Experts released PoC exploit for Ubiquiti EdgeRouter flaw

A Proof-of-Concept (PoC) exploit for the CVE-2023-31998 vulnerability in the Ubiquiti EdgeRouter has been publicly released.

The CVE-2023-31998 flaw (CVSS v3 5.9) is a heap overflow issue impacting Ubiquiti EdgeRouters and Aircubes. An attacker can exploit it to potentially execute arbitrary code and interrupt UPnP service on a vulnerable device.

The flaw resides in the miniupnpd service and can be exploited by a LAN attacker.

The vulnerability affects EdgeRouter firmware version 2.0.9-hotfix.6 and earlier and AirCube firmware version 2.8.8 and earlier.

Vulnerability reporting firm SSD Secure Disclosure published technical details for the now-patched vulnerability. Its experts developed a proof of concept that was successfully tested against another Ubiquiti device, the EdgeRouter-X, whose latest firmware suffers from the same vulnerability.

To successfully launch the exploit, the following configuration and vulnerability requirements must be met:

Configuration requirements

miniupnpd exposes a dynamic TCP port to LAN clients, which can discover it through SSDP. miniupnpd is started through /etc/init.d/upnpd.

Vulnerability requirements

The miniupnpd configuration must allow adding and listing external NAT entries. This is the case with the default configuration of miniupnpd.

The researchers warn that vulnerable versions of the MiniUPnPd service may have been shipped with other networking devices.

“This vulnerability, which is reachable from LAN clients, has been fixed in commit a77d1ff9, but not published as a security vulnerability. As a consequence, it is possible to find a vulnerable miniupnpd on home gateways or 5G dongles. Ubiquiti AirCube contains a vulnerable miniupnpd, and so does Ubiquiti EdgeRouterX for example.” reads the advisory published by SSD Secure Disclosure. “It is likely that other products relying either directly on upstream miniupnpd, or on router distribution such as openwrt, vyos or dd-wrt still ship today with vulnerable miniupnpd.”

Ubiquiti addressed the issue with the release of software updates 2.0.9-hotfix.7 or later for EdgeRouters and software version 2.8.9 or later for Aircubes.
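The version boundaries above can be turned into an inventory check. The following is an added example, not code from SSD Secure Disclosure or Ubiquiti; it assumes firmware strings of the form 2.0.9-hotfix.6 with an optional leading "v" and trailing build suffix, and the host names and helper functions are hypothetical.

```python
import re

# Fixed releases as stated in the article: (major, minor, patch, hotfix).
FIXED = {
    "edgerouter": (2, 0, 9, 7),  # 2.0.9-hotfix.7 or later
    "aircube": (2, 8, 9, 0),     # 2.8.9 or later
}

# Assumed format: optional "v", x.y.z, optional "-hotfix.N"; any suffix is ignored.
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-hotfix\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, hotfix); a missing hotfix counts as 0."""
    m = _VERSION.match(text.strip().lower())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def needs_update(family, version):
    """True when the firmware predates the fixed release for its family."""
    return parse_version(version) < FIXED[family.lower()]


def audit(inventory):
    """Map each host to 'update', 'ok', or 'unknown' (other family or bad string)."""
    result = {}
    for host, family, version in inventory:
        try:
            result[host] = "update" if needs_update(family, version) else "ok"
        except (KeyError, ValueError):
            result[host] = "unknown"  # review by hand rather than assume it is safe
    return result


# Constructed sample inventory (hypothetical hosts, constructed version strings).
SAMPLE = [
    ("gw-branch-1", "EdgeRouter", "v2.0.9-hotfix.6"),
    ("gw-branch-2", "EdgeRouter", "v2.0.9-hotfix.7.1234"),
    ("gw-lab", "EdgeRouter", "2.0.9"),
    ("ap-lobby", "AirCube", "2.8.8"),
    ("ap-office", "AirCube", "v2.8.9"),
    ("sw-core", "OtherVendor", "1.0.0"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are deliberately not treated as patched, since the advisory notes that other products may ship a vulnerable miniupnpd.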

The company pointed out that it is not aware of attacks in the wild exploiting this vulnerability.

Pierluigi Paganini

(SecurityAffairs – hacking, Ubiquiti)
