Message-ID: <CA+ZvHYGC5KaAcROn6HiDsGvAG_y-pgP2phLFPo=FMEFieVzeQA@mail.gmail.com>
Date: Mon, 20 Mar 2017 14:40:28 +0000
From: Carlos Silva <r3pek@...ek.org>
To: SEC Consult Vulnerability Lab <research@...-consult.com>
Cc: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: Re: [FD] SEC Consult SA-20170316-0 :: Authenticated command injection in multiple Ubiquiti Networks products

Hi.

On Thu, Mar 16, 2017 at 11:35 AM, SEC Consult Vulnerability Lab <research@...-consult.com> wrote:
>
> SEC Consult Vulnerability Lab Security Advisory < 20170316-0 >
> =======================================================================
>               title: Authenticated Command Injection
>             product: Multiple Ubiquiti Networks products, e.g.
>                      TS-16-CARRIER, TS-5-POE, TS-8-PRO, AG-HP-2G16,
>                      AG-HP-2G20, AG-HP-5G23, AG-HP-5G27, AirGrid M,
>                      AirGrid M2, AirGrid M5, AR, AR-HP, BM2HP, BM2-Ti,
>                      BM5HP, BM5-Ti, LiteStation M5, locoM2, locoM5,
>                      locoM9, M2, M3, M365, M5, M900, NB-2G18, NB-5G22,
>                      NB-5G25, NBM3, NBM365, NBM9, NSM2, NSM3, NSM365,
>                      NSM5, PBM10, PBM3, PBM365, PBM5, PICOM2HP,
>                      Power AP N
>  vulnerable version: v1.3.3 (SW), v5.6.9/v6.0 (XM)

It's supposed to be fixed in SW 1.3.4:
https://dl.ubnt.com/firmwares/TOUGHSwitch/v1.3.4/changelog.txt
and XW 6.0.1:
https://dl.ubnt.com/firmwares/XW-fw/v6.0.1/changelog.txt
(don't know about the rest of them)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/