Read on…
https://www.computerworld.com/article/3181876/security/unpat…
Rainbow,
My browser presented a security risk with the link you provided. Are you sure this is clean?
My browser presented a security risk with the link you provided.
computerworld.com is a real site. I went there, searched for ubiquiti, and found the article. It is dated yesterday.
Unpatched vulnerability puts Ubiquiti networking products at risk
An unpatched command injection vulnerability could allow hackers to take over enterprise networking products from Ubiquiti Networks.
The vulnerability was discovered by researchers from SEC Consult and allows authenticated users to inject arbitrary commands into the web-based administration interface of affected devices. These commands would be executed on the underlying operating system as root, the highest privileged account.
Because it requires authentication, the vulnerability’s impact is somewhat reduced, but it can still be exploited remotely through cross-site request forgery (CSRF). This is an attack technique that involves forcing a user’s browser to send unauthorized requests to specifically crafted URLs in the background when they visit attacker-controlled websites.
My browser presented a security risk with the link you provided. Are you sure this is clean?
Computerworld.com shows as “insecure” (https issues) so as long as you don’t enter passwords, credit card info, there should be no problem. That said, ignore the link if you are concerned, as I see RHinCTn already posted an excerpt.
My browser presented a security risk with the link you provided. Are you sure this is clean?
Might be clean but their certificate is invalid, they are hosting at fastly.net and using a generic certificate. There could be a screwup with the DNS data:
DNS records
DNS query for 230.192.101.151.in-addr.arpa returned an error from the server: NameError
http://softwaretimes.com/pics/computerworld.jpg
Denny Schlesinger
The OP posted a link that started with https. The link will work fine if you use http instead.
I would think that a firmware update to the devices would fix the problem. The question is how significant the problem is. Considering how many security vulnerabilities there are in all sorts of devices, I would think that the main issue for customers is how quickly Ubiquiti comes out with a fix. With their user community involvement and their product quality, I would expect it to be quick.
From the ubiquiti forums, one of their employees has posted this update.
https://community.ubnt.com/t5/airMAX-AC/AirOS-Vulnerability-…
1. UniFi is not affected. This issue is limited to AirOS and associated products (toughswitch, airgateway, etc.)
2. The issue has been addressed as follows:
AirOS v8.0.1 — already available since Feb 3, 2017 (release notes here)
AirOS v6.0.1 — released today (release notes here)
AirGateway v1.1.8 - Service release — released today (release notes here)
TOUGHSwitch v.1.3.4 - Service — released today (release notes here)
3. While we acknowledge all vulnerabilities are serious, we believe this issue rates fairly low in terms of threat severity compared to past patched vulnerabilities
…etc
Worth a quick glance.
Vulnerabilities are unfortunately part and parcel of networks. There is no way you can foresee them. That’s why you get updates all the time on, for instance, your smart phones and on Windows. So it’s good to see that ubnt does patch them up. It has taken them since November to do this one but it seems it was low on their priority list.
I would think that the main issue for customers is how quickly Ubiquiti comes out with a fix.
A “fix” is one thing. Trust is another. Corporate confidence is integral to UBNT’s health. Let’s hope this is not a harbinger of things to come.
We don’t know enough to say whether this particular security problem is a big deal or not, but my feeling after being in the computer industry for many years is that it’s not a serious problem.
I don’t think you’re wrong to think that security is important, but if everybody gave it this much importance, Microsoft would have either had to do a much, much better job with security, or they would have gone under years ago.