https://community.ubnt.com/t5/airMAX-General-Discussion/Unpatched-hole-in-AirOS/m-p/1868447#U1868447
Robert of ubnt committed here On Fri, Mar 17, 2017 at 9:34 AM, Adam Moffett <[email protected]> wrote: > yay > > > ------ Original Message ------ > From: "Jeremy" <[email protected]> > To: [email protected] > Sent: 3/16/2017 9:18:21 PM > Subject: Re: [AFMUG] ubnt airmax php hole > > wow. > > On Thu, Mar 16, 2017 at 7:12 PM, Joe Novak <[email protected]> wrote: > >> The advisory: https://www.sec-consult.com/fxdata/seccons/prod/ >> temedia/advisories_txt/20170316-0_Ubiquiti_Networks_authenti >> cated_command_injection_v10.txt >> >> >> The most concerning part? I quote: >> >> >> Vendor contact timeline: >> ------------------------ >> 2016-11-22: Contacting vendor via HackerOne >> 2016-11-22: Vendor marks it as duplicate to: #143447 >> 2016-11-23: Asking the vendor for a patch. >> 2016-11-25: Vendor responds that #143447 should be fixed for next stable >> release. >> 2016-11-25: Asking for an estimated time frame for a fix of the >> vulnerability. >> 2016-11-25: Vendor can not give a precise date. >> 2017-01-10: Asking the vendor for a patch and defined release of the >> advisory for 2017-01-16 (concerning the SEC Consult >> disclosure policy). Shifted the deadline to 2017-01-30 >> due to Christmas holidays; No answer. >> 2017-01-17: Asked for an update. >> 2017-01-17: Vendor excuses for the delay and responds that they got a >> similar report but our PoC does not work. >> 2017-01-18: Explained PoC again >> 2017-01-19: Vendor responds that they received a similar report and >> assumed a duplication. They state that our PoC never worked >> and did not make any sense. >> 2017-01-20: Uploaded a video which shows a live command injection at an >> up-to-date (v6.0) device and posted an assumed reason why >> it's possible to exploit >> 2017-01-21: Vendor responds that they were able to reproduce it now. They >> also posted the real cause. >> 2017-01-24: Asking whether the vulnerability is a duplicate to #143447. >> 2017-01-24: Vendor responds that it is no duplicate and that this >> issue will be fixed as soon as possible. >> 2017-02-03: Asking for a status update; No answer. >> 2017-02-21: Asking for a status update; No answer. >> 2017-03-01: Informing the vendor that the release of the advisory is set to >> 2017-03-16; No answer. >> 2017-03-16: Public advisory release >> >> >> I don't think that is a very good response, and makes me concerned about >> any other undisclosed security flaws. >> >> On Thu, Mar 16, 2017 at 8:02 PM, Zach Underwood <[email protected]> >> wrote: >> >>> https://www.theregister.co.uk/2017/03/16/ubiquiti_networking_php_hole/ >>> >>> -- >>> Zach Underwood (RHCE,RHCSA,RHCT,UACA) >>> My website <http://zachunderwood.me> >>> advance-networking.com >>> >> >> > -- Zach Underwood (RHCE,RHCSA,RHCT,UACA) My website <http://zachunderwood.me> advance-networking.com
