Ubiquiti Networks Hardcoded Keys / Remote Management

🗓️ 05 Nov 2015 | Reported by Stefan Viehböck | Type: packetstorm | 🔗 packetstormsecurity.com

Ubiquiti Networks products have hardcoded cryptographic keys and enabled remote management by default

Code
`SEC Consult Vulnerability Lab Security Advisory < 20151105-0 >  
=======================================================================  
title: Insecure default configuration  
product: various Ubiquiti Networks products  
vulnerable version: see Vulnerable / tested versions  
fixed version: none available  
impact: High  
homepage: https://www.ubnt.com/  
found: 2015-08-17  
by: Stefan Viehböck (Office Vienna)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult  
Berlin - Frankfurt/Main - Montreal - Moscow  
Singapore - Vienna (HQ) - Vilnius - Zurich  
  
https://www.sec-consult.com  
=======================================================================  
  
Vendor description:  
-------------------  
Ubiquiti Networks develops high-performance networking  
technology for service providers and enterprises. Our technology  
platforms focus on delivering highly advanced and easily deployable  
solutions that appeal to a global customer base in underserved and  
underpenetrated markets.  
  
Source: http://ir.ubnt.com/  
  
Vulnerability overview/description:  
-----------------------------------  
1) Hardcoded cryptographic keys  
A certificate including its private key is embedded in the firmware of several  
Ubiquiti Networks products. The certificate is used for HTTPS (default server  
certificate for web based management).  
  
Impersonation, man-in-the-middle and, for sessions negotiated with RSA key  
exchange (no forward secrecy), passive decryption attacks are possible.  
These attacks allow an attacker to obtain sensitive information such as  
admin credentials and use them in further attacks.  
  
Furthermore searching for the certificate fingerprint in data from internet-wide  
scans is a low-cost way of finding the IPs of specific products/product groups and  
allows an attacker to exploit vulnerabilities at scale.  
  
2) Remote management enabled by default  
The remote management interface is enabled by default. This allows attackers  
to exploit vulnerabilities in the device firmware as well as weak credentials  
set by the user.  
  
Further information can also be found in our blog post:  
http://blog.sec-consult.com/2015/11/the-omnipresence-of-ubiquiti-networks.html  
  
Proof of concept:  
-----------------  
1) Hardcoded cryptographic keys  
OpenSSL text output for the certificate:  
Certificate:  
Data:  
Version: 1 (0x0)  
Serial Number: 13408895465235657399 (0xba15f761dbb7b2b7)  
Signature Algorithm: sha1WithRSAEncryption  
Issuer: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc.,  
OU=Technical Support, CN=UBNT/emailAddress=support@ubnt.com  
Validity  
Not Before: Jun 2 08:35:02 2011 GMT  
Not After : Jan 1 08:35:02 2020 GMT  
Subject: C=US, ST=CA, L=San Jose, O=Ubiquiti Networks Inc.,  
OU=Technical Support, CN=UBNT/emailAddress=support@ubnt.com  
Subject Public Key Info:  
Public Key Algorithm: rsaEncryption  
Public-Key: (1024 bit)  
Modulus:  
00:be:09:9f:14:3a:f7:ee:e5:8a:c9:76:b2:26:17:  
00:7b:0c:85:1c:94:8e:bd:7f:f5:a1:a5:6d:0a:2c:  
64:cc:7f:78:bc:11:ee:dc:d9:e6:2a:cb:e1:9e:d8:  
17:a6:9c:35:aa:da:c5:c1:3a:a5:48:dc:af:bc:99:  
37:59:7e:88:3c:2c:d3:bb:e7:60:6d:e3:19:f9:4e:  
18:4c:4c:3a:fd:5e:35:6f:a3:50:b9:50:c0:8e:8b:  
fa:a0:ee:c4:96:c5:ba:4e:ed:d8:f1:18:05:36:89:  
54:c2:dc:27:eb:75:74:1c:be:9a:4c:c8:e5:ce:fe:  
47:44:96:a7:af:10:07:eb:15  
Exponent: 65537 (0x10001)  
Signature Algorithm: sha1WithRSAEncryption  
00:5a:31:81:3a:15:6d:30:95:8d:03:91:47:aa:23:e2:b4:c0:  
2e:d4:01:cd:d5:21:6b:69:5e:3c:71:27:10:1c:f5:87:d4:28:  
19:17:c2:3d:ec:36:fd:ee:93:07:8f:0b:30:65:0e:28:35:6c:  
25:9e:d8:24:16:85:65:29:da:47:df:30:09:84:33:2c:b4:b4:  
fa:f0:24:40:b9:ee:1e:f0:1c:33:c3:e1:06:70:2e:6b:fe:a0:  
d0:aa:81:6f:cf:1b:70:67:43:01:32:a0:da:bc:8c:a8:91:f3:  
cb:b1:97:30:04:f2:c6:77:e8:89:97:2c:d3:1f:cf:03:f1:fc:  
36:fa  
  
Certificate:  
-----BEGIN CERTIFICATE-----  
MIICrTCCAhYCCQC6Ffdh27eytzANBgkqhkiG9w0BAQUFADCBmjELMAkGA1UEBhMCV  
VMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEfMB0GA1UEChMWVWJpcX  
VpdGkgTmV0d29ya3MgSW5jLjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxDTA  
LBgNVBAMTBFVCTlQxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAdWJudC5jb20wHhcN  
MTEwNjAyMDgzNTAyWhcNMjAwMTAxMDgzNTAyWjCBmjELMAkGA1UEBhMCVVMxCzAJB  
gNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEfMB0GA1UEChMWVWJpcXVpdGkgTm  
V0d29ya3MgSW5jLjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxDTALBgNVBAM  
TBFVCTlQxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAdWJudC5jb20wgZ8wDQYJKoZI  
hvcNAQEBBQADgY0AMIGJAoGBAL4JnxQ69+7lisl2siYXAHsMhRyUjr1/9aGlbQosZ  
Mx/eLwR7tzZ5irL4Z7YF6acNaraxcE6pUjcr7yZN1l+iDws07vnYG3jGflOGExMOv  
1eNW+jULlQwI6L+qDuxJbFuk7t2PEYBTaJVMLcJ+t1dBy+mkzI5c7+R0SWp68QB+s  
VAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAAFoxgToVbTCVjQORR6oj4rTALtQBzdUh  
a2lePHEnEBz1h9QoGRfCPew2/e6TB48LMGUOKDVsJZ7YJBaFZSnaR98wCYQzLLS0+  
vAkQLnuHvAcM8PhBnAua/6g0KqBb88bcGdDATKg2ryMqJHzy7GXMATyxnfoiZcs0x  
/PA/H8Nvo=  
-----END CERTIFICATE-----  
  
Private Key:  
-----BEGIN RSA PRIVATE KEY-----  
MIICXAIBAAKBgQC+CZ8UOvfu5YrJdrImFwB7DIUclI69f/WhpW0KLGTMf3i8Ee7c2  
eYqy+Ge2BemnDWq2sXBOqVI3K+8mTdZfog8LNO752Bt4xn5ThhMTDr9XjVvo1C5UM  
COi/qg7sSWxbpO7djxGAU2iVTC3CfrdXQcvppMyOXO/kdElqevEAfrFQIDAQABAoG  
AGS2XKQwDC2DYOYcDZW6IvsTS4g2At/S7K5aKUt284SdGbMyHdDVefG8UzoHc6FMr  
/R4NM2O8wGGU2w0Fu1K7Y9rU3ffBT6oL69n1FzL5BWcxoOnoSjuvWZExFy8p8/1BT  
/m0e9jsmGSVmFnniCI/ha7rKRQN+7GT8LsVjliSguUCQQD2B2sbtNSVynhIpdJVnq  
jOAkLGUqX/CNUxgoPc2cC769pB4+iTqy/cRw8N5yY2YO/uTXxjWNeYI4wM3ydciVq  
LAkEAxb1JBfMkNwEVHhEtoVbyLCnbAL/NrmyYHDYep5GHIsyP4kfVnhPCTMNCjBE+  
MRSmtmOiR3JhWA64TTeMzEOk3wJAaQq/y0OIpC+e7X2G8TFdZx+F/QDaiKnvxESyI  
gACjvli5VD2Qt4LACSCo+/126/FoNwKaKxM2FMM/43jU1n9gwJAcbvox3pNJzIBMn  
UQ+M6opkxAwhKQPDYL25YpVZp3zsU4MR++N5kH1d0tZqD4U4ScSyXNjii04tA8o3V  
DD64MowJBANI9Uadjw2fwWJvRtdpbJYOEtb4+pN7isj/lMBlxh/f4APAQRzVACoZR  
kwc9O1CJGXEV9oLEvIavpTJaeQFhw44=  
-----END RSA PRIVATE KEY-----  
  
2) Remote management enabled by default  
Remote management is available via SSH, HTTP and HTTPS.  
  
Vulnerable / tested versions:  
-----------------------------  
This vulnerability is not dependent on specific products/versions. We  
found the certificate and private key in firmware for at least the  
following products:  
AF-5X, AF24, AF24HD, AF5, AF5U, AG-HP-2G16, AG-HP-5G23, AG-HP-5G27, AR,  
AR-HP, AirGrid M2, AirGrid M5, BM2-Ti, BM2HP, BM5-Ti, BM5HP, Bullet 2,  
Bullet 2 HP, Bullet 5, LS2, LS5, LiteStation M5, M2, M3, M365, M5, M900,  
MiniStation2, NB-2G18, NB-5G25, NBE-5AC-19, NBE-M5-16, NBE-M5-19, NBM3,  
NBM365, NBM9, NS2, NS5, NSM2, NSM3, NSM365, NSM5, NanoStation 2 Loco,  
NanoStation 5 Loco, PBE-5AC-500, PBE-5AC-620, PBE-M2-400, PBE-M5-300,  
PBE-M5-400, PBM10, PBM3, PBM365, PBM5, PicoStation2, PicoStation2HP,  
PicoStation5, Power AP N, PowerStation 2, PowerStation 5, R5AC-Lite,  
R5AC-PTMP, R5AC-PTP, RM2-Ti, RM5-Ti, TS-16-CARRIER, TS-5-POE, TS-8-PRO,  
WispStation5, airGateway, airGateway PRO, airGateway-LR, locoM2, locoM5,  
locoM9  
  
Vendor contact timeline:  
------------------------  
2015-08-17: Contacting vendor through [email protected].  
2015-08-17: Auto-response: Vulnerability reports are processed via HackerOne.  
2015-08-18: Reporting vulnerability via HackerOne (#83038, #83039)  
2015-09-22: Vendor responds, enhancement to generate unique certificates will  
be added.  
2015-10-23: HackerOne ticket closed by ubnt  
2015-11-05: No further responses received. Release of the advisory.  
  
Solution:  
---------  
Not available.  
  
Workaround:  
-----------  
1) Hardcoded cryptographic keys  
Generate and import a device-specific certificate.  
  
2) Remote management enabled by default  
Disable all remote management methods (SSH, HTTP, HTTPS) that are not  
required, restrict the remaining ones to trusted management networks, and  
use strong passwords.  
  
Advisory URL:  
-------------  
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
SEC Consult Vulnerability Lab  
  
SEC Consult  
Berlin - Frankfurt/Main - Montreal - Moscow  
Singapore - Vienna (HQ) - Vilnius - Zurich  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It  
ensures the continued knowledge gain of SEC Consult in the field of network  
and application security to stay ahead of the attacker. The SEC Consult  
Vulnerability Lab supports high-quality penetration testing and the evaluation  
of new offensive and defensive technologies for our customers. Hence our  
customers obtain the most current information about vulnerabilities and valid  
recommendation about the risk profile of new technologies.  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://www.sec-consult.com/en/Career.htm  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Mail: research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Stefan Viehböck / @2015  
  
`
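The advisory makes two points about the hardcoded certificate: its fingerprint pinpoints Ubiquiti devices in internet-wide scan data, and any device still presenting it is open to impersonation. Both reduce to recognising one certificate by its digest. The following is an added example written for this page, not SEC Consult's tooling and not anything Ubiquiti ships. It uses only the Python standard library: it decodes the certificate printed in the proof of concept above, walks the DER to recover the serial number and validity shown in the OpenSSL text output, computes OpenSSL-style fingerprints, and matches them against scan records. The scan records, the 192.0.2.x addresses and the `device_serves_default_cert` helper are constructed for the demonstration; the live check needs network access and is not exercised here.

```python
"""Recognise the shared Ubiquiti default HTTPS certificate by fingerprint.

Added example for this page (not SEC Consult's or Ubiquiti's code).
Standard library only. The PEM below is the certificate printed in the
advisory; scan records and addresses further down are constructed.
"""
import base64
import hashlib
import ssl

UBNT_DEFAULT_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICrTCCAhYCCQC6Ffdh27eytzANBgkqhkiG9w0BAQUFADCBmjELMAkGA1UEBhMCV
VMxCzAJBgNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEfMB0GA1UEChMWVWJpcX
VpdGkgTmV0d29ya3MgSW5jLjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxDTA
LBgNVBAMTBFVCTlQxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAdWJudC5jb20wHhcN
MTEwNjAyMDgzNTAyWhcNMjAwMTAxMDgzNTAyWjCBmjELMAkGA1UEBhMCVVMxCzAJB
gNVBAgTAkNBMREwDwYDVQQHEwhTYW4gSm9zZTEfMB0GA1UEChMWVWJpcXVpdGkgTm
V0d29ya3MgSW5jLjEaMBgGA1UECxMRVGVjaG5pY2FsIFN1cHBvcnQxDTALBgNVBAM
TBFVCTlQxHzAdBgkqhkiG9w0BCQEWEHN1cHBvcnRAdWJudC5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAL4JnxQ69+7lisl2siYXAHsMhRyUjr1/9aGlbQosZ
Mx/eLwR7tzZ5irL4Z7YF6acNaraxcE6pUjcr7yZN1l+iDws07vnYG3jGflOGExMOv
1eNW+jULlQwI6L+qDuxJbFuk7t2PEYBTaJVMLcJ+t1dBy+mkzI5c7+R0SWp68QB+s
VAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAAFoxgToVbTCVjQORR6oj4rTALtQBzdUh
a2lePHEnEBz1h9QoGRfCPew2/e6TB48LMGUOKDVsJZ7YJBaFZSnaR98wCYQzLLS0+
vAkQLnuHvAcM8PhBnAua/6g0KqBb88bcGdDATKg2ryMqJHzy7GXMATyxnfoiZcs0x
/PA/H8Nvo=
-----END CERTIFICATE-----"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the body."""
    lines = [ln.strip() for ln in pem.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def parse_certificate(der: bytes) -> dict:
    """Extract serialNumber and validity from tbsCertificate.

    Handles v1 certificates (no version element, as in the advisory) and
    v2/v3 certificates (version wrapped in [0] EXPLICIT).
    """
    _, pos, _ = read_tlv(der, 0)                       # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)                     # tbsCertificate SEQUENCE
    tag, start, end = read_tlv(der, pos)
    if tag == 0xA0:                                    # optional [0] version
        tag, start, end = read_tlv(der, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber, got tag 0x%02x" % tag)
    serial = int.from_bytes(der[start:end], "big")
    _, _, end = read_tlv(der, end)                     # signature AlgorithmIdentifier
    _, _, end = read_tlv(der, end)                     # issuer Name
    _, pos, _ = read_tlv(der, end)                     # validity SEQUENCE
    _, start, end = read_tlv(der, pos)                 # notBefore (UTCTime)
    not_before = der[start:end].decode("ascii")
    _, start, end = read_tlv(der, end)                 # notAfter (UTCTime)
    not_after = der[start:end].decode("ascii")
    return {"serial": serial, "not_before": not_before, "not_after": not_after}


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """OpenSSL-style fingerprint: upper-case hex pairs separated by colons."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


UBNT_DEFAULT_DER = pem_to_der(UBNT_DEFAULT_CERT_PEM)
UBNT_DEFAULT_SHA256 = fingerprint(UBNT_DEFAULT_DER)


def is_ubnt_default_cert(der: bytes) -> bool:
    """True if this certificate is byte-for-byte the shared default."""
    return fingerprint(der) == UBNT_DEFAULT_SHA256


# Constructed scan records: one row per TLS endpoint with the leaf
# certificate's SHA-256 fingerprint, as internet-wide scan exports provide.
# Addresses are from the RFC 5737 documentation range, not real hosts; the
# second fingerprint is a placeholder digest standing in for any other cert.
SCAN_RECORDS = [
    {"ip": "192.0.2.10", "port": 443, "sha256": UBNT_DEFAULT_SHA256},
    {"ip": "192.0.2.11", "port": 443, "sha256": fingerprint(b"some other certificate")},
    {"ip": "192.0.2.12", "port": 8443, "sha256": UBNT_DEFAULT_SHA256},
]


def find_default_cert_hosts(records) -> list:
    """Endpoints whose leaf certificate is the shared Ubiquiti default."""
    return [f"{r['ip']}:{r['port']}" for r in records if r["sha256"] == UBNT_DEFAULT_SHA256]


def device_serves_default_cert(host: str, port: int = 443) -> bool:
    """Live check (needs network): fetch the device's certificate and compare."""
    return is_ubnt_default_cert(pem_to_der(ssl.get_server_certificate((host, port))))


if __name__ == "__main__":
    info = parse_certificate(UBNT_DEFAULT_DER)
    print("serial  :", hex(info["serial"]), info["not_before"], info["not_after"])
    print("SHA-1   :", fingerprint(UBNT_DEFAULT_DER, "sha1"))
    print("SHA-256 :", UBNT_DEFAULT_SHA256)
    print("hits    :", find_default_cert_hosts(SCAN_RECORDS))
```

Running the script prints the serial and validity that the OpenSSL output in the advisory shows, plus the SHA-1 and SHA-256 fingerprints. Either value can be fed to a scan dataset, and `device_serves_default_cert("<device-ip>")` checks a device you administer. Matching is on the digest of the full DER, so a device that has had a unique certificate imported (the advisory's workaround, and the fix the vendor promised in the timeline) stops matching, which is the intended outcome.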
