Message-ID: <c032a2a9-1320-5851-d9c7-ab9eec4dbf58@sec-consult.com>
Date: Mon, 30 Jan 2017 11:59:41 +0100
From: SEC Consult Vulnerability Lab <research@...-consult.com>
To: <fulldisclosure@...lists.org>, <bugtraq@...urityfocus.com>
Subject: [FD] SEC Consult SA-20170130-0 :: XSS & CSRF in multiple Ubiquiti Networks products

SEC Consult Vulnerability Lab Security Advisory < 20170130-0 >
=======================================================================
              title: XSS & CSRF vulnerabilities
            product: Multiple Ubiquiti Networks products, e.g.
                     TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
                     AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
                     AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
                     BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
                     locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
                     NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
                     NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,
                     Power AP N, PicoStation2, PicoStation2HP
 vulnerable version: v1.3.3 (SW), v5.6.9/v6.0 (XM), v4.0.4 (XS2)
      fixed version: -
         CVE number: -
             impact: Medium
           homepage: https://www.ubnt.com
              found: 2016-11-22
                 by: T. Weber (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult
                     Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
                     Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets."

Source: http://ir.ubnt.com/


Business recommendation:
------------------------
SEC Consult recommends performing a thorough security review, conducted by
security professionals, to identify and resolve all security issues.


Vulnerability overview/description:
-----------------------------------
1) Reflected Cross Site Scripting (XSS)
This vulnerability is present on the following devices:
TS-16-CARRIER, TS-5-POE, TS-8-PRO - v1.3.3 (SW)
PicoStation2, PicoStation2HP      - v4.0.4 (XS2) (End of Life)

Ubiquiti does not properly encode parameters that are reflected on the
login page of the devices, which leads to reflected cross site scripting. An
attacker can abuse these vulnerabilities to steal the attacked user's cookies
in order to log in to the device remotely.
An attacker is also able to perform actions in the context of the attacked user.

2) Cross Site Request Forgery (CSRF) - HackerOne #73289
Ubiquiti implemented CSRF protection tokens for the POST requests that are sent
in the context of the "system" and "network" tabs, but did not implement
tokens for GET requests or for the remaining POST requests. Therefore an
attacker is able to call "cgi" scripts by luring the attacked user into clicking
a crafted link.
This vulnerability was found earlier by another bug bounty participant
on HackerOne, where it was assigned #73289. The status of this bug is unknown.
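As an added illustration from the defender's side (this is example code written for this page, not code from the advisory or from Ubiquiti's firmware), the following Python models both findings: the login page reflecting a query parameter without output encoding, and a CSRF check that is only applied to POSTs of two tabs while every other cgi request passes unchecked. The endpoint paths, the `error` parameter name and the session store are assumptions; the hardened variant requires POST plus a valid per-session token for every cgi script.

```python
import hmac
import html
import secrets
from urllib.parse import parse_qs

# Constructed session store mapping session id -> per-session CSRF token.
# This is an assumption for the example, not the device's real session handling.
SESSIONS = {"sess1": secrets.token_hex(16)}

# Hypothetical cgi endpoints; the advisory names only the "system" and
# "network" tabs as the ones whose POST requests carry a token.
TOKEN_CHECKED_PATHS = ("/system.cgi", "/network.cgi")


def render_login_error(query: str) -> str:
    """Reflect the 'error' query parameter into the login page.

    Output encoding with html.escape(quote=True) is the missing step behind
    the reflected XSS finding: every reflected value must be encoded for the
    HTML context it lands in.
    """
    error = parse_qs(query).get("error", [""])[0]
    return '<p class="err">%s</p>' % html.escape(error, quote=True)


def _token_matches(session_id: str, token: str) -> bool:
    expected = SESSIONS.get(session_id)
    if not expected or not token:          # no session or no token: reject
        return False
    return hmac.compare_digest(expected, token)   # constant-time comparison


def csrf_ok_partial(method: str, path: str, session_id: str, token: str) -> bool:
    """The inconsistent pattern the advisory describes: the token is only
    verified for POSTs to two tabs, so GET and all other POSTs pass unchecked."""
    if method == "POST" and path in TOKEN_CHECKED_PATHS:
        return _token_matches(session_id, token)
    return True


def csrf_ok_full(method: str, path: str, session_id: str, token: str) -> bool:
    """Hardened rule: every cgi script is treated as state-changing, so it must
    be reached via POST and carry a valid per-session token. A plain link (GET)
    can therefore never reach a cgi script, whichever endpoint it names."""
    if not path.endswith(".cgi"):
        return True                          # static content, nothing to protect
    if method != "POST":
        return False
    return _token_matches(session_id, token)
```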


Proof of concept:
-----------------
The vendor considers this as low priority, hence there is no fix available and a
date for a patch has not been defined by the vendor.

The proof of concept has been removed from this advisory.


Vulnerable / tested versions:
-----------------------------
The following devices and firmware versions have been tested:
TS-8-PRO                     - v1.3.3 (SW)   - (CSRF, XSS)
PicoStation2, PicoStation2HP - v4.0.4 (XS2)  - (CSRF, XSS) (End of Life)
(Rocket) M5                  - v5.6.9/v6.0 (XM)   - (CSRF)
(PicoStationM2HP) PICOM2HP   - v5.6.9/v6.0 (XM)   - (CSRF)
(NanoStationM5) NSM5         - v5.6.9/v6.0 (XM)   - (CSRF)


Based on information embedded in the firmware of other Ubiquiti products,
gathered with our IoT Inspector tool for automated firmware analysis,
we believe the following devices are affected at least by CSRF as well:

Ubiquiti Networks AF24 (Version: AF24 v3.2)
Ubiquiti Networks AF24HD (Version: AF24 v3.2)
Ubiquiti Networks AF-2X (Version: AF2X v3.2 )
Ubiquiti Networks AF-3X (Version: AF3X v3.2)
Ubiquiti Networks AF5 (Version: AF5 v3.2)
Ubiquiti Networks AF5U (Version: AF5 v3.2)
Ubiquiti Networks AF-5X (Version: AF5X v3.2.1)
Ubiquiti Networks AG-PRO-INS (Version: AirGWP v1.1.7)
Ubiquiti Networks airGateway (Version: AirGW v1.1.7)
Ubiquiti Networks airGateway-LR (Version: AirGW v1.1.7)
Ubiquiti Networks AMG-PRO (Version: AirGWP v1.1.7)
Ubiquiti Networks LBE-5AC-16-120 (Version: WA v7.2.4)
Ubiquiti Networks LBE-5AC-23 (Version: WA v7.2.4)
Ubiquiti Networks LBE-M5-23 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-5AC-16 (Version: WA v7.2.4)
Ubiquiti Networks NBE-5AC-19 (Version: XC v7.2.4)
Ubiquiti Networks NBE-M2-13 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-16 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks NBE-M5-19 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-5AC-300 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-300-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-400-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500 (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-500-ISO (Version: XC v7.2.4)
Ubiquiti Networks PBE-5AC-620 (Version: XC v7.2.4)
Ubiquiti Networks PBE-M2-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-300-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-400-ISO (Version: XW v5.6.9/v6.0)
Ubiquiti Networks PBE-M5-620 (Version: XW v5.6.9/v6.0)
Ubiquiti Networks R5AC-Lite (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PRISM (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTMP (Version: XC v7.2.4)
Ubiquiti Networks R5AC-PTP (Version: XC v7.2.4)
Ubiquiti Networks RM2-Ti (Version: XW v5.6.9/v6.0)
Ubiquiti Networks RM5-Ti (Version: XW v5.6.9/v6.0)


Vendor contact timeline:
------------------------
2016-11-22: Contacting vendor via HackerOne
2016-11-22: Vendor responds that XSS is out-of-scope and marks CSRF
            as a duplicate of #73289
2016-11-23: Asking the vendor for a patch of #73289 and why XSS
            is out-of-scope.
2016-11-25: Vendor responds that "#73289 may not be fixed for next release,
            probably in the next development cycle" and XSS is out-of-
            scope since it was found in legacy firmware.
2016-11-25: Asking for an estimated time frame for a fix of #73289
            and whether we can publish the XSS.
2016-11-25: Vendor had not noticed the affected TS-* products and
            re-evaluates and confirms the found XSS. The fix for #73289
            should be released in the next stable version.
            Vendor cannot give a precise date.
2017-01-10: Asking the vendor for a patch and setting the release of the
            advisory for 2017-01-16 (according to the SEC Consult
            disclosure policy). Shifted the deadline to 2017-01-30
            due to the Christmas holidays; no answer.
2017-01-17: Asking for an update.
2017-01-17: Vendor apologizes for the delay and responds that, as this
            issue is a low threat, there is no estimated time of
            arrival for new firmware at the moment.
2017-01-25: Informed the vendor that the advisory will be published on
            2017-01-30 including the HackerOne reference number for the
            CSRF and that the PoC will be removed.
2017-01-30: Public release of advisory


Solution:
---------
There is no fix available from the vendor yet, as they consider the issue low
priority. Check the vendor's website for future updates.


Workaround:
-----------
No workaround


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF T. Weber / @2017




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
