Re: Fwd: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129

• To: "cve-editorial-board-list@mitre.org" <cve-editorial-board-list@mitre.org>
• Subject: Re: Fwd: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129
• From: Art Manion <amanion@cert.org>
• Date: Fri, 24 Aug 2018 16:58:20 -0400
• Authentication-results: spf=neutral (sender IP is 192.52.194.235) smtp.mailfrom=cert.org; imc.mitre.org; dkim=test (signature was verified) header.d=cert.org;imc.mitre.org; dmarc=pass action=none header.from=cert.org;
• Autocrypt: addr=amanion@cert.org; keydata= xsFNBFoV8GMBEACXd7zH23Gx/W77Gr3Hs+n+BTtEt7IP0jU26vM9i4ASGewrIFZaRIOgL964 xX7Qk1wvxLl8HvUomLNHsJIZYG4EKcNkEfREO7lTx/3nYhG3wjF0DcHYuLwUkwAS3N6p9PQ7 bvEsXZMbfG0L8ASgRy0h4dWg+XGV4xT64REsIlzSsclVaHKTvP7FAMCDG70L/2wc+w24RAzs TYhfxLp4w8TBaVj/pONm+EDGVtK5u4LPLpLS0xmlGxgKP9mYSYAF3j44msAsbsuFPfWTa8JU s9yASol4pMECH24Cp3snHlSNHMl1APfVz3Xsfw5x/mekgCAPcGCARhA9ltRHLYgVMr1JCYZW JdyUB0UEiY0xvlb5JYfCFJm4fL8E2xoW/ATmDIxkU0qguL55AD2VYEwbWEsiP725YMSKBDaC cGH9fa2iuSxnflui6wR4K+FOjXfB2nF561q+HjlRb6bahdkYzWccX4fx3dSlZ6w62qRFNKAE 5zUfe2ZHwis9Bx9iqIp7Ini/sZ3ESJgMr7qlSSkYl10Esdl5CyFyxQ5g/LgzOlywdHazju13 /ckVBPo5vz9ZPOmafiUDSz6R/kbC0+nCrJSjIBvDfBWG7Gl2gon4HqB4Ji6r3+gFEFFJl+O/ PwID6Wh0jAjTQWvD+5L/vFTZ3/875Q2OcoxL9Hh4ls5ptg+7uwARAQABzR1BcnQgTWFuaW9u IDxhbWFuaW9uQGNlcnQub3JnPsLBkQQTAQgAOwIbAwIeAQIXgAULCQgHAwUVCgkICwUWAgMB ABYhBBHNrv2hhwlGumhcAVNt4uTRu2rfBQJaFmXUAhkBAAoJEFNt4uTRu2rfY1IP/j8cjh38 B0mnEo0Lk27r/mYRQhj2Yk/ClsAuPWea56BGAswtW2Q6g6DswcinjvTxrycSqAfpj2ZQP9Rx Ib/FsfozF5bC7Ja5/W4amH1NcTr/cE+sgKX3XZcRlOIrw2d0jmS1SAtDWPWn4zTYKoR7cbDz BAAABLb8/xQn7YFgf8nKQ4ZM0yOTUOnF7wG42UU0Y0ww3b+x2/ZMys0ntpz4ZSOgVJlun2xP WgFzkHu/fEJkVTPkZQweRULIGeFJBzuJP46+FMy6PJFZ/ZudzLy/VBMVAxA/yOszLbRvsl6z 3prRMgI+fJF/11ohRVQ5DWzS4AmfnI9RP6aOlUgEi4MYMcbYKrYGwguhGOpdg5iaO6ir4mhd OMcKLeV0ZqSef0ZpXTLQiTzWuFg9ECof5OCK/Y2VQ2EXyWIi7q4OPTFFoZBl2keoF6j0k272 PCYfJZIzq/ER9mfoH1+7nmIxvZ+XXQ6EoCCPv6le8VKQyZOFVgjD5rPvCeGZgAs9CRbfqYNm bF3jqeMk4kZbJ/+GsKv66M4R0VI2DijOLNF1kGXeU6s45lUBZmcT0Fb2MQ78rNItpeUP+XYj fpB0g/woOIstbSoOqpVZf++HIjnmMHj9jJrbFcMVIPac89EDcjbab3zPTMb5LHdk6AxMsWRM QqxofqoqqzNI7RiKisaDQhINXRwAzsBNBFoV8roBCADZKC4LLl6XhVvHCZZIwa9t2e+swdln YRtxwG1TDRxM1PaV7VDzB9K1FMRDC9CQQmiwI+Vl2j0Kn3BUvkCp3zmP+S7CRgK2vfP1GBAs CURE6j6M7S47qOhQvAvJK0qlF14tCBSX16CceGFV0XzfOUnQGt6m8AnVTr7WODilYsJPWUrj xLe3cKQJs7zk3iMLH1lJ7jNXlAQUgrTurVD7sl6PbKgbmDw3tIgXwep7tMOUzpiN4vCPALA+ WYL+0VxE03TZj/FqNzNrjoKXw+X3za675QnLsXww2cgLBV0Zjg3HZVDT5/0LlQjYqPnaWh3s ZG8uRJ104Thx1JVFLN4+8aDrABEBAAHCwXwEGAEIACYWIQQRza79oYcJRrpoXAFTbeLk0btq 3wUCWhXyugIbDAUJBaOagAAKCRBTbeLk0btq3zHYD/4vvS0lul3UKWGeRsVb33Y3eJ1yv4O3 EpBtmkVgCyxdG3zj8YrI15DCzhn6LSN3FqjV+wovE3SsxIrRjn7eoBA6SH54KlFRrW7pAARc NQaHFU+nX6ST6X3pOoNYzhXPZjkxoUpxyC+ehNARx+3tlQ0LScEr0L5Ttvr8W7nopWaXeuCt VI+8tjDnsCtWLaI2bYi3TYWDJdgWzNFSGYioqIxvQHIpokFZAx6fTKtEYaAqqg2cefRDgNoU bMcHmNtVMAXThLdNAx23F/sv2gV9a612ktCwl6hjKu1vuK4KGnhQu1T/oRk5EUA8jy5yBB6/ S5jwYbZR01EriZXSTXwT/gJcThBIXH8i9/4lUwdhV8+iBP/Pomhs8D7dPU7q1fUYlvVxn8iN K7IFoWdptGv+bhdNsf/qWGxVxOHwTAipr73Fl3eC5RovVM2aAK2Bx6xQFXlh4uPcI/S0gIPG tytClYZxtbXKM3qVhUTZgg1Ge6MgtgJkKWttzRciW0N9t5pZ/IbH7ax0NUv2hjHovGBXhuQb cVAEgmx90iyx9iRizCpgr3JyDNtKX+bc26aGI+mFOdiawp2HihhSazqiEpuNrxlQVWgMgmXa RduAg8L9z2CshZ6Zkcmwea79r8yDsBbwfJEZ71T0WWyfm1UcRVflPFAYb9xE8Ulgh8BQzw// z7Y5Lw==
• Delivery-date: Fri Aug 24 17:04:21 2018
• Dkim-filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu w7OKwLKJ004518
• Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1535144301; bh=ECXGkBiXJPZi0aZJ6M2PUcaLOy8nGTI2YJTjNtX2u40=; h=Subject:From:To:References:Date:In-Reply-To:From; b=EOipfXgYUJnoRQ5Zwg12MO3TaY66e119l7NzgwarNtuhAtob9CxLzj+KvmUKdac+O ld65k1bDWw2HicmgeNe0CURN4J/7GX33mR8/9cvnDO07hggzAgaGIYW6tu0NFaJud4 XjWPptUB0SjragGCGIILL5iXSdvpKT/nAhlmhj0k=
• In-reply-to: <fc50a60d-c9b9-1b21-8393-b608645fe7bd@cert.org>
• Openpgp: preference=signencrypt
• References: <ceefcd0e-2ade-dd32-ed83-f7b10622dc8d@cert.org> <fc50a60d-c9b9-1b21-8393-b608645fe7bd@cert.org>
• Spamdiagnosticmetadata: NSPM
• Spamdiagnosticoutput: 1:99
• User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

