SEC Consult Vulnerability Lab Security Advisory < 20170130-0 >
=======================================================================
title: XSS & CSRF vulnerabilities
product: Multiple Ubiquiti Networks products, e.g.
TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,
Power AP N, PicoStation2, PicoStation2HP
vulnerable version: v1.3.3 (SW), v5.6.9/v6.0 (XM), v4.0.4 (XS2)
fixed version: -
CVE number: -
impact: Medium
homepage: www.ubnt.com
found: 2016-11-22
by: T. Weber (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
=======================================================================
Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."
Source: ir.ubnt.com
Business recommendation:
------------------------
SEC Consult recommends to perform a thorough security review conducted by
security professionals to identify and resolve all security issues.
Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS)
This vulnerability is present on the following devices:
TS-16-CARRIER, TS-5-POE, TS-8-PRO - v1.3.3 (SW)
PicoStation2, PicoStation2HP - v4.0.4 (XS2) (End of Life)
Ubiquiti does not properly encode parameters which are reflected on the
login page of the devices. This leads to cross site scripting. An attacker
can abuse these vulnerabilities to steal cookies from the attacked user in
order to login remotely on the device.
An attacker is also able to perform actions in the context of the attacked user.
2) Cross Site Request Forgery (CSRF) - HackerOne #73289
Ubiquiti implemented CSRF protection tokens in POST requests which are sent
in context of the tabs "system" and "network" but they did not implement
tokens in GET requests or other POST requests. Therefore an attacker is
able to call "cgi" scripts by luring the attacked user to click on a crafted
link.
This vulnerability was found earlier by another bug bounty participant
on HackerOne. It was numbered with #73289. The status of this bug is unknown.
Proof of concept:
-----------------
The vendor considers this as low priority, hence there is no fix available and a
date for a patch has not been defined by the vendor.
The proof of concept has been removed from this advisory.
Vulnerable / tested versions:
-----------------------------
The following devices and firmware versions have been tested:
TS-8-PRO - v1.3.3 (SW) - (CSRF, XSS)
PicoStation2, PicoStation2HP - v4.0.4 (XS2) - (CSRF, XSS) (End of Life)
(Rocket) M5 - v5.6.9/v6.0 (XM) - (CSRF)
(PicoStationM2HP) PICOM2HP - v5.6.9/v6.0 (XM) - (CSRF)
(NanoStationM5) NSM5 - v5.6.9/v6.0 (XM) - (CSRF)
Based on information embedded in the firmware of other Ubiquiti products
gathered from our IoT Inspector tool for automated firmware analysis
we believe the following devices are affected at least by CSRF as well:
Ubiquiti Networks AF24 (Version: AF24 v3.2)
Ubiquiti Networks AF24HD (Version: AF24 v3.2)
Ubiquiti Networks AF-2X (Version: AF2X v3.2 )
Ubiquiti Networks AF-3X (Version: AF3X v3.2)
Ubiquiti Networks AF5 (Version: AF5 v3.2)
Ubiquiti Networks AF5U (Version: AF5 v3.2)
Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)
Ubiquiti Networks AG-PRO-INS (Version: AirGWP v1.1.7)
Ubiquiti Networks airGateway (Version: AirGW v1.1.7)
Ubiquiti Networks airGateway-LR (Version: AirGW v1.1.7)
Ubiquiti Networks AMG-PRO (Version: AirGWP v1.1.7)
Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)
Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)
Ubiquiti Networks LBE-M5-23 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)
Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)
Ubiquiti Networks NBE-M2-13 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-16 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-19 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-5AC-300 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-300-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-620 (Version: XC v7.2.4)
Ubiquiti Networks PBE-M2-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-620 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks R5AC-Lite (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PRISM (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTMP (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTP (Version: XC v7.2.4)
Ubiquiti Networks RM2-Ti (Version: XW v5.6.9/v6.0)
Ubiquiti Networks RM5-Ti (Version: XW v5.6.9/v6.0)
Vendor contact timeline:
------------------------
2016-11-22: Contacting vendor via HackerOne
2016-11-22: Vendor responds that XSS is out-of-scope and marked CSRF
as duplicate to: #73289
2016-11-23: Asking the vendor for a patch of #73289 and why XSS
is out-of-scope.
2016-11-25: Vendor responds that "#73289 may not be fixed for next release,
probably in the next development cycle" and XSS is out-of-
scope since it was found in legacy firmware.
2016-11-25: Asking for an estimated time frame for a fix of #73289
and whether we can publish the XSS.
2016-11-25: Vendor did not notice the affected TS-* products and
re-evaluates & confirms the found XSS. #73289 should be
released in the next stable version.
Vendor can not give a precise date.
2017-01-10: Asking the vendor for a patch and defined release of the
advisory for 2017-01-16 (concerning the SEC Consult
disclosure policy). Shifted the deadline to 2017-01-30
due to Christmas holidays; No answer.
2017-01-17: Asking for an update.
2017-01-17: Vendor excuses for the delay and responds that as this
issue is a low threat, there is no any estimated time of
arrival for new firmware at the moment.
2017-01-25: Informed the vendor that the advisory will be published on
2017-01-30 including the HackerOne reference number for the
CSRF and that the PoC will be removed.
2017-01-30: Public release of advisory
Solution:
---------
There is no fix available from the vendor yet as they consider it as low
priority. Check the vendor's website for future updates.
Workaround:
-----------
No workaround
Advisory URL:
-------------
www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: www.sec-consult.com
Blog: blog.sec-consult.com
Twitter: twitter.com/sec_consult
EOF T. Weber / @2017