Fwd: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129

Fwd: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129

Art Manion

I've used this/these Ubiquiti vulnerabilities as examples of the lack of CVE IDs leading to lack of awareness of the need to take action.  Here's the message I sent Ubiquiti this week, no response from them yet.

As a CNA of sometimes last resort, CERT/CC is planning to submit one (or two) CVE IDs to cover these vulnerabilities.  I think the second (CVE-2016-yyyy) is pretty clear.

Pinging the Board for any input, material or procedural, before moving forward.

Thanks,

  - Art


-------- Forwarded Message --------
Subject: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129
Date: Mon, 20 Aug 2018 17:28:14 -0400
From: Art Manion <[hidden email]>
To: [hidden email]
CC: CERT <[hidden email]>, Common Vulnerabilities & Exposures <[hidden email]>, [hidden email]


Hello,

We're tracking down missing CVE IDs for one or two older Ubiquiti vulnerabilities.  I believe these are distinct vulnerabilities, but can't really tell, so I thought I'd ask directly.


CVE-2015-xxxx

Fixed in 5.5.11.28002

(2015-07-17) https://community.ubnt.com/t5/airMAX-Updates-Blog/Security-Release-for-airMAX-TOUGHSwitch-and-airGateway-Released/ba-p/1300494


CVE-2016-yyyy

Fixed in 5.6.5.29033

(2016-02-13) https://hackerone.com/reports/73480

(2016-04-15) https://www.exploit-db.com/exploits/39701/

(2016-05-13) https://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940

(2016-05-16) https://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949

(2016-05-17) https://www.rapid7.com/db/modules/exploit/linux/ssh/ubiquiti_airos_file_upload

(2016-05-25) https://www.exploit-db.com/exploits/39853/


Does this grouping seem right?

Or, since the HackerOne report was filed on 2015-07-01, is the first Ubiquiti blog post on 2015-07-17 talking about the same vulnerability?

Aside from updating the CVE catalog, there's a thread I'm trying to investigate here.  Researcher used bug bounty (good), vendor fixed bug (good), but users didn't notice/act (bad), possibly due to the lack of CVE ID.

Regards,

   - Art






Re: Fwd: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129

Art Manion

On 8/23/18 5:34 PM, Art Manion wrote:
>
> I've used this/these Ubiquiti vulnerabilities as examples of the lack of CVE IDs leading to lack of awareness of the need to take action.  Here's the message I sent Ubiquiti this week, no response from them yet.
>
> As a CNA of sometimes last resort, CERT/CC is planning to submit one (or two) CVE IDs to cover these vulnerabilities.  I think the second (CVE-2016-yyyy) is pretty clear.

I'm bad at reading email, Ubiquiti answered me on 8/21 and says they are all the same single vulnerability.  So either CERT/CC or Ubiquiti will submit a CVE entry.

  - Art


> -------- Forwarded Message --------
> Subject: CVE IDs for two(?) older Ubiquiti vulnerabilities VU#557129
> Date: Mon, 20 Aug 2018 17:28:14 -0400
> From: Art Manion <[hidden email]>
> To: [hidden email]
> CC: CERT <[hidden email]>, Common Vulnerabilities & Exposures <[hidden email]>, [hidden email]
>
>
> Hello,
>
> We're tracking down missing CVE IDs for one or two older Ubiquiti vulnerabilities.  I believe these are distinct vulnerabilities, but can't really tell, so I thought I'd ask directly.
>
>
> CVE-2015-xxxx
>
> Fixed in 5.5.11.28002
>
> (2015-07-17) https://community.ubnt.com/t5/airMAX-Updates-Blog/Security-Release-for-airMAX-TOUGHSwitch-and-airGateway-Released/ba-p/1300494
>
>
> CVE-2016-yyyy
>
> Fixed in 5.6.5.29033
>
> (2016-02-13) https://hackerone.com/reports/73480
>
> (2016-04-15) https://www.exploit-db.com/exploits/39701/
>
> (2016-05-13) https://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940
>
> (2016-05-16) https://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949
>
> (2016-05-17) https://www.rapid7.com/db/modules/exploit/linux/ssh/ubiquiti_airos_file_upload
>
> (2016-05-25) https://www.exploit-db.com/exploits/39853/
>
>
> Does this grouping seem right?
>
> Or, since the HackerOne report was filed on 2015-07-01, is the first Ubiquiti blog post on 2015-07-17 talking about the same vulnerability?
>
> Aside from updating the CVE catalog, there's a thread I'm trying to investigate here.  Researcher used bug bounty (good), vendor fixed bug (good), but users didn't notice/act (bad), possibly due to the lack of CVE ID.
>
> Regards,
>
>    - Art
>
>
>
>
>
>
>