Ubiquiti network gear can be 'hijacked by an evil URL' – thanks to its 20-year-old PHP build

Security researchers have gone public with details of an exploitable flaw in Ubiquiti's wireless networking gear – after the manufacturer allegedly failed to release firmware patches. Austrian-based bods at SEC Consult Vulnerability Lab found the programming cockup in November and contacted Ubiquiti – based in San Jose, …

  1. Chris King

    Seems to be mostly AirMax products...

    The EdgeMax kit (EdgeRouter/EdgeSwitch/EdgePoint) uses PHP 7.0 for its UI, and current UniFi controllers run 5.6.

    EdgeMax got some upgrade love when Rasmus Lerdorf bought an EdgeRouter:

    https://toys.lerdorf.com/archives/59-Upgrading-PHP-on-the-EdgeRouter-Lite.html

  2. Graham Dawson Silver badge

    I'm vaguely disturbed by the concept of a 20 year-old PHP build...

    1. streaky

      Yet totally and completely unsurprised?

      1. Tim Bates

        W

        Why would anyone be surprised. There's plenty of elderly software out there, especially in embedded systems. Even in brand new devices.

        The only genuinely surprising thing here is that UBNT haven't acted... Actually, that's not surprising either (as much as I love their products, they do seem very touchy about being told they got something wrong).

        1. Justicesays

          Re: W

          "The only genuinely surprising thing here is that UBNT haven't acted... "

          I guess the challenge of rewriting all of their PHP 2 code into PHP 7 is somewhat daunting?

          Given they probably don't have anyone capable of doing it as otherwise why would they be running 20 year old PHP in the first place...

    2. Voland's right hand Silver badge

      Why?

      It is just typical for "embedded development". Packages? Updates? Security Fixes to components? Following the security of components?

      All of that does not fit into the viewpoint of your typical realtime embedditis-damaged brain. Ubiquiti is no different from most others - I have seen plenty of components 5-7 years past their "sell by" date floating around embedded trees. That is one of the reasons why the first thing I do to any wifi or home CPE is to flash it with a fresh OpenWRT build.

    3. Mpeler

      Ubiquity

      Looks like the exploits coming up will be Ubiquitous...

      Paris, because she's ubiquitous, too...

    4. MNGrrrl

      > I'm vaguely disturbed by the concept of a 20 year-old PHP build...

      You should be disturbed: It didn't exist then. It wasn't PHP as you'd recognize it until a year or two later -- when it became more language and less... snot and baling wire holding together a bunch of CGI scripts. But that's not really the depressing part: It's that they were making wireless networking gear out of some dude's scraps of code, which he wrote principally to track people viewing his resume online, before he even banged a few rocks together to mangle it into some semblance of a generic platform.

      This is rather like building an operating system using stuff you found in a nearby landfill. Oh, wait... That's already been done. Umm, insert another less conspicuous example here. *poofs*

  3. Johan-Kristian Wold 1

    Seriously needs an upgrade anyways...

    The latest and greatest controller software for the Ubiquiti doesn't run on Windows 10, either.

    1. Youngone Silver badge

      Re: Seriously needs an upgrade anyways...

      The latest and greatest controller software for the Ubiquiti doesn't run on Windows 10, either.

      That must be why it didn't work for me. Works fine on LinuxMint however, so I'm not too bothered.

    2. Tim Bates

      Re: Seriously needs an upgrade anyways...

      People run that on Windows? I mean I gave it a trial run on Windows before I bought any gear... But it went straight to its own VM running Debian when the equipment arrived.

  4. jake Silver badge

    20 year old PHP implementation?

    That's what, 140 dog years? Or roughly a dozen generations in Internet time? Whoever is in charge of that particular bit of stupidity should never work in the industry again ...

    1. Phil Kingston

      Re: 20 year old PHP implementation?

      Gonna stick my neck out and suggest that there ain't nothing wrong with using 20 year old code. If it's sound.

      What does show "stupidity" is running a web server as root. And to ignore bugs they're alerted to.

      1. Anonymous Coward

        @Phil Kingston - Re: 20 year old PHP implementation?

        Stupidity ? That's mild. I'd personally label it full blown idiocy.

      2. jake Silver badge

        Re: 20 year old PHP implementation?

        No, there is nothing inherently wrong with 20 year old code. I run an instance of a 30 year old OS. It's online[0], even. For small values of "online". It's a DEC PDP10 running TOPS10. It serves an ancient MUD (and a few other old games like DECWAR) that I keep going for some friends. Invite only, sorry. The actual machine that users log into is one of the BSDs, which acts kinda like a terminal server for the PDP10, with an input sanitisation function. And THAT is behind yet another BSD box that is configured as a stateful firewall ... Somebody will probably manage to break into the kludge eventually, but it'll hardly be an issue.

        But intentionally exposing to the TehIntraWebTubes a general purpose scripting language interpreter, from 20 years ago, that was barely in what I would consider Alpha release even back then? Intentionally for sale to the general public, in modern hardware? That is stupidity no matter how hard you squint at it.

    2. streaky

      Re: 20 year old PHP implementation?

      I wouldn't trust a build of *any* interpreter from 20 years ago, doesn't matter what you think of PHP. Running as root is moot - once somebody is in, any common priv escalation and you're gold.

      1. Tom 38

        Re: 20 year old PHP implementation?

        I wouldn't trust a build of *any* interpreter from 20 years ago, doesn't matter what you think of PHP.

        I have no qualms still using csh on Solaris 2.5(?), which would be about 20 years old by now I'd have thought.

        1. jake Silver badge

          Re: 20 year old PHP implementation?

          Sure, Tom. But would you put Solaris 2.5 online, in a network facing environment?

        2. Down not across

          Re: 20 year old PHP implementation?

          I have no qualms still using csh on Solaris 2.5(?), which would be about 20 years old by now I'd have thought.

          I do. I wouldn't have any issue with using sh though.

          Not trying to start one of the oldest flamewars, just that I never liked c-shell.

  5. Anonymous Coward

    Can anyone tell me why this company's products are so hyped?

    Certain parts of the net would have you believe Ubiquiti is where you go if you want a premium product.

    1. SImon Hobson Bronze badge

      I wouldn't call them a premium product - but the reason we sell it and use it is that you get a lot for your money.

      There's still things I've put my name to on the wish-list (the way they've done wireless network groups doesn't make sense), but given that it's almost trivial to run a multi-site, multi-SSID, WiFi setup from one place - with APs that don't break the bank - it's pretty good kit that's generally easy to manage.

      We've found the hardware fairly reliable (I can only remember one failure so far), and when I needed support, it was good.

      And getting a couple of freebie* AC access points out of them didn't hurt either ;-)

      * I think they found their first production run had some issues, so they gave them away to people on their forums to help get some units in use and get feedback.

    2. localzuk Silver badge

      Price for featureset is pretty much the best out there. The pricing of UBNT stuff is amazingly low, and you get a heck of a lot for that.

    3. The obvious

      ...for a given value of 'premium' they are what people claim them to be.

      If, like many of those people, your only experience is the typical SOHO crap like the usual D-Link, Buffalo, and Netgear (not even mentioning the no-name crap) it is a vastly premium product set with some big-ticket features for a low price, and you can run the server end on a raspberry pi. Most of those people will never see a big wireless installation.

  6. Anonymous Coward

    If only this were all their problems

    This is a company with some great ideas and sh1t execution.

    A network company that doesn't understand the logical difference between a site and a network, so in one of their products they assign network attributes to sites, duh!

    As an organisation, they are a bunch of component engineers, with backgrounds with a strong emphasis on RF. They are like the blind men standing round an elephant, trying to describe it, as far as networks are concerned.

    Security is another world, as far as many of their software folk are concerned ("it doesn't matter that our little appliance has a duff security certificate"). They are not very good at looking after the business's money either.

    There is worse, but it is not for a family site.

  7. Bronek Kozicki

    alternatives to Ubiquiti?

    I liked their approach for distributed APs, and was seriously considering buying two for my house. However, seeing that they use the technical equivalent of a penny-farthing (+ makeup to make it look more modern) for their web interface, I am no longer tempted. Who else is out there?

    1. Flakk

      Re: alternatives to Ubiquiti?

      In terms of cost, Ruckus is about mid-range. Their APs are more expensive than Ubiquiti, but about half the cost of enterprise-grade APs from Cisco or HP.

      Stability and performance have been good. I like the virtual wireless controller functionality.

    2. Mike123456

      Re: alternatives to Ubiquiti?

      You might look to Meraki.

      Free AP, with 3 year license for sitting through an online sales pitch.

      Bad side - in 3 years, pay for a license, or the product turns into a brick.

      I do believe you can flash with DD-WRT, but that's circumstantial to me. YMMV

      1. Crazy Operations Guy

        Re: alternatives to Ubiquiti?

        "Bad side - in 3 years, pay for a license, or the product turns into a brick."

        Would it be possible to listen to their sales pitch every three years? Timing's about right for an upgrade cycle...

    3. gtallan

      Re: alternatives to Ubiquiti?

      Mikrotik, maybe?

      1. Adam JC

        Re: The Need For Speed

        Whilst MikroTik do WiFi via RouterBOARD, etc. - It's not in the same league as the UniFi kit in terms of mass-management. (Obviously the MikroTik kit is much more feature-packed with RouterOS).

        The attraction with the Ubiquiti managed APs is that you can manage hundreds, or even thousands from a central point and there's no fees as with Cisco, Meraki et al. It knocks the socks off other vendors for cost-per-AP when it comes to function vs price.

        We've deployed just under 800 APs to date along with using their other PTP hardware and it's a refreshingly pleasant experience deploying the kit whether you're dropping one in a small office or deploying 20 in a hotel - It's literally child's play if you're even remotely competent in IT, which is why a lot of people like it. Despite this, some deployments still demand Ruckus or Cisco but for the bulk of it, Ubiquiti kit tends to be more than capable of most things.

    4. Crazy Operations Guy

      Re: alternatives to Ubiquiti?

      I've been thinking about getting some myself, does anyone know if this exploit could be stopped if the management interface is behind a firewall? Specifically, does the exploit need to be able to contact the management IP or would it work on any IP the device has?

      All of my management traffic is on its own network that lack Internet access, so I'm hoping I am safe.

  8. EnviableOne

    Pay peanuts

    The whole thing with Ubiquiti is they are cheap, if you want security and functionality you have to pay for it. Their kit also uses a whole lot of proprietary hardware and makes a mockery of standardisation.

    1. Adam JC

      Re: Pay peanuts

      What exactly do you mean by the 'security and functionality' aspect? I'm able to use my own Thawte/Verisign SSL certificate to encrypt all traffic between the APs we deploy and the controller. Don't see an issue with the security there.

      As for functionality, can you list anything specifically that the kit is lacking? I've not come across a scenario where the Ubiquiti kit can't do the same as its much more expensive Cisco/Meraki/Aruba equivalent could. (That's not to say I haven't used alternative brand kit out of personal preference sometimes regardless - I personally quite like the LigoWave/Deliberant Mach5 kit for some long range PTP link installs)

      Lastly, I think you'll find all the vendors have some form of their own take on 'standardisation' - Cisco, Meraki, Aruba all insist on you using their OWN cloudy hosting systems and charge a fee as such. And proprietary hardware? They use the same chips as everyone else.. Atheros AR-series chips for WiFi in the UniFi APs for instance.. nothing proprietary there.

    2. The obvious

      Re: Pay peanuts

      You say that as if Cisco etc have never had a stupid vulnerability or "feature" like being able to rewrite the firmware remotely without authentication...

      1. Down not across

        Re: Pay peanuts

        You say that as if Cisco etc have never had a stupid vulnerability or "feature" like being able to rewrite the firmware remotely without authentication...

        Ok I bite.

        I take it you're referring to Smart Install (yes, I agree in principle that most things named Smart something rarely are). Whilst I agree that the feature (I don't agree with it being called a vulnerability since the behaviour and risk is well documented in Cisco's documentation) could no doubt benefit from additional security features, we are in the end talking about an enterprise feature which presumably is being used by qualified personnel.

        Here is an excerpt from the doc linked to above:

        The absence of an authorization or authentication mechanism in the Smart Install protocol between the client and the director can allow a client to process crafted Smart Install messages as if these messages were from the Smart Install Director. These include the following:

        * Change the TFTP server address on Smart Install clients.

        * Copy the startup configuration of client switches to the previously-changed and attacker-controlled TFTP server.

        * Substitute the startup configuration of clients with a configuration created by the attacker, and forcing a reload of the clients after a configured time interval.

        * Upgrade the IOS image on client switches to an image supplied by the attacker.

        * Execute arbitrary commands on client switches (applicable to Cisco IOS Release 15.2(2)E and later releases and Cisco IOS XE Release 3.6.0E and later releases.)

        While designing a Smart Install architecture, care should be taken such that the infrastructure IP address space is not accessible to untrusted parties. Design considerations are listed in the Security Best Practices section of this document.

        Let's face it, if you're using this feature to provision kit into your network, why would you NOT add 'no vstack' to the config you push to a new device?
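The point above (push a config that carries `no vstack` to every client you provision) is easy to state and easy to forget on one switch. The audit below, an added example and not code from the thread, from Cisco or from Ubiquiti, classifies plain-text IOS configs by their Smart Install posture and lists the ones that still need attention. The three sample configs, the hostnames and the addresses are constructed for the demo; the classification also assumes, as a stated assumption, that a supported client switch with nothing said about `vstack` has the Smart Install client enabled by default, which is the exposed case the Cisco excerpt describes.

```python
import re

# Constructed sample: a client switch config as Smart Install might push it,
# saying nothing about vstack (assumption: the client is then enabled by default).
UNHARDENED_CONFIG = """\
version 15.2
hostname access-sw-01
!
ip domain-name example.invalid
!
interface Vlan1
 ip address 10.0.0.11 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

# Constructed sample: the same config with the Smart Install client turned off.
HARDENED_CONFIG = """\
version 15.2
hostname access-sw-02
no vstack
!
ip domain-name example.invalid
!
interface Vlan1
 ip address 10.0.0.12 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

# Constructed sample: a director, which intentionally runs Smart Install.
DIRECTOR_CONFIG = """\
version 15.2
hostname core-sw-01
!
vstack director 10.0.0.1
vstack basic
!
end
"""


def config_lines(config_text):
    """Yield config lines with whitespace stripped, skipping blanks and '!' separators."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("!"):
            yield line


def hostname(config_text):
    """Return the hostname set in a config, or '<unknown>' if there is none."""
    for line in config_lines(config_text):
        m = re.match(r"hostname\s+(\S+)$", line)
        if m:
            return m.group(1)
    return "<unknown>"


def smart_install_state(config_text):
    """Classify a config's Smart Install posture.

    'disabled'       - 'no vstack' is present, so the client ignores Smart Install messages.
    'director'       - 'vstack director' or 'vstack basic' is present: this box is a director
                       and runs the protocol on purpose; it still deserves a look.
    'client-default' - nothing configured either way; assumption: the client is enabled by
                       default on supported releases, so this is the exposed case.
    """
    lines = list(config_lines(config_text))
    if "no vstack" in lines:
        return "disabled"
    if any(re.match(r"vstack (director|basic)\b", line) for line in lines):
        return "director"
    return "client-default"


def audit(configs):
    """Return the sorted hostnames of configs on which Smart Install is still active."""
    return sorted(
        hostname(text) for text in configs
        if smart_install_state(text) != "disabled"
    )


if __name__ == "__main__":
    samples = [UNHARDENED_CONFIG, HARDENED_CONFIG, DIRECTOR_CONFIG]
    for text in samples:
        print(f"{hostname(text):<14} {smart_install_state(text)}")
    print("needs attention:", audit(samples))
```

Run it over a directory of backed-up running-configs and anything reported as `client-default` is a switch that will accept unauthenticated director messages from whoever can reach it; the director entries are the boxes whose management reachability (the "infrastructure IP address space" in the excerpt) you should be restricting with an ACL rather than disabling outright.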

  9. Oldspeak

    Quality journalism

    Worth noting that this doesn't affect any of the UniFi kit which almost all the media outlets chose to use to illustrate their stories. This is also the kit most people would have at home.

    Ubiquiti's product lines are more like completely separate companies, steer clear of the P2P and WISP kit.

    1. Anonymous Coward

      Re: Quality journalism

      The P2P/WISP kit isn't that bad really, though as with everything you have to be a bit careful about compatibility with upgrades (some people have had stability problems between XM and XW airMAX M devices with newer firmware).

      Is there any networking kit from any vendor where you'd consider it safe to expose the management interface to untrusted users? That goes on a separate vlan and blocked off, end of.

  10. TXITMAN

    Updates have been published

    Not that this is a tech forum, more a Politico thing at this point but here I go;

    YMMV. AirOS 8.0.1 did come out in February and does fix the vulnerability. AirOS, AirFiber, and AirMax updated over the weekend here with no issues.
