Categories: News

by peter

Share

Remote Code Execution on Unifi devices

We, and the Gibraltar CERT, are currently monitoring several exploited Unify network appliances throughout Gibraltar. A new exploit against Unify network devices, of which there is a large number within Gibraltar, was observed on the 20th of January of this year. We became aware today that an exploit has been published on the internet and is now in general circulation. I expect to start to see wide-scale exploitation of these appliances in the next five days.

Why is this an issue?

On the 23rd of January we provided a working remote code execution PoC (Proof of Concept) exploit for Unifi devices to the Ubiqiti that would allow an unauthenticated attacker to bypass security controls and join protected networks.

What we have been seeing in a number of cases is the following:

POST /api/login HTTP/2Host: 192.168.77.1Content-Length: 109Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"...{"username":"testpoc","password":"anything","remember":"","strict":true}

For an in-depth look at how this exploit works, and to get a working PoC, check out the work by puzzlepeaches at https://github.com/puzzlepeaches/Log4jUnifi

What do people need to do?

If you use Unify or any Ubiquiti application, contact your IT support company and ensure that the devices have been updated to the latest version. If you are unsure of whether your devices need to be updated, contact us at support@wearehedgehog.com and we will check for you.

As always, Hedgehog Security and our CERT team are here to help. If you have any questions, just let us know. We love talking about penetration testing and cyber security testing.

Categories: News