yay
------ Original Message ------
From: "Jeremy" <[email protected]>
To: [email protected]
Sent: 3/16/2017 9:18:21 PM
Subject: Re: [AFMUG] ubnt airmax php hole
wow.
On Thu, Mar 16, 2017 at 7:12 PM, Joe Novak <[email protected]> wrote:
The advisory:
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20170316-0_Ubiquiti_Networks_authenticated_command_injection_v10.txt
The most concerning part? I quote:
Vendor contact timeline:
------------------------
2016-11-22: Contacting vendor via HackerOne
2016-11-22: Vendor marks it as duplicate to: #143447
2016-11-23: Asking the vendor for a patch.
2016-11-25: Vendor responds that #143447 should be fixed for next
            stable release.
2016-11-25: Asking for an estimated time frame for a fix of the
            vulnerability.
2016-11-25: Vendor can not give a precise date.
2017-01-10: Asking the vendor for a patch and defined release of the
            advisory for 2017-01-16 (concerning the SEC Consult
            disclosure policy). Shifted the deadline to 2017-01-30 due
            to Christmas holidays; No answer.
2017-01-17: Asked for an update.
2017-01-17: Vendor excuses for the delay and responds that they got a
            similar report but our PoC does not work.
2017-01-18: Explained PoC again
2017-01-19: Vendor responds that they received a similar report and
            assumed a duplication. They state that our PoC never worked
            and did not make any sense.
2017-01-20: Uploaded a video which shows a live command injection at an
            up-to-date (v6.0) device and posted an assumed reason why
            it's possible to exploit
2017-01-21: Vendor responds that they were able to reproduce it now.
            They also posted the real cause.
2017-01-24: Asking whether the vulnerability is a duplicate to #143447.
2017-01-24: Vendor responds that it is no duplicate and that this issue
            will be fixed as soon as possible.
2017-02-03: Asking for a status update; No answer.
2017-02-21: Asking for a status update; No answer.
2017-03-01: Informing the vendor that the release of the advisory is
            set to 2017-03-16; No answer.
2017-03-16: Public advisory release
I don't think that is a very good response, and it makes me concerned
about any other undisclosed security flaws.
On Thu, Mar 16, 2017 at 8:02 PM, Zach Underwood <[email protected]>
wrote:
https://www.theregister.co.uk/2017/03/16/ubiquiti_networking_php_hole/
--
Zach Underwood (RHCE,RHCSA,RHCT,UACA)
My website <http://zachunderwood.me>
advance-networking.com