SEC Consult Vulnerability Lab Security Advisory < 20170130-0 >
=======================================================================
              title: XSS & CSRF vulnerabilities
            product: Multiple Ubiquiti Networks products, e.g.
                     TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
                     AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
                     AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
                     BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
                     locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
                     NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
                     NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,
                     Power AP N, PicoStation2, PicoStation2HP
 vulnerable version: v1.3.3 (SW), v5.6.9/v6.0 (XM), v4.0.4 (XS2)
      fixed version: -
         CVE number: -
             impact: Medium
           homepage: https://www.ubnt.com
              found: 2016-11-22
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking technology for
service providers and enterprises. Our technology platforms focus on
delivering highly advanced and easily deployable solutions that appeal
to a global customer base in underserved and underpenetrated markets."

Source: http://ir.ubnt.com/

Business recommendation:
------------------------
SEC Consult recommends performing a thorough security review conducted
by security professionals to identify and resolve all security issues.

Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS)

This vulnerability is present on the following devices:
TS-16-CARRIER, TS-5-POE, TS-8-PRO - v1.3.3 (SW)
PicoStation2, PicoStation2HP - v4.0.4 (XS2) (End of Life)

Ubiquiti does not properly encode parameters which are reflected on the
login page of the devices.
This leads to reflected cross site scripting. Since the injection point
is reflected, the attacked user has to be lured to a crafted link first.
An attacker can abuse the vulnerability to steal the attacked user's
cookies in order to log in to the device remotely. An attacker is also
able to perform actions in the context of the attacked user.

2) Cross Site Request Forgery (CSRF) - HackerOne #73289

Ubiquiti implemented CSRF protection tokens for the POST requests which
are sent in the context of the "system" and "network" tabs, but not for
GET requests or for the remaining POST requests. An attacker is
therefore able to invoke the device's "cgi" scripts by luring the
attacked user into clicking a crafted link.

This vulnerability was found earlier by another bug bounty participant
on HackerOne, where it was filed as #73289. The status of this bug is
unknown.

Proof of concept:
-----------------
The vendor considers this as low priority, hence there is no fix
available and a date for a patch has not been defined by the vendor.
The proof of concept has been removed from this advisory.

Vulnerable / tested versions:
-----------------------------
The following devices and firmware versions have been tested:

TS-8-PRO - v1.3.3 (SW) - (CSRF, XSS)
PicoStation2, PicoStation2HP - v4.0.4 (XS2) - (CSRF, XSS) (End of Life)
(Rocket) M5 - v5.6.9/v6.0 (XM) - (CSRF)
(PicoStationM2HP) PICOM2HP - v5.6.9/v6.0 (XM) - (CSRF)
(NanoStationM5) NSM5 - v5.6.9/v6.0 (XM) - (CSRF)

Based on information embedded in the firmware of other Ubiquiti products,
gathered with our IoT Inspector tool for automated firmware analysis, we
believe the following devices are affected at least by CSRF as well:

Ubiquiti Networks AF24 (Version: AF24 v3.2)
Ubiquiti Networks AF24HD (Version: AF24 v3.2)
Ubiquiti Networks AF-2X (Version: AF2X v3.2)
Ubiquiti Networks AF-3X (Version: AF3X v3.2)
Ubiquiti Networks AF5 (Version: AF5 v3.2)
Ubiquiti Networks AF5U (Version: AF5 v3.2)
Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)
Ubiquiti Networks AG-PRO-INS (Version: AirGWP v1.1.7)
Ubiquiti Networks airGateway (Version: AirGW v1.1.7)
Ubiquiti Networks airGateway-LR (Version: AirGW v1.1.7)
Ubiquiti Networks AMG-PRO (Version: AirGWP v1.1.7)
Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)
Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)
Ubiquiti Networks LBE-M5-23 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)
Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)
Ubiquiti Networks NBE-M2-13 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-16 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-19 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-5AC-300 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-300-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-620 (Version: XC v7.2.4)
Ubiquiti Networks PBE-M2-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-620 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks R5AC-Lite (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PRISM (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTMP (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTP (Version: XC v7.2.4)
Ubiquiti Networks RM2-Ti (Version: XW v5.6.9/v6.0)
Ubiquiti Networks RM5-Ti (Version: XW v5.6.9/v6.0)

Vendor contact timeline:
------------------------
2016-11-22: Contacting vendor via HackerOne
2016-11-22: Vendor responds that XSS is out-of-scope and marked CSRF as
            duplicate to: #73289
2016-11-23: Asking the vendor for a patch of #73289 and why XSS is
            out-of-scope.
2016-11-25: Vendor responds that "#73289 may not be fixed for next
            release, probably in the next development cycle" and XSS is
            out-of-scope since it was found in legacy firmware.
2016-11-25: Asking for an estimated time frame for a fix of #73289 and
            whether we can publish the XSS.
2016-11-25: Vendor had not noticed the affected TS-* products;
            re-evaluates and confirms the found XSS. A fix for #73289
            should be released in the next stable version; the vendor
            cannot give a precise date.
2017-01-10: Asking the vendor for a patch and announcing the release of
            the advisory for 2017-01-16 (according to the SEC Consult
            disclosure policy). Deadline shifted to 2017-01-30 due to the
            Christmas holidays. No answer.
2017-01-17: Asking for an update.
2017-01-17: Vendor apologizes for the delay and responds that, as this
            issue is a low threat, there is no estimated time of arrival
            for new firmware at the moment.
2017-01-25: Informed the vendor that the advisory will be published on
            2017-01-30 including the HackerOne reference number for the
            CSRF and that the PoC will be removed.
2017-01-30: Public release of advisory

Solution:
---------
There is no fix available from the vendor yet as they consider it as
low priority. Check the vendor's website for future updates.

Workaround:
-----------
No workaround

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the
evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about
vulnerabilities and valid recommendations about the risk profile of new
technologies.
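To illustrate what a server-side fix for both issues in the vulnerability
overview would look like (the Solution section reports that the vendor has
not provided one), the following is an added example. It is not Ubiquiti
firmware code and not part of the original advisory. It shows, side by
side, the unencoded reflection the advisory describes on the login page
and its HTML-escaped form, and a request dispatcher whose CSRF token check
covers every state-changing script regardless of the tab it belongs to,
with state changes over GET refused outright. The script names
(login.cgi, apply.cgi, system.cgi, network.cgi, reboot.cgi, status.cgi),
the reflected "uri" parameter, the device origin and the session model are
assumptions made for this example, not identifiers taken from the devices.

```python
"""Added example (not Ubiquiti firmware code, not part of the advisory):
a minimal CGI-style dispatcher closing both weakness classes described in
the advisory. Script names, the 'uri' parameter, DEVICE_ORIGIN and the
session model are assumptions made for this example."""
import hmac
import html
import secrets
from dataclasses import dataclass, field
from typing import Dict, Mapping, Tuple

# Hypothetical script names; the advisory does not name the device scripts.
STATE_CHANGING = {"system.cgi", "network.cgi", "apply.cgi", "reboot.cgi"}
# Hypothetical origin of the device's management interface.
DEVICE_ORIGIN = "https://192.0.2.1"


@dataclass
class Session:
    """Server-side session: one random CSRF token per session."""
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


def render_login_vulnerable(params: Mapping[str, str]) -> str:
    """The pattern the advisory describes: a parameter reflected into the
    login page without encoding, so a crafted link injects markup."""
    uri = params.get("uri", "/index.cgi")
    return f'<input type="hidden" name="uri" value="{uri}">'


def render_login(params: Mapping[str, str]) -> str:
    """Hardened login page: every reflected value is HTML-escaped.
    quote=True also escapes the double quote, which matters because the
    value lands inside an attribute."""
    uri = html.escape(params.get("uri", "/index.cgi"), quote=True)
    return ('<form method="POST" action="/login.cgi">'
            f'<input type="hidden" name="uri" value="{uri}">'
            '<input name="username"><input type="password" name="password">'
            '</form>')


def handle(method: str, script: str, params: Mapping[str, str],
           session: Session, headers: Mapping[str, str]) -> Tuple[int, str]:
    """Dispatch one request. Unlike the firmware described in the advisory,
    the CSRF check covers every state-changing script, not only the
    "system"/"network" tab POSTs, and state changes over GET are refused,
    because a GET is exactly what a crafted link or <img> tag triggers."""
    if script == "login.cgi" and method == "GET":
        return 200, render_login(params)
    if script not in STATE_CHANGING:
        return 200, "read-only"
    if method != "POST":
        return 405, "state changes require POST"
    # Defence in depth: browsers send Origin on cross-site POSTs.
    origin = headers.get("Origin")
    if origin is not None and origin != DEVICE_ORIGIN:
        return 403, "cross-origin request refused"
    # Constant-time comparison on bytes (compare_digest rejects non-ASCII str).
    supplied = params.get("csrf_token", "").encode()
    if not hmac.compare_digest(supplied, session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"{script} applied"


def demo() -> Dict[str, object]:
    """Exercise the handlers with constructed input and return the results."""
    payload = '"><script>alert(1)</script>'  # constructed test input
    s = Session()
    return {
        "vulnerable_reflects_script": "<script>" in render_login_vulnerable({"uri": payload}),
        "hardened_escapes_script": "<script>" not in render_login({"uri": payload}),
        "get_state_change": handle("GET", "reboot.cgi", {}, s, {})[0],
        "post_without_token": handle("POST", "apply.cgi", {}, s, {})[0],
        "post_cross_origin": handle("POST", "apply.cgi", {"csrf_token": s.csrf_token},
                                    s, {"Origin": "https://attacker.example"})[0],
        "post_with_token": handle("POST", "apply.cgi", {"csrf_token": s.csrf_token},
                                  s, {"Origin": DEVICE_ORIGIN})[0],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the dispatcher is that the token requirement is decided by
whether a script changes state, not by which tab renders it; a per-tab
check is what left the remaining scripts reachable through a crafted link.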
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2017