
Fwd: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129




I've used this/these Ubiquiti vulnerabilities as examples of the lack 
of CVE IDs leading to lack of awareness of the need to take action.  
Here's the message I sent Ubiquiti this week, no response from them yet.

As a CNA of sometimes last resort, CERT/CC is planning to submit one 
(or two) CVE IDs to cover these vulnerabilities.  I think the second 
(CVE-2016-yyyy) is pretty clear.

Pinging the Board for any input, material or procedural, before moving 
forward.

Thanks,

 - Art


-------- Forwarded Message --------
Subject: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129
Date: Mon, 20 Aug 2018 17:28:14 -0400
From: Art Manion <amanion@cert.org>
To: security-direct@ubnt.com
CC: CERT <cert@cert.org>, Common Vulnerabilities & Exposures 
<cve@mitre.org>, matt@ubnt.com


Hello,

We're tracking down missing CVE IDs for one or two older Ubiquiti 
vulnerabilities.  I believe these are distinct vulnerabilities, but 
can't really tell, so I thought I'd ask directly.


CVE-2015-xxxx

Fixed in 5.5.11.28002

(2015-07-17) 
https://community.ubnt.com/t5/airMAX-Updates-Blog/Security-Release-for-airMAX-TOUGHSwitch-and-airGateway-Released/ba-p/1300494


CVE-2016-yyyy

Fixed in 5.6.5.29033

(2016-02-13) https://hackerone.com/reports/73480

(2016-04-15) https://www.exploit-db.com/exploits/39701/

(2016-05-13) 
https://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940

(2016-05-16) 
https://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949

(2016-05-17) 
https://www.rapid7.com/db/modules/exploit/linux/ssh/ubiquiti_airos_file_upload

(2016-05-25) https://www.exploit-db.com/exploits/39853/


Does this grouping seem right?

Or, since the HackerOne report was filed on 2015-07-01, is the first 
Ubiquiti blog post on 2015-07-17 talking about the same vulnerability?

Aside from updating the CVE catalog, there's a thread I'm trying to 
investigate here.  Researcher used bug bounty (good), vendor fixed bug 
(good), but users didn't notice/act (bad), possibly due to the lack of 
CVE ID.

Regards,

  - Art







Page Last Updated or Reviewed: August 24, 2018