Unifi owners - Patch your stuff!

OVERKILL

A level 10 security flaw has been discovered in Unifi Network Application that allows authentication bypass and account takeover:
https://www.bleepingcomputer.com/ne...-unifi-flaw-that-may-enable-account-takeover/

Unifi Network Application 10.1.85 and earlier are vulnerable, and the 10.2 series with 10.2.93 and earlier. If you are still on 9, the affected releases are 9.0.114 and earlier.

From the article, Unifi's own words:

"A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account,"
Here's the Unifi page:
https://community.ui.com/releases/S...-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b

If you are using modern and supported Unifi products, the default configuration is for them to auto-update at 3:00 AM nightly; my UDM-SE is on 10.1.89 already, so I'm already running a patched version.

So, check your stuff!
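One way to act on "check your stuff" across several controllers is to compare each reported version against the cut-offs quoted in the post. The script below is an added example written for this thread, not Ubiquiti's own tooling; the inventory is a constructed sample, and the only facts it encodes are the three "and earlier" thresholds given above (9.0.114, 10.1.85, 10.2.93). For a series the post does not list it refuses to guess and reports "undecided" rather than silently marking the controller patched.

```python
"""Classify UniFi Network Application versions against the affected ranges
quoted in the post above. Added example for this thread, not Ubiquiti code."""
import re
from typing import Dict, List, Optional, Tuple

# Last affected build per (major, minor) series, taken from the post:
# "10.1.85 and earlier", "10.2.93 and earlier", "9.0.114 and earlier".
LAST_AFFECTED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (9, 0): (9, 0, 114),
    (10, 1): (10, 1, 85),
    (10, 2): (10, 2, 93),
}

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY: Dict[str, str] = {
    "udm-se-home": "UniFi Network 10.1.89",
    "cloudkey-office": "10.1.85",
    "self-hosted-lab": "9.0.110",
    "odd-series-box": "10.0.12",
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Pull the first major.minor.patch triple out of a version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is at or below the series cut-off, False if above it,
    None if the post gives no cut-off for that major.minor series."""
    v = parse_version(version)
    last = LAST_AFFECTED.get((v[0], v[1]))
    if last is None:
        return None
    return v <= last


def needs_patch(inventory: Dict[str, str]) -> List[str]:
    """Controllers whose version falls inside an affected range."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver) is True)


def undecided(inventory: Dict[str, str]) -> List[str]:
    """Controllers on a series the post does not cover; check these by hand."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver) is None)


if __name__ == "__main__":
    for name, ver in INVENTORY.items():
        verdict = {True: "AFFECTED", False: "patched", None: "undecided"}[is_affected(ver)]
        print(f"{name:16} {ver:24} {verdict}")
    print("needs patch:", needs_patch(INVENTORY))
    print("undecided:  ", undecided(INVENTORY))
```

Feed it whatever your controllers report (the version string shown in the web UI or in the update notification is enough) and patch anything listed under "needs patch"; anything under "undecided" is a series the post says nothing about, so confirm it against the Ubiquiti release notes rather than assuming.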
 
Thanks for this. Just shared with my friends who run UniFi.

Was personally debating between a whole UniFi refresh or VyOS to replace an EdgeRouter X SFP. Ended up going VyOS since it’s almost Vyatta.
 
AFAIK (not a pro):
This required local access.
The network app isn't accessible from the WAN side (without using the cloud login).
Besides the cloud login, it IS accessible from the LAN side with a direct connection to the local IP,
but of course if your 10-year-old smart fridge with no updates for 9 years on your network is taken over...

Updated network app and protect app yesterday.
Today a bunch of device firmware updates (WAPs and UNAS) and OS updates for CGU, UDM Pro, UDM Pro SE.
 
Yes, while the CVE is a "10", it does require local network access to exploit it.
 
I may be a bit of a UniFi cheerleader... but don't call me a fanboy. 🤣;)

Just this month they have released major updates and new features.
My most disappointing purchase so far is the UNAS-2. I should have held out for the Pro,
but it was a good learning experience to figure it all out with their apps and software,
and I do save clips from the cameras to it. Part of the issue is I really need
2 new 14TB or larger HDDs... with current HDD prices... ugh.

a few months back I would have said it was the UPS 2U, but they added a bunch of features to it and aren't done yet.

I expect them to add custom times for shutdown etc. eventually, but at least it's usable now.

The U7 Pro XGS was also highly improved since the initial release... but for most there's no major upgrade from the regular 7 Pro WAP.
I wanted the metal backplate/heatsink and fanless for my install (most are fanless; early 7 Pro had a fan IIRC).
It was also a slight splurge purchase.

Most unexpected is how good the cameras are on the software side.
the protect software/app is A M A Z I N G.

If anyone has questions or needs equipment recommendations, I'm not a pro but I'd be happy to listen.
 
Oh wow, nice list. Mine isn't anywhere as long...

And yeah, I've been waiting for a good price on a 14TB WD Purple Pro... no luck.

 