CVE-2023-31998 (CVSS v3 5.9) is a heap overflow flaw impacting Ubiquiti EdgeRouters and AirCubes. An attacker can exploit it to potentially execute arbitrary code and interrupt UPnP service on a vulnerable device.
The flaw resides in the miniupnpd service and can be exploited by a LAN attacker.
The vulnerability affects EdgeRouters 2.0.9-hotfix.6 and earlier and AirCube firmware version 2.8.8 and earlier.
Vulnerability reporting firm SSD Secure Disclosure published technical details for the now-patched vulnerability. Its experts developed a proof of concept that was successfully tested against another Ubiquiti device, EdgeRouter-X, whose latest firmware suffers from the same vulnerability.
In order to successfully launch the exploit, the following configuration and vulnerability requirements must be met:
Configuration requirements
miniupnpd exposes a dynamic TCP port to LAN clients. This port is discoverable through SSDP by LAN clients. miniupnpd is started through /etc/init.d/upnpd.
Vulnerability requirements
The miniupnpd configuration must allow adding and listing external NAT entries. This is the case with the default configuration of miniupnpd.
The researchers warn that vulnerable versions of the MiniUPnPd service may have been shipped with other networking devices.
“This vulnerability, which is reachable from LAN clients, has been fixed in commit a77d1ff9, but not published as a security vulnerability. As a consequence, it is possible to find a vulnerable miniupnpd on home gateways or 5G dongles. Ubiquiti AirCube contains a vulnerable miniupnpd, and so does Ubiquiti EdgeRouterX for example.” reads the advisory published by SSD Secure Disclosure. “It is likely that other products relying either directly on upstream miniupnpd, or on router distribution such as openwrt, vyos or dd-wrt still ship today with vulnerable miniupnpd.”
Ubiquiti addressed the issue with the release of software updates 2.0.9-hotfix.7 or later for EdgeRouters and software version 2.8.9 or later for AirCubes.
The company pointed out that it is not aware of attacks in the wild exploiting this vulnerability.
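To check a device inventory against the fixed releases named above, the following added example (not code from Ubiquiti or the SSD advisory) compares firmware strings while ordering "-hotfix.N" after the base release, which a semver-style comparison would get backwards. The optional leading "v", the assumption that a bare release precedes its hotfixes, and the sample inventory are constructed for illustration.

```python
import re

# First fixed releases, as stated in the article.
FIRST_FIXED = {"edgerouter": "2.0.9-hotfix.7", "aircube": "2.8.9"}

# Assumption: versions look like X.Y.Z or X.Y.Z-hotfix.N, with an optional "v".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-hotfix\.(\d+))?$")

def parse_version(text):
    """Return (major, minor, patch, hotfix) as integers.

    A release without a hotfix suffix gets hotfix 0, so it sorts before
    every hotfix of the same base release. Semver ordering would treat
    '-hotfix.N' as a pre-release tag and sort it before the base release.
    """
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def is_affected(product, version):
    """True when the firmware is older than the first fixed release."""
    fixed = FIRST_FIXED[product.lower()]
    return parse_version(version) < parse_version(fixed)

def audit(inventory):
    """Map each (host, product, version) row to affected, fixed or unknown."""
    report = {}
    for host, product, version in inventory:
        try:
            report[host] = "affected" if is_affected(product, version) else "fixed"
        except (KeyError, ValueError):
            # Unknown product or unparseable version: flag for manual review.
            report[host] = "unknown"
    return report

if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    sample = [
        ("gw-1", "EdgeRouter", "v2.0.9-hotfix.6"),
        ("gw-2", "EdgeRouter", "2.0.9"),
        ("ap-1", "AirCube", "2.8.9"),
        ("gw-3", "EdgeRouter", "2.0.9-beta.1"),
    ]
    for host, status in audit(sample).items():
        print(host, status)
```

A "fixed" result only reflects the firmware version; the advisory notes that other products may ship a vulnerable miniupnpd, and those are outside what this check covers.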