wow.

On Thu, Mar 16, 2017 at 7:12 PM, Joe Novak <[email protected]> wrote:

> The advisory: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170316-0_Ubiquiti_Networks_authenticated_command_injection_v10.txt
>
> The most concerning part? I quote:
>
> Vendor contact timeline:
> ------------------------
> 2016-11-22: Contacting vendor via HackerOne
> 2016-11-22: Vendor marks it as duplicate to: #143447
> 2016-11-23: Asking the vendor for a patch.
> 2016-11-25: Vendor responds that #143447 should be fixed for next stable
>             release.
> 2016-11-25: Asking for an estimated time frame for a fix of the
>             vulnerability.
> 2016-11-25: Vendor can not give a precise date.
> 2017-01-10: Asking the vendor for a patch and defined release of the
>             advisory for 2017-01-16 (concerning the SEC Consult
>             disclosure policy). Shifted the deadline to 2017-01-30
>             due to Christmas holidays; No answer.
> 2017-01-17: Asked for an update.
> 2017-01-17: Vendor excuses for the delay and responds that they got a
>             similar report but our PoC does not work.
> 2017-01-18: Explained PoC again
> 2017-01-19: Vendor responds that they received a similar report and
>             assumed a duplication. They state that our PoC never worked
>             and did not make any sense.
> 2017-01-20: Uploaded a video which shows a live command injection at an
>             up-to-date (v6.0) device and posted an assumed reason why
>             it's possible to exploit
> 2017-01-21: Vendor responds that they were able to reproduce it now. They
>             also posted the real cause.
> 2017-01-24: Asking whether the vulnerability is a duplicate to #143447.
> 2017-01-24: Vendor responds that it is no duplicate and that this
>             issue will be fixed as soon as possible.
> 2017-02-03: Asking for a status update; No answer.
> 2017-02-21: Asking for a status update; No answer.
> 2017-03-01: Informing the vendor that the release of the advisory is set to
>             2017-03-16; No answer.
> 2017-03-16: Public advisory release
>
> I don't think that is a very good response, and it makes me concerned about
> any other undisclosed security flaws.
>
> On Thu, Mar 16, 2017 at 8:02 PM, Zach Underwood <[email protected]> wrote:
>
>> https://www.theregister.co.uk/2017/03/16/ubiquiti_networking_php_hole/
>>
>> --
>> Zach Underwood (RHCE, RHCSA, RHCT, UACA)
>> My website <http://zachunderwood.me>
>> advance-networking.com
