Re: Fwd: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129

On 8/23/18 5:34 PM, Art Manion wrote:

I've used this/these Ubiquiti vulnerabilities as examples of the lack of CVE 
IDs leading to lack of awareness of the need to take action.  Here's 
the message I sent Ubiquiti this week, no response from them yet.

As a CNA of sometimes last resort, CERT/CC is planning to submit one (or 
two) CVE IDs to cover these vulnerabilities.  I think the second 
(CVE-2016-yyyy) is pretty clear.

I'm bad at reading email, Ubiquiti answered me on 8/21 and says they 
are all the same single vulnerability.  So either CERT/CC or Ubiquiti 
will submit a CVE entry.

 - Art

-------- Forwarded Message --------
Subject: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129
Date: Mon, 20 Aug 2018 17:28:14 -0400
From: Art Manion <amanion@cert.org>
To: security-direct@ubnt.com
CC: CERT <cert@cert.org>, Common Vulnerabilities & Exposures 
<cve@mitre.org>, matt@ubnt.com


We're tracking down missing CVE IDs for one or two older Ubiquiti 
vulnerabilities.  I believe these are distinct vulnerabilities, but 
can't really tell, so I thought I'd ask directly.


Fixed in



Fixed in

(2016-02-13) https://hackerone.com/reports/73480

(2016-04-15) https://www.exploit-db.com/exploits/39701/




(2016-05-25) https://www.exploit-db.com/exploits/39853/

Does this grouping seem right?

Or, since the HackerOne report was filed on 2015-07-01, is the first 
Ubiquiti blog post on 2015-07-17 talking about the same vulnerability?

Aside from updating the CVE catalog, there's a thread I'm trying to 
investigate here.  Researcher used bug bounty (good), vendor fixed bug 
(good), but users didn't notice/act (bad), possibly due to the lack of CVE 


   - Art

Page Last Updated or Reviewed: August 30, 2018