Re: [AFMUG] ubnt airmax php hole

Thu, 16 Mar 2017 18:13:12 -0700 

The advisory:
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170316-0_Ubiquiti_Networks_authenticated_command_injection_v10.txt


The most concerning part? I quote:


Vendor contact timeline:
------------------------
2016-11-22: Contacting vendor via HackerOne
2016-11-22: Vendor marks it as duplicate to: #143447
2016-11-23: Asking the vendor for a patch.
2016-11-25: Vendor responds that #143447 should be fixed for next stable
            release.
2016-11-25: Asking for an estimated time frame for a fix of the
            vulnerability.
2016-11-25: Vendor can not give a precise date.
2017-01-10: Asking the vendor for a patch and defined release of the
            advisory for 2017-01-16 (concerning the SEC Consult
            disclosure policy). Shifted the deadline to 2017-01-30
            due to Christmas holidays; No answer.
2017-01-17: Asked for an update.
2017-01-17: Vendor excuses for the delay and responds that they got a
            similar report but our PoC does not work.
2017-01-18: Explained PoC again
2017-01-19: Vendor responds that they received a similar report and
            assumed a duplication. They state that our PoC never worked
            and did not make any sense.
2017-01-20: Uploaded a video which shows a live command injection at an
            up-to-date (v6.0) device and posted an assumed reason why
            it's possible to exploit
2017-01-21: Vendor responds that they were able to reproduce it now. They
            also posted the real cause.
2017-01-24: Asking whether the vulnerability is a duplicate to #143447.
2017-01-24: Vendor responds that it is no duplicate and that this
            issue will be fixed as soon as possible.
2017-02-03: Asking for a status update; No answer.
2017-02-21: Asking for a status update; No answer.
2017-03-01: Informing the vendor that the release of the advisory is set to
            2017-03-16; No answer.
2017-03-16: Public advisory release


I don't think that is a very good response, and makes me concerned about
any other undisclosed security flaws.

On Thu, Mar 16, 2017 at 8:02 PM, Zach Underwood <[email protected]>
wrote:

> https://www.theregister.co.uk/2017/03/16/ubiquiti_networking_php_hole/
>
> --
> Zach Underwood (RHCE,RHCSA,RHCT,UACA)
> My website <http://zachunderwood.me>
> advance-networking.com
>

Reply via email to