v1.3.3 (SW)

PicoStation2, PicoStation2HP - v4.0.4 (XS2) (End of Life)


Ubiquiti does not properly encode parameters which are reflected on the

login page of the devices. This leads to cross site scripting. An attacker

can abuse these vulnerabilities to steal cookies from the attacked user in

order to login remotely on the device.

An attacker is also able to perform actions in the context of the attacked user.


2) Cross Site Request Forgery (CSRF) - HackerOne #73289

Ubiquiti implemented CSRF protection tokens in POST requests which are sent

in context of the tabs "system" and "network" but they did not implement

tokens in GET requests or other POST requests. Therefore an attacker is

able to call "cgi" scripts by luring the attacked user to click on a crafted


This vulnerability was found earlier by another bug bounty participant

on HackerOne. It was numbered with #73289. The status of this bug is unknown.



Proof of concept:


The vendor considers this as low priority, hence there is no fix available and a

date for a patch has not been defined by the vendor.


The proof of concept has been removed from this advisory.



Vulnerable / tested versions:


The following devices and firmware versions have been tested:

TS-8-PRO - v1.3.3 (SW) - (CSRF, XSS)

PicoStation2, PicoStation2HP - v4.0.4 (XS2) - (CSRF, XSS) (End of Life)

(Rocket) M5 - v5.6.9/v6.0 (XM) - (CSRF)

(PicoStationM2HP) PICOM2HP - v5.6.9/v6.0 (XM) - (CSRF)

(NanoStationM5) NSM5 - v5.6.9/v6.0 (XM) - (CSRF)



Based on information embedded in the firmware of other Ubiquiti products

gathered from our IoT Inspector tool for automated firmware analysis

we believe the following devices are affected at least by CSRF as well:


Ubiquiti Networks AF24 (Version: AF24 v3.2)

Ubiquiti Networks AF24HD (Version: AF24 v3.2)

Ubiquiti Networks AF-2X (Version: AF2X v3.2 )

Ubiquiti Networks AF-3X (Version: AF3X v3.2)

Ubiquiti Networks AF5 (Version: AF5 v3.2)

Ubiquiti Networks AF5U (Version: AF5 v3.2)

Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)

Ubiquiti Networks AG-PRO-INS (Version: AirGWP v1.1.7)

Ubiquiti Networks airGateway (Version: AirGW v1.1.7)

Ubiquiti Networks airGateway-LR (Version: AirGW v1.1.7)

Ubiquiti Networks AMG-PRO (Version: AirGWP v1.1.7)

Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)

Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)

Ubiquiti Networks LBE-M5-23 (Version: XW v5.6.9/v6.0)

Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)

Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)

Ubiquiti Networks NBE-M2-13 (Version: XW v5.6.9/v6.0)

Ubiquiti Networks NBE-M5-16 (Version: XW v5.6.9/v6.0)

Ubiquiti Networks NBE-M5-19 (Version: XW v5.6.9/v6.0)

Ubiquiti Networks PBE-5AC-300 (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-300-ISO (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-400 (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-400-ISO (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-500 (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-500-ISO (Version: XC v7.2.4)

Ubiquiti Networks PBE-5AC-620 (Version: XC v7.2.4)

Ubiquiti Networks PBE-M2-400 (Version: XW v5.6.9/v6.0)

Ubiquiti Networks PBE-M5-300 (Version: XW v5.6.9/v6.0)

Ubiquiti Networks PBE-M5-300-ISO (Version: XW v5.6.9/v6.0)

Ubiquiti Networks PBE-M5-400 (Version: XW v5.6.9/v6.0)

Ubiquiti Networks PBE-M5-400-ISO (Version: XW v5.6.9/v6.0)

Ubiquiti Networks PBE-M5-620 (Version: XW v5.6.9/v6.0)

Ubiquiti Networks R5AC-Lite (Version: XC v7.2.4)

Ubiquiti Networks R5AC-PRISM (Version: XC v7.2.4)

Ubiquiti Networks R5AC-PTMP (Version: XC v7.2.4)

Ubiquiti Networks R5AC-PTP (Version: XC v7.2.4)

Ubiquiti Networks RM2-Ti (Version: XW v5.6.9/v6.0)

Ubiquiti Networks RM5-Ti (Version: XW v5.6.9/v6.0)



Vendor contact timeline:


2016-11-22: Contacting vendor via HackerOne

2016-11-22: Vendor responds that XSS is out-of-scope and marked CSRF

as duplicate to: #73289

2016-11-23: Asking the vendor for a patch of #73289 and why XSS

is out-of-scope.

2016-11-25: Vendor responds that "#73289 may not be fixed for next release,

probably in the next development cycle" and XSS is out-of-

scope since it was found in legacy firmware.

2016-11-25: Asking for an estimated time frame for a fix of #73289

and whether we can publish the XSS.

2016-11-25: Vendor did not notice the affected TS-* products and

re-evaluates & confirms the found XSS. #73289 should be

released in the next stable version.

Vendor can not give a precise date.

2017-01-10: Asking the vendor for a patch and defined release of the

advisory for 2017-01-16 (concerning the SEC Consult

disclosure policy). Shifted the deadline to 2017-01-30

due to Christmas holidays; No answer.

2017-01-17: Asking for an update.

2017-01-17: Vendor excuses for the delay and responds that as this

issue is a low threat, there is no any estimated time of

arrival for new firmware at the moment.

2017-01-25: Informed the vendor that the advisory will be published on

2017-01-30 including the HackerOne reference number for the

CSRF and that the PoC will be removed.

2017-01-30: Public release of advisory





There is no fix available from the vendor yet as they consider it as low

priority. Check the vendor's website for future updates.





No workaround



Advisory URL:







SEC Consult Vulnerability Lab


SEC Consult

Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow

Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich


About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.



Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/en/Career.htm


Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/en/About/Contact.htm



Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult


EOF T. Weber / @2017