Ubiquiti UbiFi Controller 2.4.5 Password Hash Disclosure

Type packetstorm
Reporter Seth Art
Modified 2014-07-25T00:00:00


Ubiquiti Networks (http://www.ubnt.com/)  
Affected Products/Versions:  
UniFi Controller v2.4.6  
Note: Previous versions may be affected  
Title: Admin/Root password hash sent via syslog messages  
CVE: CVE-2014-2226  
CWE: http://cwe.mitre.org/data/definitions/319.html  
Detailed writeup: http://sethsec.blogspot.com/2014/07/cve-2014-2226.html  
Researcher: Seth Art - @sethsec  
If remote logging is enabled on the UniFi controller, syslog messages  
are sent to a syslog server. Contained within the syslog messages is  
the admin password that is used by both the UniFi controller, and all  
managed Access Points. This CVE was assigned as there is no utility  
for sending the admin password hash via syslog messages.  
Not Applicable.  
UniFi Controller - Upgrade to UniFi Controller v3.2.1 or greater  
Disclosure Timeline:  
2014-02-16: Notified Ubiquiti of vulnerabilities in UniFi and mFi products  
2014-02-17: Ubiquiti acknowledges and requests details  
2014-02-17: Report with POC sent to Ubiquiti  
2014-02-19: Asks Ubiquiti to confirm receipt of report  
2014-02-19: Ubiquti confirms receipt of report and existence of the  
2014-02-28: CVE-2014-2226 assigned  
2014-03-12: Requested status update  
2014-03-27: Requested status update  
2014-04-07: Requested status update  
2014-04-09: Ubiquiti provides timeline for solution  
2014-05-30: Requested status update  
2014-06-12: Requested status update  
2014-06-12: UniFi 3.2.1 is released  
2014-06-13: Set public disclosure date of 2014-07-24  
2014-07-24: Public disclosure