Ubiquiti called out for security flaw

When it comes to evaluating networking devices (routers, Access Points, switches), almost everyone focuses on the hardware. Not me. My RouterSecurity.org site is devoted to software.

But, there is yet another crucial aspect to evaluating devices - the personality of the company behind it. Specifically, how it reacts to the inevitable software flaws.

At the end of 2016 assorted bugs in Netgear routers were made far worse by the company's slow reaction. Now, Netgear has a whole new procedure for dealing with bug reports. Time will tell how well it works.

This week, the focus is on Ubiquiti Networks. Over at SmallNetBuilder.com, Tim Higgins just reviewed their latest access points and started off the review pointing out how popular Ubiquiti access points are with the Ars Technica crowd. 

But, a Vienna, Austria-based security firm, SEC Consult, which has reported router flaws in the past, just reported a bug in 4 Ubiquiti devices. They believe the bug also exists in another 38 devices. 

The flaw, in pingtest_action.cgi, allows authenticated users to inject arbitrary commands into the web interface. It's not a brutally critical thing. 
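To show the bug class rather than the Ubiquiti code (which is not on this page), here is an added example, written in Python for clarity, of a ping-test handler like the one pingtest_action.cgi provides: the unsafe pattern of splicing the request parameter into a shell string, beside a hardened version that validates the target and never invokes a shell. All function names are my own and assumed.

```python
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of 1-63 alphanumerics/hyphens, no leading or
# trailing hyphen, at most 253 characters in total. A leading hyphen is rejected,
# so the value can never be mistaken for a ping command-line option either.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def vulnerable_ping_command(target: str) -> str:
    """The unsafe pattern: the request parameter is spliced into a shell string.

    Anything the shell treats specially in `target` is interpreted by the shell,
    which is the root cause of a CGI command injection. Shown for contrast only.
    """
    return "ping -c 3 " + target


def validate_target(target: str) -> str:
    """Return the target if it is an IP address or a DNS hostname, else raise."""
    target = target.strip()
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError("ping target is not an IP address or hostname")


def is_valid_target(target: str) -> bool:
    """Boolean wrapper around validate_target for callers that just need yes/no."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def safe_ping_argv(target: str, count: int = 3) -> list:
    """Build an argv list for ping. No shell is involved, so a metacharacter
    that somehow slipped past validation would still be one literal argument."""
    return ["ping", "-c", str(int(count)), validate_target(target)]


def run_ping(target: str) -> int:
    """Run ping without a shell and return its exit status."""
    return subprocess.run(safe_ping_argv(target), capture_output=True,
                          text=True, timeout=20).returncode
```

The validator is the control that matters: with an allow-list on the target and `subprocess.run` given an argument list, the web interface never hands user input to a shell at all.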

The most interesting aspect of the Security Advisory, to me, was the "Vendor contact timeline." Below is an incomplete and edited copy of it. 

VENDOR CONTACT TIMELINE
Nov 22, 2016: Initial bug report
Nov 22, 2016: Ubiquiti considers the bug a duplicate of bug #143447
Nov 25, 2016: Ubiquiti says that bug #143447 should be fixed in the next firmware release
Jan 10, 2017: SEC Consult asks for a patch. No answer.
Jan 17, 2017: SEC Consult asks for an update. Ubiquiti says the Proof of Concept hack does not work.
Jan 18, 2017: SEC Consult explains their Proof of Concept again
Jan 19, 2017: Ubiquiti says they received a similar report and assumed a duplication. They tell SEC Consult that the Proof of Concept never worked and did not make any sense.
Jan 20, 2017: SEC Consult uploads a video showing command injection on an up-to-date device
Jan 21, 2017: Ubiquiti responds that they were able to reproduce the problem. They also posted the real cause.
Jan 24, 2017: SEC Consult asks whether the vulnerability is a duplicate of #143447
Jan 24, 2017: Ubiquiti says it is not and that this issue will be fixed as soon as possible.
Feb 3, 2017: SEC Consult asks for a status update. No answer.
Feb 21, 2017: SEC Consult asks for a status update. No answer.
March 1, 2017: SEC Consult tells Ubiquiti that they will go public with the flaw in two weeks. No answer.
March 16, 2017: SEC Consult goes public 

Four months, no bug fix. Update: Not exactly, see below.

Back in November, Lucian Constantin of IDG, the same reporter who just wrote about the Ubiquiti flaw, had a story in PC World about a flaw in a router from my favorite router vendor, Peplink.

The two cases could not be more different.

Constantin reported that the person who reported the flaw "was impressed with how Peplink responded to his report and how the company handled the vulnerability." A Motherboard article said basically the same thing and added that Peplink gave the person who reported the flaw a free router as a gesture of good will. 

No one expects software to be perfect. I have run into a couple of software problems with the Peplink routers I maintain. But reporting the problems was easy and the assistance from tech support was all that anyone could hope for.

That's what you want in a vendor. 

Personally, I use and recommend the Pepwave Surf SOHO. It's the cheapest router Peplink offers. How fast is the Wi-Fi? I haven't tested it. What's the Wi-Fi range? I don't care. Can it handle a 200 Mbps connection to the Internet? No. Is it dual-band? Mine is not (new ones are). Can the USB port be used for file sharing? No. How secure is it? Much more than your router. 

- - - - -

UPDATE March 20, 2017. An article in The Register, "Ubiquiti network gear can be 'hijacked by an evil URL' – thanks to its 20-year-old PHP build", has two responses from Ubiquiti. The first includes this: "There was unfortunately a communication breakdown" and the second includes this:

we ... are in the process of fixing this vulnerability for all products affected. We have already released updates that resolve the issue for 37 out of the 44 products mentioned by SEC Consult (the first update for airMAX 11ac products was released on February 3, 2017) and we are very close to releasing another update for the remaining seven products mentioned in the report.

A long thread in a Ubiquiti forum on this, Unpatched hole in AirOS, was started March 16, 2017. Page 5 has a long response from a Ubiquiti Employee identified as UBNT-Brandon. In that post, Brandon admits to a communication breakdown. He adds that UniFi and EdgeMAX were not impacted. The airMAX AC was patched and a stable release was issued months before. Quoting: "airMAX 11n and associated patched months before, soaking in testing. Triaged and released to stable day after that posting." 

Another forum posting, "AirOS Vulnerability Issue Update, 3/18/17", by a Ubiquiti Employee identified as Robert notes that UniFi, EdgeMAX and AmpliFi are not affected. As for AirOS, it offers the current status for AirOS v8.0.1 and v6.0.1, AirGateway v1.1.8, TOUGHSwitch v1.3.4 and airFiber v3.2.2 and v3.4.1. Four of these five systems had patches released that day (March 18th).

UPDATE March 23, 2017. Ubiquiti sent this note in a newsletter to their customers: "Addressing Security Concerns". It says that this flaw "rates fairly low in terms of threat severity" and I agree. It also mentions a "php2 code concern" which is another matter entirely - their firmware included a very very old version of PHP.

- - - - - 

Now that Computerworld, and all of parent company IDG's websites, have eliminated user comments, you can get in touch with me privately by email at my full name at Gmail. Public comments can be directed to me on Twitter at @defensivecomput