On 8/23/18 5:34 PM, Art Manion wrote:

I've used this/these Ubiquiti vulnerabilities as examples of the lack of CVE 
IDs leading to lack of awareness of the need to take action.  Here's 
the message I sent Ubiquiti this week, no response from them yet.

As a CNA of sometimes last resort, CERT/CC is planning to submit one (or 
two) CVE IDs to cover these vulnerabilities.  I think the second 
(CVE-2016-yyyy) is pretty clear.

I'm bad at reading email, Ubiquiti answered me on 8/21 and says they 
are all the same single vulnerability.  So either CERT/CC or Ubiquiti 
will submit a CVE entry.

 - Art

-------- Forwarded Message --------
Subject: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129
Date: Mon, 20 Aug 2018 17:28:14 -0400
From: Art Manion <amanion@cert.org>
To: security-direct@ubnt.com
CC: CERT <cert@cert.org>, Common Vulnerabilities & Exposures 
<cve@mitre.org>, matt@ubnt.com


Hello,

We're tracking down missing CVE IDs for one or two older Ubiquiti 
vulnerabilities.  I believe these are distinct vulnerabilities, but 
can't really tell, so I thought I'd ask directly.


CVE-2015-xxxx

Fixed in 5.5.11.28002

(2015-07-17) 
https://community.ubnt.com/t5/airMAX-Updates-Blog/Security-Release-for-airMAX-TOUGHSwitch-and-airGateway-Released/ba-p/1300494


CVE-2016-yyyy

Fixed in 5.6.5.29033

(2016-02-13) https://hackerone.com/reports/73480

(2016-04-15) https://www.exploit-db.com/exploits/39701/

(2016-05-13) 
https://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940

(2016-05-16) 
https://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949

(2016-05-17) 
https://www.rapid7.com/db/modules/exploit/linux/ssh/ubiquiti_airos_file_upload

(2016-05-25) https://www.exploit-db.com/exploits/39853/


Does this grouping seem right?

Or, since the HackerOne report was filed on 2015-07-01, is the first 
Ubiquiti blog post on 2015-07-17 talking about the same vulnerability?

Aside from updating the CVE catalog, there's a thread I'm trying to 
investigate here.  Researcher used bug bounty (good), vendor fixed bug 
(good), but users didn't notice/act (bad), possibly due to the lack of CVE 
ID.

Regards,

   - Art

• References:
  • Fwd: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129
    • From: Art Manion <amanion@cert.org>

• Prev by Date: Fwd: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129
• Next by Date: CVE Board Meeting Summary - 22 August 2018
• Previous by thread: Fwd: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129
• Next by thread: CVE Board Meeting Summary - 22 August 2018
• Index(es):
  • Date
  • Thread