
Wednesday, October 19, 2016

Re: [FD] Critical Vulnerability in Ubiquiti UniFi

Tim conflates two products in his original report:

Product: UniFi AP AC Lite
Vendor: Ubiquiti Networks Inc.
Internal reference: ? (Bug ID)
Vulnerability type: Incorrect access control
Vulnerable version: Unify 5.2.7 and possible other versions affected (not tested)
[...]

Both the UniFi appliance line and the AP management software are properly spelled 'UniFi'.

http://ift.tt/1OPzKlx
http://ift.tt/21BKwPK

UniFi - the AP controller software - does not run on the UniFi AP AC Lite. It's intended as a low-cost replacement for a dedicated AP controller appliance, and it manages - does not run on - Ubiquiti's current AP product line.

The current full release version of the UniFi AP controller is 5.2.9. It has a dedicated appliance in the form of the "Cloud Key" - https://www.ubnt.com/unifi/unifi-cloud-key/

The Cloud Key is a cute little package with some integral flash, a micro SD slot, PoE or USB power, and a MediaTek MT7623 SoC - if the picture is accurate. Its sole purpose in life appears to be running the UniFi controller software. I don't have one to test; the Cloud Key may well configure MongoDB insecurely.

I have access to a few other UniFi products, so I looked them over. The self-hosted UniFi controller appears to call MongoDB correctly, at least as of 5.2.9:

john@malkovich ~ [0]# pgrep -a mongo
2850 bin/mongod --dbpath /usr/lib/unifi/data/db --port 27117 --logappend
