Recently, the bulk of security alerts and vulnerability reports seems to come from hardware vendors. Well-established vendors of network equipment and other hardware products have been reporting vulnerabilities at a higher frequency than usual. Vulnerabilities in the software that supports network equipment are especially worrying, as network equipment makes up the backbone of private, public, and enterprise business operations.
Ubiquiti Inc.
Regarding network equipment, yet another alarming vulnerability report surfaced on August 31st, 2021, concerning the UniFi Protect Application. Ubiquiti Inc. has had its fair share of controversy in the past (like run-ins with the government) as well as some hefty security issues, including trojans and cloud breaches. The majority of the controversies and issues stem from the fact that Ubiquiti Inc. has worked a great deal with distributors and questionable third parties.
What is UniFi Protect?
The UniFi Protect Application manages several types of devices, such as cameras, access control, and video storage. UniFi Protect is supplied by networking company Ubiquiti Inc. Ubiquiti, established in 2003 and based in the U.S., provides wireless data communication as well as wired solutions for all types of networking. Ubiquiti makes upwards of $1 billion in revenue and provides a wide range of products that are sold under several brand names. According to the official Ubiquiti website, “UniFi Protect is Ubiquiti’s surveillance camera and video management system for UniFi cameras and security products.” The UniFi Protect software works with the Protect line of cameras and can manage them as well as other devices. With UniFi Protect, it is also possible to view camera streams and store recordings. Finally, the application allows adding ‘privacy zones’ to each configured camera, enabling smart detection and more. UniFi Protect functions in tandem with the UniFi OS Console hardware provided by Ubiquiti Inc.
The UniFi Protect Vulnerability
On August 31st, 2021, an entry for the UniFi Protect Application vulnerability was logged in the public CVE (Common Vulnerabilities and Exposures) database. The vulnerability may allow a remote attacker to elevate privileges and gain entry into the UniFi Protect Application by simply accessing the local network.
Technical Details
Vulnerable Software Versions
Versions V1.18.1 and earlier of the UniFi Protect application (hosted by UniFi OS Consoles) are affected by this vulnerability.
Important User Information
Users and customers should know that a security fix is available in version 1.19.0. Users should upgrade to the latest version immediately. The fix should be downloaded automatically by the system. Users can also refer to the UniFi Protect download page, visit the help center, or contact Ubiquiti via Facebook.