SEC Consult SA-20170724-1 :: Open Redirect issue in multiple Ubiquiti Networks products

--qwq3QNeUxVu5T15edRm59PCmOHNWnxRQV
Content-Type: multipart/mixed; boundary="IuSxp957QrupagHcVAShWtlBnEjc7wt6m";
 protected-headers="v1"
From: SEC Consult Vulnerability Lab <research@sec-consult.com>
To: bugtraq@securityfocus.com, fulldisclosure@seclists.org
Message-ID: <11d8f297-b1ff-562f-e372-eb4f7a2bf792@sec-consult.com>
Subject: SEC Consult SA-20170724-1 :: Open Redirect issue in multiple Ubiquiti
 Networks products

--IuSxp957QrupagHcVAShWtlBnEjc7wt6m
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

SEC Consult Vulnerability Lab Security Advisory < 20170724-1 >
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
              title: Open Redirect in Login Page
            product: Multiple Ubiquiti Networks products, e.g.
                     TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
                     AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
                     AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
                     BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
                     locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
                     NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
                     NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,
                     Power AP N
 vulnerable version: AirOS 6.0.1 (XM), 1.3.4 (SW)
      fixed version: AirOS 6.0.3 (XM), 1.3.5 (SW)
         CVE number:
             impact: Low
           homepage: https://www.ubnt.com/
              found: 2017-03-22
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Montreal - Moscow
                     Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/

Business recommendation:
------------------------
SEC Consult recommends not to use the devices in production until a thoro=
ugh
security review has been performed by security professionals and all
identified issues have been resolved.


Vulnerability overview/description:
-----------------------------------
1) Open Redirect in Login Page - HackerOne #158287
A open redirect vulnerability can be triggered by luring an attacked user=
 to
authenticate to a Ubiquiti AirOS device by clicking on a crafted link.
This vulnerability was found earlier by another bug bounty participant
on HackerOne. It was numbered with #158287.

Proof of concept:
-----------------
http://<IP-of-Device>/login.cgi?uri=3Dhttps://www.sec-consult.com

After a successful login, the user will be redirected to

https://www.sec-consult.com.

Vulnerable / tested versions:
-----------------------------
Ubiquiti Networks AirRouter (v6.0.1)
Ubiquiti Networks TS-8-PRO (v1.3.4)

Based on information embedded in the firmware of other Ubiquiti products
gathered from our IoT Inspector tool we believe the following devices are=

affected as well:
Ubiquiti Networks LBE-M5-23 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M2-13 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-16 (Version: XW v6.0.1)
Ubiquiti Networks NBE-M5-19 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M2-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400 (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v6.0.1)
Ubiquiti Networks PBE-M5-620 (Version: XW v6.0.1)
Ubiquiti Networks RM2-Ti (Version: XW v6.0.1)
Ubiquiti Networks RM5-Ti (Version: XW v6.0.1)

Vendor contact timeline:
------------------------
2017-03-22: Contacting vendor via HackerOne.
2017-03-22: Vendor marked open redirect as duplicate to: #158287
            The contact also states that this issue will be resolved
            in the next release.
2017-05-05: Found updates (6.0.3 and 1.3.5) on the website of the vendor
            and confirmed the fix - provide at least 90 days for
            customers to apply the patch.
2017-05-15: Contacted vendor via e-mail and set the publication date
            to 2017-07-24.
2017-07-24: Public release of security advisory

Solution:
---------
Upgrade to firmware version 6.0.3 (XM), 1.3.5 (SW) or later.


Workaround:
-----------
No workaround


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. I=
t
ensures the continued knowledge gain of SEC Consult in the field of netwo=
rk
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evalu=
ation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and v=
alid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consu=
lt?
Contact our local offices https://www.sec-consult.com/en/About/Contact.ht=
m
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T.Weber / @2017


--IuSxp957QrupagHcVAShWtlBnEjc7wt6m--

--qwq3QNeUxVu5T15edRm59PCmOHNWnxRQV
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJZdk2+AAoJEC0t17XG7og/iGUP/3vpe7P+gz+kwakXYWmmnigx
p4DSDYgLmQzTIarsGbo8V86BNO5I3x4trSF83TngNl/GDMb/mAgiB4MMxQySPjB6
kHeE6N1Za5Wgpc1B+FT2ZCjGscLtB8cGciTpzhiPmEWg5qaK4WjNAnAqVrA5J9xP
f1Z7aD2LjX94spOaYcRetrbtoZFOqV1tNl7PQiihc6pxTPWVMmlRZ1H/L8l2rr2j
xpSmQT0e4HNK4dyRtr2S0EEwDzc0UmHct+t4J9D2hRrFRM/imDfkdhmi9LL/lovC
0C89Ndw9AXDgUKYa/SqkcZf02Preaf3gGbtY57zw2ypjt4wElxVwAm66bkfK/6bZ
nLa1rWlgzaLB6C4ec6j5wnwyK8FriwoQmLl2/qgRU2trszek2JEIE0aMH2QUssl6
lrsbgOg/J1c86RPzFJU+YW/K1KHqA8IeFJ2YGZ58xqFCbaJaFNP2WVyDI0rSjVsp
SumT8+Vr7AyGDHNA3kGkpx5EwPDXu/+jkw68xyXvGKEbVSYV9aLQGBPe7bkfW2qx
cVgN+XKbZj1vSIGFdbLCI7D7W/AygXFOy4Nj8G17s2CI0kXFzWRqzW4bCgSnz07z
u9ZFn5A99DC1Qh+TbsP4Gj10EEg00xcJXKfpt1yOVoUMQPX7UnerD1JIIpXQ2cVG
9SfaE+osw2hub76bMYJX
=hOD1
-----END PGP SIGNATURE-----

--qwq3QNeUxVu5T15edRm59PCmOHNWnxRQV--