BugTraq
SEC Consult SA-20151105-0 :: Insecure default configuration in Ubiquiti Networks products Nov 05 2015 12:49PM
SEC Consult Vulnerability Lab (research@sec-consult.com)
SEC Consult Vulnerability Lab Security Advisory < 20151105-0 >
=======================================================================
title: Insecure default configuration
product: various Ubiquiti Networks products
vulnerable version: see Vulnerable / tested versions
fixed version: none available
impact: High
homepage: https://www.ubnt.com/
found: 2015-08-17
by: Stefan Viehböck (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
Ubiquiti Networks develops high-performance networking
technology for service providers and enterprises. Our technology
platforms focus on delivering highly advanced and easily deployable
solutions that appeal to a global customer base in underserved and
underpenetrated markets.

Source: http://ir.ubnt.com/

Vulnerability overview/description:
-----------------------------------
1) Hardcoded cryptographic keys
A certificate including its private key is embedded in the firmware of several
Ubiquiti Networks products. The certificate is used for HTTPS (default server
certificate for web based management).

Impersonation, man-in-the-middle or passive decryption attacks are possible.
These attacks allow an attacker to gain access to sensitive information like
admin credentials and use them in further attacks.

Furthermore, searching for the certificate fingerprint in data from internet-wide
scans is a low-cost way of finding the IPs of specific products/product groups and
allows an attacker to exploit vulnerabilities at scale.
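A defender-side inventory check, added here as an example and not part of the original advisory: given the DER certificate a device presents on its HTTPS management port, it extracts the serialNumber with a minimal ASN.1 walk and compares it with the serial shown in the OpenSSL output below (0xba15f761dbb7b2b7), so an operator can find devices in their own network that still serve the shared factory certificate. The parser handles both v1 certificates (no version field, as in this advisory) and v3 certificates; the host/port passed to fetch_server_cert are assumptions.

```python
import socket
import ssl

# Serial number of the shared factory certificate, from the advisory's OpenSSL output.
SHARED_UBNT_SERIAL = 0xBA15F761DBB7B2B7


def _read_tlv(buf, pos):
    """Decode one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length


def cert_serial(der):
    """Return serialNumber of a DER X.509 certificate.
    Certificate ::= SEQUENCE { tbsCertificate ::= SEQUENCE { version [0] OPTIONAL,
    serialNumber INTEGER, ... }, ... }. The advisory's cert is v1 (no version field)."""
    tag, pos, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, pos, _ = _read_tlv(der, pos)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, start, end = _read_tlv(der, pos)
    if tag == 0xA0:                         # explicit [0] version present (v2/v3): skip it
        tag, start, end = _read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return int.from_bytes(der[start:end], "big", signed=True)


def is_shared_ubnt_cert(der):
    """True if the device still presents the factory default certificate."""
    return cert_serial(der) == SHARED_UBNT_SERIAL


def fetch_server_cert(host, port=443, timeout=5.0):
    """Fetch the DER certificate a device presents on its HTTPS management port.
    Verification is off only because the factory certificate is self-signed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)
```

Call `is_shared_ubnt_cert(fetch_server_cert("192.0.2.10"))` for each management address in your inventory (assumed address); any True result is a device that has not yet been given a device-specific certificate.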

2) Remote management enabled by default
The remote management interface is enabled by default. This allows attackers
to exploit vulnerabilities in the device firmware as well as weak credentials
set by the user.

Further information can also be found in our blog post:
http://blog.sec-consult.com/2015/11/the-omnipresence-of-ubiquiti-networks.html

Proof of concept:
-----------------
1) Hardcoded cryptographic keys
OpenSSL text output for the certificate:
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 13408895465235657399 (0xba15f761dbb7b2b7)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc.,
OU=Technical Support, CN=UBNT/emailAddress=support@ubnt.com
Validity
Not Before: Jun 2 08:35:02 2011 GMT
Not After : Jan 1 08:35:02 2020 GMT
Subject: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc.,
OU=Technical Support, CN=UBNT/emailAddress=support@ubnt.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (1024 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption

Certificate:

Private Key:

2) Remote management enabled by default
Remote management is available via SSH, HTTP and HTTPS.

Vulnerable / tested versions:
-----------------------------
This vulnerability is not dependent on specific products/versions. We
found the certificate and private key in firmware for at least the
following products:
AF-5X, AF24, AF24HD, AF5, AF5U, AG-HP-2G16, AG-HP-5G23, AG-HP-5G27, AR,
AR-HP, AirGrid M2, AirGrid M5, BM2-Ti, BM2HP, BM5-Ti, BM5HP, Bullet 2,
Bullet 2 HP, Bullet 5, LS2, LS5, LiteStation M5, M2, M3, M365, M5, M900,
MiniStation2, NB-2G18, NB-5G25, NBE-5AC-19, NBE-M5-16, NBE-M5-19, NBM3,
NBM365, NBM9, NS2, NS5, NSM2, NSM3, NSM365, NSM5, NanoStation 2 Loco,
NanoStation 5 Loco, PBE-5AC-500, PBE-5AC-620, PBE-M2-400, PBE-M5-300,
PBE-M5-400, PBM10, PBM3, PBM365, PBM5, PicoStation2, PicoStation2HP,
PicoStation5, Power AP N, PowerStation 2, PowerStation 5, R5AC-Lite,
R5AC-PTMP, R5AC-PTP, RM2-Ti, RM5-Ti, TS-16-CARRIER, TS-5-POE, TS-8-PRO,
WispStation5, airGateway, airGateway PRO, airGateway-LR, locoM2, locoM5,
locoM9

Vendor contact timeline:
------------------------
2015-08-17: Contacting vendor through security@ubnt.com.
2015-08-17: Auto-response: Vulnerability reports are processed via HackerOne.
2015-08-18: Reporting vulnerability via HackerOne (#83038, #83039)
2015-09-22: Vendor responds, enhancement to generate unique certificates will
be added.
2015-10-23: HackerOne ticket closed by ubnt
2015-11-05: No further responses received. Release of the advisory.

Solution:
---------
Not available.

Workaround:
-----------
1) Hardcoded cryptographic keys
Generate and import a device-specific certificate.

2) Remote management enabled by default
Disable all methods for remote management and use strong passwords.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Stefan Viehböck / @2015

