So last week a vulnerability in Ubiquiti's airOS firmware that allowed remote command execution on some of their AirMAX products was made public. I came across it via this link on Spiceworks. At first glance I was very concerned, but when digging in it seems that the issue lies less with the actual vulnerability and more with how Ubiquiti responded. If you take a look through the Spiceworks post it would appear the timeline went something like this: Vulnerability discovered –> Ubiquiti notified –> Ubiquiti misunderstands the issue to be a duplicate of an existing issue –> There was back and forth for a few months notifying Ubiquiti that it was not a duplicate, without much of a response –> The vulnerability was made public –> people are freaking out.
In the thread linked above a Ubiquiti rep outlined the steps that need to take place for the exploit to work, which are below:
1. Attacker is already a read-only user (so the admin probably knows them).
2. airOS device is directly on the internet (not firewalled at all).
3. Read-only user does the command injection.
4. Read-only user makes a link to trick the admin of the device.
5. Read-only user successfully tricks the admin user into clicking on the link.
6. Admin user must be logged into the airOS device at the time of clicking on the link, for all of the above to work.
7. If all 6 above work out, the read-only user will get admin-level access.
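The part of that chain that people tend to miss is step 6: the crafted link only does anything because the admin's browser automatically attaches the admin's session cookie to the forged request, and an endpoint that trusts the cookie alone cannot tell a forged request from a real one. The toy model below, written for this post and not taken from airOS or from Ubiquiti, shows that dependency with a made-up admin endpoint (`change_role`) and a made-up device hostname (`device.local`): with cookie-only authentication the forged request succeeds whenever the admin is logged in, and fails when they are not; with a per-session anti-CSRF token plus an Origin check it fails even when they are logged in. Step 3, the command injection itself, is not modeled because the post gives no details of it.

```python
"""Constructed model of the link-click half of the attack chain (not airOS code)."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

ROLE_READONLY = "readonly"
ROLE_ADMIN = "admin"
DEVICE_ORIGIN = "https://device.local"   # assumed hostname of the management UI


@dataclass
class Session:
    user: str
    role: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Device:
    """Minimal stand-in for a web-managed device with role-based accounts."""
    users: Dict[str, str] = field(default_factory=dict)        # username -> role
    sessions: Dict[str, Session] = field(default_factory=dict)  # cookie -> Session
    require_csrf: bool = False                                  # weak by default

    def login(self, user: str, role: str) -> str:
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = Session(user, role)
        return cookie

    def change_role(self, cookie: str, target: str, new_role: str,
                    origin: Optional[str] = None, csrf: Optional[str] = None) -> str:
        """Admin-only endpoint. With require_csrf=False it trusts the cookie alone,
        so a request forged by a crafted link runs with the admin's privileges."""
        sess = self.sessions.get(cookie)
        if sess is None:
            return "not logged in"
        if sess.role != ROLE_ADMIN:
            return "forbidden"
        if self.require_csrf:
            # Hardened path: the attacker's page cannot spoof the browser-set Origin
            # header and cannot read the admin's per-session token.
            if origin != DEVICE_ORIGIN:
                return "blocked: cross-site origin"
            if csrf != sess.csrf_token:
                return "blocked: bad csrf token"
        self.users[target] = new_role
        return "ok"


def crafted_link_attack(require_csrf: bool, admin_logged_in: bool) -> Tuple[str, str]:
    """Steps 4-6 of the chain. Returns (endpoint response, mallory's resulting role)."""
    dev = Device(users={"admin": ROLE_ADMIN, "mallory": ROLE_READONLY},
                 require_csrf=require_csrf)
    # Step 6: the admin either has a live session or does not.
    admin_cookie = dev.login("admin", ROLE_ADMIN) if admin_logged_in else "stale-cookie"
    # Steps 4-5: the admin's browser follows mallory's link. The browser attaches the
    # admin's cookie by itself, but the request originates from mallory's page, so the
    # Origin is foreign and mallory has no way to supply the admin's CSRF token.
    resp = dev.change_role(admin_cookie, "mallory", ROLE_ADMIN,
                           origin="https://attacker.example", csrf=None)
    return resp, dev.users["mallory"]


def legitimate_admin_change() -> str:
    """Same endpoint with CSRF enforced, driven by the real admin UI."""
    dev = Device(users={"admin": ROLE_ADMIN, "bob": ROLE_READONLY}, require_csrf=True)
    cookie = dev.login("admin", ROLE_ADMIN)
    token = dev.sessions[cookie].csrf_token     # the UI embeds this in its own forms
    return dev.change_role(cookie, "bob", ROLE_ADMIN, origin=DEVICE_ORIGIN, csrf=token)


if __name__ == "__main__":
    print("cookie-only, admin logged in :", crafted_link_attack(False, True))
    print("cookie-only, admin logged out:", crafted_link_attack(False, False))
    print("csrf enforced, admin logged in:", crafted_link_attack(True, True))
    print("legitimate change with token :", legitimate_admin_change())
```

Running it shows the forged request escalating mallory to admin only in the first case, which is exactly why the rep's list needs both "admin is logged in" and "admin clicks the link". The Origin check and the per-session token are the two generic controls that break that link; the post does not say which of them the airOS patch applied.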
So as you can see, not impossible, but it would appear a lot of things need to fall into place for this one, and in doing some research I found Ubiquiti has addressed the issue in their next patch; see the notes at this link. What makes me a little nervous is that from 1-24-17 until the vulnerability was made public there were repeated attempts to get a status update from Ubiquiti, with no response for almost 2 months. I think if there had been a little more communication this would likely have been a non-event.
Now to be fair, I do like Ubiquiti equipment. I believe it does a great job of bringing advanced features to small businesses at affordable prices, and this will not make me shy away from any use cases I have for Ubiquiti products in the future, as they ultimately addressed the issue. But I do feel this situation has great learning potential for Ubiquiti to make sure they cover their bases when people are asking questions; time will tell if they choose to learn from it.
It has been pointed out by a Ubiquiti rep on the Spiceworks post linked above that Ubiquiti does have a bug bounty program, through which it seems this was discovered. So at the end of the day, kudos to them for investing in a bug bounty program, because who knows how many holes may have gone unpatched without it.
To wrap this up, Ubiquiti is a fairly young company with a good product, but as the bug bounty program shows, it does not come without its flaws. Ubiquiti has done a pretty good job so far of keeping their product as up to date as possible, and the fact that they have a bug bounty program shows that they care about the security of their product, which seems promising for the future of the company. How Ubiquiti learns from these stumbles will determine how long they stay in the market and how they grow.