Friday March 17, 2017

Ubiquiti Routing Products Vulnerable to Hijack due to Use of 20 Year Old Version of PHP

Many of our prosumer readers, myself included, have come to like Ubiquiti Networks products over the years for their enterprise-like reliability and management capabilities combined with consumer-like pricing. I should know; I am one of them. The Reg has a story up that might cast some doubt on just how much we should trust them, though.

Apparently the web interface of a good chunk of Ubiquiti's routers relies on a version of PHP released in 1997, which lacks modern security features. This allows a command injection attack on the web interface. To be fair, this does rely on a user with credentials being logged in to the web interface and, at the same time, clicking on a malicious link, but even so, leaving 20-year-old known vulnerabilities open on your enterprise-grade routing hardware seems somewhat inexcusable to me. You would think that a company marketing its products to enterprise customers would be a little more serious about security.
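As an added illustration (not Ubiquiti's code and not taken from the advisory), here is a hypothetical "ping this host" diagnostics handler of the kind a router web UI exposes, showing the two defects the story combines, a shell command built from user input and no check that the request was submitted from the UI itself, beside a hardened version. The hardened version depends on `hash_equals` (PHP 5.6+) and `random_bytes` (PHP 7+), which is precisely what a 1997-era interpreter cannot provide.

```php
<?php
// Hypothetical router diagnostics page (constructed example, not Ubiquiti code).

// VULNERABLE pattern: the host is concatenated straight into a shell command,
// and nothing ties the request to a page served by this UI, so an admin who is
// logged in and visits an attacker's page can have this submitted on their behalf.
function ping_vulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 " . $host);
}

// HARDENED pattern: require POST, require a per-session CSRF token, allowlist
// the host, and still quote the argument as defence in depth.
function verify_csrf_token(?string $submitted): bool
{
    // Token is minted once per session (below); constant-time comparison.
    return isset($_SESSION['csrf_token'], $submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function validate_host(string $host): ?string
{
    // Hostname / IPv4 characters only, bounded length; anything else is rejected.
    if ($host === '' || strlen($host) > 253) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9.-]+$/', $host) === 1 ? $host : null;
}

function ping_hardened(string $host, ?string $token): string
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') { http_response_code(405); return 'method not allowed'; }
    if (!verify_csrf_token($token))                    { http_response_code(403); return 'bad csrf token'; }
    $safe = validate_host($host);
    if ($safe === null)                                { http_response_code(400); return 'invalid host'; }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($safe));
}

session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    echo htmlspecialchars(ping_hardened($_POST['host'] ?? '', $_POST['csrf_token'] ?? null), ENT_QUOTES, 'UTF-8');
} else {
    // The form carries the token, so only pages this UI served can submit a valid request.
    $t = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    echo '<form method="post"><input name="host">'
       . '<input type="hidden" name="csrf_token" value="' . $t . '">'
       . '<button>Ping</button></form>';
}
```

On a firmware that cannot be moved to a current PHP, the practical mitigations are the ones the advisory's exploitation conditions suggest: keep admin sessions short, do not browse elsewhere while logged in to the router UI, and restrict the management interface to a trusted network.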

You can find more details and a list of potentially affected hardware in SEC's Advisory.

This isn't the first time Ubiquiti customers have been left with an unfixed security cockup by their supplier. A previous flaw was finally patched by a third party back in 2015 after the company failed to fix it in time, despite proof of concept code being in wide circulation.

Then again, security doesn't seem to be Ubiquiti's strong point. The firm lost $46.7m in 2015 when it fell prey to an invoice scammer and sent the money - most of which it couldn't recover - to banks in Asia. Ubiquiti's chief accounting officer resigned shortly afterwards.