Hi all,
Please go patch, then come back. We have two controllers - one UDMPro and one Debian VM that has the Unifi software repo in place. Updating through the repo did NOT provide the most recent version of the network app. You must download it separately, or migrate to their Unifi OS installation. I pulled the deb file from here https://fw-download.ubnt.com/data/unifi-controller/1a09-debian-10.1.89-e6115e68-14ea-4a37-9bfc-cd6c09033388.deb
Back to the question.
We have a local UDMPro that manages WiFi for our public visitors. We rely on the portal to force guests to agree to our terms and conditions, so untrusted clients within range of our hotspots will always have access to the UDMPro at some level. To protect against dipshit vulnerabilities like this, I believe the only way to fully segregate controller from userland is to use a third party portal. Would that be true?
Thanks
If you have the guest network set up, they should not have access to the admin portal, only to the captive portal. Without the details I cannot say whether the captive portal could be a source for the compromise.
Regarding the repo, I actually made a post on the UI forums about it not being updated. But UI seems to not really care, it’s this lack of communication from them that bugs me so much. Their Debian repos are completely broken and they don’t even let us know something is wrong.
I bet some admins just ran apt upgrade and think they are safe from this horrible vuln when they aren't.
Anyway, I haven't used the portal with UI stuff, but isn't it on a different port from the controller? As I understand it, this is just with the controller itself, so the admin panel. If you block 443 and 80 to the UDMP by default (which you should, other than on the management VLAN), then I think you're good to go.
However, they aren't being clear about everywhere this path traversal can take place, so it's hard to say for sure.
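The "block 80 and 443 to the UDMP except from the management VLAN" advice above is easy to state and easy to get wrong in practice (a missing drop, a rule ordered after a permissive allow). The following is an added example, not code from this thread or from Ubiquiti: a tiny first-match firewall rule evaluator with an audit function that probes each non-management VLAN against the gateway's admin ports. Every address, VLAN and rule in it is a constructed placeholder, and the captive portal's own ports (which the thread says are separate from the controller's) are deliberately not modelled.

```python
"""Added example (not from the thread): first-match rule evaluator used to
check that only the management VLAN can reach the gateway's admin ports.
All addresses, networks and rules are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str          # "accept" or "drop"
    src: str             # source network, CIDR
    dst: str             # destination network, CIDR
    dports: frozenset    # destination TCP ports; empty set means any port


# Constructed topology: gateway (the UDMP) answers on 10.0.10.1,
# management VLAN is 10.0.10.0/24, guest/other VLANs are 10.0.50.0/24 and
# 10.0.60.0/24. Rules are evaluated top-down; the first match wins.
GATEWAY = "10.0.10.1"
ADMIN_PORTS = (80, 443)

GOOD_RULES = [
    Rule("accept", "10.0.10.0/24", "10.0.10.1/32", frozenset(ADMIN_PORTS)),
    Rule("drop",   "0.0.0.0/0",    "10.0.10.1/32", frozenset(ADMIN_PORTS)),
    Rule("accept", "0.0.0.0/0",    "0.0.0.0/0",    frozenset()),
]

# Same policy with the explicit drop forgotten: the trailing allow-all now
# exposes the admin ports to every VLAN. This is the misconfiguration the
# audit below is meant to catch.
WEAK_RULES = [GOOD_RULES[0], GOOD_RULES[2]]


def evaluate(rules, src_ip, dst_ip, dport):
    """Return the action of the first rule matching this flow, or 'drop'."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if (src in ip_network(r.src) and dst in ip_network(r.dst)
                and (not r.dports or dport in r.dports)):
            return r.action
    return "drop"  # constructed assumption: implicit default is drop


def admin_reachable_from(rules, src_ip, gateway=GATEWAY):
    """True if either admin port on the gateway is accepted from src_ip."""
    return any(evaluate(rules, src_ip, gateway, p) == "accept"
               for p in ADMIN_PORTS)


def audit(rules, non_mgmt_nets, gateway=GATEWAY):
    """Probe one host from each non-management network; return the networks
    that can still reach the gateway's admin ports (should be empty)."""
    exposed = []
    for net in non_mgmt_nets:
        probe = str(ip_network(net)[10])  # an arbitrary host in the VLAN
        if admin_reachable_from(rules, probe, gateway):
            exposed.append(net)
    return exposed


if __name__ == "__main__":
    others = ["10.0.50.0/24", "10.0.60.0/24"]
    print("good ruleset exposes:", audit(GOOD_RULES, others))
    print("weak ruleset exposes:", audit(WEAK_RULES, others))
```

The point of the audit function is the ordering check: a deny rule only helps if it sits before the catch-all allow, and the evaluator reproduces first-match semantics so a misplaced rule shows up as an exposed VLAN rather than looking fine on paper.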
They have not released the details as they are waiting for people to get patched. I agree that their communication has not been great regarding the Debian repos. At this point I would consider those dead and move to their new UniFi OS server. I know of nothing official from them on the topic, but I feel that is how they are moving forward.