CVE-2020-27888

Ubiquiti UniFi Beachhead

thescobberLeave a comment

CVE-2020-27888

The UniFi range of products includes switches, access points and routers. I have recently come across a interesting quirk with how the wireless repeater mode works.

As you may or may not be aware, you can extend your network footprint automatically with UniFi access points. They will when enabled automatically peer access points together. In an effort to establish a virtual cable and keep the network segment connected. I have recently observed two instances with my own UniFi network that could be a show stopper.

  1. When a access point device is installed in a location, powered on and connected to the network. While it is not adopted to a controller (the process of exchanging authentication information). It will wait in limbo for a controller to arrive, and adopt it.
    The problem with this is, if the access point is connected to the private network its possible to adopt it wirelessly. Adopting the access point is a straightforward process. Bring an access point near, and click adopt.
    This will provide connectivity to everything on the access points ethernet socket.
  2. When a access point is removed it is possible to use it to gain access to the network. When it returns within range it will automatically change into wireless uplink mode. And provide connectivity to everything on the access points ethernet socket.

So, when #2 occurs. If a access point is stolen. UniFi has a mechanism to deal with revoking permissions. However if you forget the device while it is in a disconnected state. The access point will not be ‘reset to factory’ automatically. It will continue to perform its meshing duties all the while maintaining ‘managed by other’ state.

Detecting such an attack like #1 would be your devices will appear “managed by other”.
Detecting such an attack like #2 would be to have rogue AP’s detection enabled. Because this does trigger the Rogue AP prompt. In your UniFi console. Only while the device is connected will it say managed by other.

In both these scenarios. There is full ethernet transit enabled. and the entire network is functioning normal.

What mitigations I would like to see from Ubiquiti?

Disable the radio after a period of time waiting to be adopted. power cycling it should reset the timer on the wireless adoption sequence.

Incorporate a mechanism for an administrator to ‘roll’ (automatically or manually). The meshing keys on the access points. this way the credential caching issue should not persist forever.