CVE-2022-44565 - UBNT AirOS - Improper Access Validation

Kicking off the new year, is my first offical bug bounty and CVE that was reported early last year.

Vulnerability

Whilst investigating the available API endpoints on the UBNT AirMAC AC devices, it appeared a bug was introduced that disabled the access validation if a trailing / was added to the URI for the various API endpoints.

This impacts at least the following endpoints;

  • /status.cgi
  • /signal.cgi
  • /glogo.cgi
  • /hist-stats.cgi

Auth Required curl -k https://192.168.1.20/status.cgi

No Auth Required curl -k https://192.168.1.20/status.cgi/

Impact

Information disclosure, may contain sensitive information such as but not limited to;

  • IP Address of connected stations
  • MAC Address of connected stations
  • Firmware versions of both AP and connected stations
  • Hostnames of connected stations (WISPs may use customer name/address as hostnames)
  • Resource information of AP and connected stations

Investigation

Reviewing the various firmware versions it was determined this bug was introduced in 8.7.4, analysis of this firmware indicated the API endpoints are compiled LUA scripts and the lighttpd server version was upgraded.

Outcomes

After submitting the bug report to UBNT they began to patch all impacted products and was fully resolved and published on the 7th December 2022 in the Security Advisory Bulletin 027

It was also discovered that this issue impacted the airFiber 60 and GBE product lines as well

Affected Products:

airMAX AC (8.7.4 - 8.7.11)

airFiber 60/LR

airFiber 60 XG/HD

GBE

Mitigation:

Update your airMAX AC to Version 8.7.11 or later.

Update your airFiber 60/LR to Version 2.6.2 or later.

Update your airFiber 60 XG/HD to Version 1.0.0 or later.

Update your GBE to Version 1.4.1 or later.