Pierluigi Paganini July 10, 2023

A Proof-of-Concept (PoC) exploit for the CVE-2023-31998 vulnerability in the Ubiquiti EdgeRouter has been publicly released.

The CVE-2023-31998 flaw (CVSS v3 5.9) is a heap overflow issue impacting Ubiquiti EdgeRouters and Aircubes, an attacker can exploit it to potentially execute arbitrary code and interrupt UPnP service to a vulnerable device.

The flaw resides in the miniupnpd service and can be exploited by a LAN attacker.

The vulnerability affects EdgeRouters 2.0.9-hotfix.6 and earlier and AirCube firmware version 2.8.8 and earlier.

Vulnerability reporting firm SSD Secure Disclosure published technical details for the now patched vulnerability, its experts have developed a proof of concept that was successfully tested against another Ubiquiti device, EdgeRouter-X, whose latest firmware suffers from the same vulnerability.

In order to successfully launch the exploit the following configuration and vulnerability requirements must be met:

Configuration requirements

miniupnpd exposes a dynamic TCP port to LAN clients. This port is discoverable through SSDP, and LAN clients may discover this port. miniupnpd is started through

/etc/init.d/upnpd.

Vulnerability requirements

Configuration of miniupnpd shall allow to add and list external NAT entries. This is the case with the default configuration of miniupnpd.

The researchers warn that vulnerable versions of the MiniUPnPd service may have been shipped with other networking devices.

“This vulnerability, which is reachable from LAN clients, has been fixed in commit a77d1ff9 , but not published as a security vulnerability. As a consequence, it is possible to find a vulnerable miniupnpd on home gateways or 5G dongles. Ubiquiti AirCube contains a vulnerable miniupnpd, and so does Ubiquiti EdgeRouterX for example.” reads the advisory published by SSD Secure Disclosure. “It is likely that other products relying either directly on upstream miniupnpd, or on router distribution such as openwrt , vyos or dd-wrt still ship today with vulnerable miniupnpd.”

Ubiquiti addressed the issue with the release of software updates 2.0.9-hotfix.7 or later for EdgeRouters and software version 2.8.9 or later for Aircubes.

The company pointed out that it is not aware of attacks in the wild exploiting this vulnerability.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ubiquiti)