SEC Consult Vulnerability Lab Security Advisory < 20151105-0 >
=======================================================================
              title: Insecure default configuration
            product: various Ubiquiti Networks products
 vulnerable version: see Vulnerable / tested versions
      fixed version: none available
             impact: High
           homepage: https://www.ubnt.com/
              found: 2015-08-17
                 by: Stefan Viehböck (Office Vienna)
                     SEC Consult Vulnerability Lab
                     An integrated part of SEC Consult
                     Berlin - Frankfurt/Main - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Ubiquiti Networks develops high-performance networking technology for
service providers and enterprises. Our technology platforms focus on
delivering highly advanced and easily deployable solutions that appeal
to a global customer base in underserved and underpenetrated markets.

Source: http://ir.ubnt.com/

Vulnerability overview/description:
-----------------------------------
1) Hardcoded cryptographic keys

A certificate including its private key is embedded in the firmware of
several Ubiquiti Networks products. The certificate is used as the
default server certificate for HTTPS (web-based management).

Because every affected device presents the same certificate and its
private key is public, impersonation, man-in-the-middle and passive
decryption attacks are possible. Passive decryption applies to sessions
negotiated with RSA key exchange; with ephemeral Diffie-Hellman cipher
suites the key still allows active impersonation. These attacks allow an
attacker to obtain sensitive information such as admin credentials and
use it in further attacks.

Furthermore, searching for the certificate fingerprint in data from
internet-wide scans is a low-cost way of finding the IP addresses of
specific products or product groups, which allows an attacker to exploit
vulnerabilities at scale.

2) Remote management enabled by default

The remote management interface is enabled by default. This allows
attackers to exploit vulnerabilities in the device firmware as well as
weak credentials set by the user.
Further information can also be found in our blog post:
http://blog.sec-consult.com/2015/11/the-omnipresence-of-ubiquiti-networks.html

Proof of concept:
-----------------
1) Hardcoded cryptographic keys

OpenSSL text output for the certificate:

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 13408895465235657399 (0xba15f761dbb7b2b7)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT/emailAddress=support@ubnt.com
        Validity
            Not Before: Jun  2 08:35:02 2011 GMT
            Not After : Jan  1 08:35:02 2020 GMT
        Subject: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc., OU=Technical Support, CN=UBNT/emailAddress=support@ubnt.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:be:09:9f:14:3a:f7:ee:e5:8a:c9:76:b2:26:17:
                    00:7b:0c:85:1c:94:8e:bd:7f:f5:a1:a5:6d:0a:2c:
                    64:cc:7f:78:bc:11:ee:dc:d9:e6:2a:cb:e1:9e:d8:
                    17:a6:9c:35:aa:da:c5:c1:3a:a5:48:dc:af:bc:99:
                    37:59:7e:88:3c:2c:d3:bb:e7:60:6d:e3:19:f9:4e:
                    18:4c:4c:3a:fd:5e:35:6f:a3:50:b9:50:c0:8e:8b:
                    fa:a0:ee:c4:96:c5:ba:4e:ed:d8:f1:18:05:36:89:
                    54:c2:dc:27:eb:75:74:1c:be:9a:4c:c8:e5:ce:fe:
                    47:44:96:a7:af:10:07:eb:15
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        00:5a:31:81:3a:15:6d:30:95:8d:03:91:47:aa:23:e2:b4:c0:
        2e:d4:01:cd:d5:21:6b:69:5e:3c:71:27:10:1c:f5:87:d4:28:
        19:17:c2:3d:ec:36:fd:ee:93:07:8f:0b:30:65:0e:28:35:6c:
        25:9e:d8:24:16:85:65:29:da:47:df:30:09:84:33:2c:b4:b4:
        fa:f0:24:40:b9:ee:1e:f0:1c:33:c3:e1:06:70:2e:6b:fe:a0:
        d0:aa:81:6f:cf:1b:70:67:43:01:32:a0:da:bc:8c:a8:91:f3:
        cb:b1:97:30:04:f2:c6:77:e8:89:97:2c:d3:1f:cf:03:f1:fc:
        36:fa

Certificate:

-----BEGIN CERTIFICATE-----
MIICrTCCAhYCCQC6Ffdh27eytzANBgkqhkiG9w0BAQUFADCBmjELMAkGA1UEBhMCV
VMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEfMB0GA1UEChMWVWJpcX
VpdGkgTmV0d29ya3MgSW5jLjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxDTA
LBgNVBAMTBFVCTlQxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAdWJudC5jb20wHhcN
MTEwNjAyMDgzNTAyWhcNMjAwMTAxMDgzNTAyWjCBmjELMAkGA1UEBhMCVVMxCzAJB
gNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEfMB0GA1UEChMWVWJpcXVpdGkgTm
V0d29ya3MgSW5jLjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxDTALBgNVBAM
TBFVCTlQxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAdWJudC5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAL4JnxQ69+7lisl2siYXAHsMhRyUjr1/9aGlbQosZ
Mx/eLwR7tzZ5irL4Z7YF6acNaraxcE6pUjcr7yZN1l+iDws07vnYG3jGflOGExMOv
1eNW+jULlQwI6L+qDuxJbFuk7t2PEYBTaJVMLcJ+t1dBy+mkzI5c7+R0SWp68QB+s
VAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAAFoxgToVbTCVjQORR6oj4rTALtQBzdUh
a2lePHEnEBz1h9QoGRfCPew2/e6TB48LMGUOKDVsJZ7YJBaFZSnaR98wCYQzLLS0+
vAkQLnuHvAcM8PhBnAua/6g0KqBb88bcGdDATKg2ryMqJHzy7GXMATyxnfoiZcs0x
/PA/H8Nvo=
-----END CERTIFICATE-----

Private Key:

-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC+CZ8UOvfu5YrJdrImFwB7DIUclI69f/WhpW0KLGTMf3i8Ee7c2
eYqy+Ge2BemnDWq2sXBOqVI3K+8mTdZfog8LNO752Bt4xn5ThhMTDr9XjVvo1C5UM
COi/qg7sSWxbpO7djxGAU2iVTC3CfrdXQcvppMyOXO/kdElqevEAfrFQIDAQABAoG
AGS2XKQwDC2DYOYcDZW6IvsTS4g2At/S7K5aKUt284SdGbMyHdDVefG8UzoHc6FMr
/R4NM2O8wGGU2w0Fu1K7Y9rU3ffBT6oL69n1FzL5BWcxoOnoSjuvWZExFy8p8/1BT
/m0e9jsmGSVmFnniCI/ha7rKRQN+7GT8LsVjliSguUCQQD2B2sbtNSVynhIpdJVnq
jOAkLGUqX/CNUxgoPc2cC769pB4+iTqy/cRw8N5yY2YO/uTXxjWNeYI4wM3ydciVq
LAkEAxb1JBfMkNwEVHhEtoVbyLCnbAL/NrmyYHDYep5GHIsyP4kfVnhPCTMNCjBE+
MRSmtmOiR3JhWA64TTeMzEOk3wJAaQq/y0OIpC+e7X2G8TFdZx+F/QDaiKnvxESyI
gACjvli5VD2Qt4LACSCo+/126/FoNwKaKxM2FMM/43jU1n9gwJAcbvox3pNJzIBMn
UQ+M6opkxAwhKQPDYL25YpVZp3zsU4MR++N5kH1d0tZqD4U4ScSyXNjii04tA8o3V
DD64MowJBANI9Uadjw2fwWJvRtdpbJYOEtb4+pN7isj/lMBlxh/f4APAQRzVACoZR
kwc9O1CJGXEV9oLEvIavpTJaeQFhw44=
-----END RSA PRIVATE KEY-----

2) Remote management enabled by default

Remote management is available via SSH, HTTP and HTTPS.

Vulnerable / tested versions:
-----------------------------
These issues are not tied to specific products or firmware versions.
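The following script is an added example for the proof of concept above; it is not part of the SEC Consult advisory and not Ubiquiti code. It takes the certificate and private key exactly as printed there, checks with a minimal DER walk that the key's modulus really is the one in the certificate, prints the SHA-1/SHA-256 fingerprints in the colon form used by openssl and by internet-wide scan datasets, and offers a connect-from-outside check that tells whether a given host is still serving the shared certificate. Only the Python standard library is used; the host and port passed to device_uses_shared_cert are whatever the reader supplies, and the TLS 1.0 floor is an assumption about old firmware, not something the advisory states.

```python
"""Added example (not from the advisory or Ubiquiti): verify the published key belongs to the
published certificate, fingerprint the certificate, and probe a host for it. Stdlib only."""
import base64
import hashlib
import socket
import ssl

# Certificate and private key copied verbatim from the advisory's proof of concept.
UBNT_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICrTCCAhYCCQC6Ffdh27eytzANBgkqhkiG9w0BAQUFADCBmjELMAkGA1UEBhMCV
VMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEfMB0GA1UEChMWVWJpcX
VpdGkgTmV0d29ya3MgSW5jLjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxDTA
LBgNVBAMTBFVCTlQxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAdWJudC5jb20wHhcN
MTEwNjAyMDgzNTAyWhcNMjAwMTAxMDgzNTAyWjCBmjELMAkGA1UEBhMCVVMxCzAJB
gNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEfMB0GA1UEChMWVWJpcXVpdGkgTm
V0d29ya3MgSW5jLjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxDTALBgNVBAM
TBFVCTlQxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAdWJudC5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAL4JnxQ69+7lisl2siYXAHsMhRyUjr1/9aGlbQosZ
Mx/eLwR7tzZ5irL4Z7YF6acNaraxcE6pUjcr7yZN1l+iDws07vnYG3jGflOGExMOv
1eNW+jULlQwI6L+qDuxJbFuk7t2PEYBTaJVMLcJ+t1dBy+mkzI5c7+R0SWp68QB+s
VAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAAFoxgToVbTCVjQORR6oj4rTALtQBzdUh
a2lePHEnEBz1h9QoGRfCPew2/e6TB48LMGUOKDVsJZ7YJBaFZSnaR98wCYQzLLS0+
vAkQLnuHvAcM8PhBnAua/6g0KqBb88bcGdDATKg2ryMqJHzy7GXMATyxnfoiZcs0x
/PA/H8Nvo=
-----END CERTIFICATE-----"""

UBNT_KEY_PEM = """-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQC+CZ8UOvfu5YrJdrImFwB7DIUclI69f/WhpW0KLGTMf3i8Ee7c2
eYqy+Ge2BemnDWq2sXBOqVI3K+8mTdZfog8LNO752Bt4xn5ThhMTDr9XjVvo1C5UM
COi/qg7sSWxbpO7djxGAU2iVTC3CfrdXQcvppMyOXO/kdElqevEAfrFQIDAQABAoG
AGS2XKQwDC2DYOYcDZW6IvsTS4g2At/S7K5aKUt284SdGbMyHdDVefG8UzoHc6FMr
/R4NM2O8wGGU2w0Fu1K7Y9rU3ffBT6oL69n1FzL5BWcxoOnoSjuvWZExFy8p8/1BT
/m0e9jsmGSVmFnniCI/ha7rKRQN+7GT8LsVjliSguUCQQD2B2sbtNSVynhIpdJVnq
jOAkLGUqX/CNUxgoPc2cC769pB4+iTqy/cRw8N5yY2YO/uTXxjWNeYI4wM3ydciVq
LAkEAxb1JBfMkNwEVHhEtoVbyLCnbAL/NrmyYHDYep5GHIsyP4kfVnhPCTMNCjBE+
MRSmtmOiR3JhWA64TTeMzEOk3wJAaQq/y0OIpC+e7X2G8TFdZx+F/QDaiKnvxESyI
gACjvli5VD2Qt4LACSCo+/126/FoNwKaKxM2FMM/43jU1n9gwJAcbvox3pNJzIBMn
UQ+M6opkxAwhKQPDYL25YpVZp3zsU4MR++N5kH1d0tZqD4U4ScSyXNjii04tA8o3V
DD64MowJBANI9Uadjw2fwWJvRtdpbJYOEtb4+pN7isj/lMBlxh/f4APAQRzVACoZR
kwc9O1CJGXEV9oLEvIavpTJaeQFhw44=
-----END RSA PRIVATE KEY-----"""

def pem_to_der(pem):
    """Decode one PEM block. Line length is ignored, so a PEM re-wrapped by mail or web extraction decodes too."""
    body = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def _read_tlv(buf, off):
    """One DER tag-length-value at buf[off] -> (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                          # long form: 0x8n means n length bytes follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def _children(buf):
    """Top-level (tag, value) elements of a DER constructed value."""
    out, off = [], 0
    while off < len(buf):
        tag, value, off = _read_tlv(buf, off)
        out.append((tag, value))
    return out

def _seq(buf):
    """Elements of the single SEQUENCE that buf holds (unwrap one level, then split)."""
    return _children(_children(buf)[0][1])

def cert_fields(der):
    """Serial number and RSA public key of an X.509 certificate. Structure walked:
    Certificate{ tbs{ [version], serial, sigAlg, issuer, validity, subject,
    spki{ alg, BIT STRING{ RSAPublicKey{ n, e }}}}, sigAlg, signature }."""
    tbs = _children(_seq(der)[0][1])
    if tbs[0][0] == 0xA0:                      # explicit [0] version; absent from a v1 cert
        tbs = tbs[1:]
    spki = _children(tbs[5][1])
    n, e = _seq(spki[1][1][1:])                # [1:] skips the BIT STRING unused-bits byte
    return {"serial": int.from_bytes(tbs[0][1], "big"),
            "modulus": int.from_bytes(n[1], "big"),
            "exponent": int.from_bytes(e[1], "big")}

def rsa_private_modulus(der):
    """RSAPrivateKey{ version, n, e, d, p, q, ... } -> n."""
    return int.from_bytes(_seq(der)[1][1], "big")

def fingerprint(der, algo="sha1"):
    """Colon-separated upper-case digest, the form openssl x509 -fingerprint and scan datasets use."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def key_matches_cert(cert_pem, key_pem):
    """True when the private key's modulus is the one in the certificate's public key."""
    return cert_fields(pem_to_der(cert_pem))["modulus"] == rsa_private_modulus(pem_to_der(key_pem))

def device_uses_shared_cert(host, port=443, timeout=3.0):
    """Connect from the untrusted side and compare the served certificate with the shared one.
    Needs network access; host and port are supplied by the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    # 1024-bit RSA signed with SHA-1: OpenSSL's default security level refuses the handshake
    # outright, so the level is dropped here only to read the certificate.
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    ctx.minimum_version = ssl.TLSVersion.TLSv1  # assumption: old firmware may speak only TLS 1.0
    with socket.create_connection((host, port), timeout=timeout) as raw, ctx.wrap_socket(raw) as tls:
        served = tls.getpeercert(binary_form=True)
    return fingerprint(served) == fingerprint(pem_to_der(UBNT_CERT_PEM))
```

Running `fingerprint(pem_to_der(UBNT_CERT_PEM))` gives the value to search for in scan data; `key_matches_cert(UBNT_CERT_PEM, UBNT_KEY_PEM)` confirms the advisory's claim that the two belong together without trusting anything but the bytes above. The DER walk is deliberately minimal (no tag validation beyond the optional version), which is enough for this certificate but not a general parser.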
We found the certificate and private key in firmware for at least the
following products:

AF-5X, AF24, AF24HD, AF5, AF5U, AG-HP-2G16, AG-HP-5G23, AG-HP-5G27, AR,
AR-HP, AirGrid M2, AirGrid M5, BM2-Ti, BM2HP, BM5-Ti, BM5HP, Bullet 2,
Bullet 2 HP, Bullet 5, LS2, LS5, LiteStation M5, M2, M3, M365, M5, M900,
MiniStation2, NB-2G18, NB-5G25, NBE-5AC-19, NBE-M5-16, NBE-M5-19, NBM3,
NBM365, NBM9, NS2, NS5, NSM2, NSM3, NSM365, NSM5, NanoStation 2 Loco,
NanoStation 5 Loco, PBE-5AC-500, PBE-5AC-620, PBE-M2-400, PBE-M5-300,
PBE-M5-400, PBM10, PBM3, PBM365, PBM5, PicoStation2, PicoStation2HP,
PicoStation5, Power AP N, PowerStation 2, PowerStation 5, R5AC-Lite,
R5AC-PTMP, R5AC-PTP, RM2-Ti, RM5-Ti, TS-16-CARRIER, TS-5-POE, TS-8-PRO,
WispStation5, airGateway, airGateway PRO, airGateway-LR, locoM2, locoM5,
locoM9

Vendor contact timeline:
------------------------
2015-08-17: Contacting vendor through security@ubnt.com.
2015-08-17: Auto-response: Vulnerability reports are processed via HackerOne.
2015-08-18: Reporting vulnerability via HackerOne (#83038, #83039)
2015-09-22: Vendor responds, enhancement to generate unique certificates
            will be added.
2015-10-23: HackerOne ticket closed by ubnt
2015-11-05: No further responses received. Release of the advisory.

Solution:
---------
Not available.

Workaround:
-----------
1) Hardcoded cryptographic keys

Generate and import a device-specific certificate.

2) Remote management enabled by default

Disable all methods of remote management and use strong passwords.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult.
It ensures the continued knowledge gain of SEC Consult in the field of
network and application security to stay ahead of the attacker. The SEC
Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our
customers. Hence our customers obtain the most current information about
vulnerabilities and valid recommendations about the risk profile of new
technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2015