Log4j Puts Vulnerable Ubiquiti Network Applications at RiskCritical Vulnerability Enables Malicious Actors to Control Applications
A customized exploit for the Log4j vulnerability is targeting Ubiquiti's UniFi Network applications, according to cybersecurity researchers.
Developed by Ubiquiti Networks, UniFi Network can be installed on a Windows, macOS or Linux device, where it can be used to help set up and manage UniFi Network devices as well as provide full oversight and control of a network's traffic, security and wireless performance.
Researchers at security firm Morphisec first detected a successful exploitation of this vulnerability on Jan. 20. But a proof of concept of the attack for the exploitation of UniFi Networks was released a month prior by security firm Sprocket Security (see: Log4Shell Update: VMware Horizon Targeted).
A spokesperson for Ubiquiti was not immediately available to comment.
Attacking UniFi Network
Tracked as CVE-2021-44228, in a UniFi Network Application, the vulnerability has a CVSS score of 10 and allows a malicious actor to perform remote code execution.
The vulnerability affects Version 6.5.53 and earlier. UniFi released a patch on Dec. 10 and fixed the issue in the UniFi Network Version 6.5.54 and later.
Kev Breen, director of cyberthreat research at Immersive Labs, says that Ubiquiti had released updates to all of its vulnerable components, so this attack is only effective against devices that have not been updated.
Breen says attackers watch for researchers releasing proof-of-concept scripts. "As these POC scripts are typically fairly simple exploit commands, it takes time for more capable attackers to refine them into something they can use at scale," he says, which "should give network defenders a small advantage in the race between organizations patching and threat groups weaponizing."
The UniFi Network Application software suite can also be installed natively on Linux and Windows or within a Linux Docker container. The researchers at Sprocket Security opted for a Docker installation for their work as it had the most limited toolset available on the operating system and a restricted environment. They say: "Assuming a limited shell and local setup will make the attack path and post-exploitation steps most reproducible in real-work scenarios. The application is most commonly hosted on port 8443 via HTTPS."
The Morphisec researchers say that the unique quality of the attack is that the command-and-control server is correlated to a previous SolarWinds attack, as reported by CrowdStrike, even before the Log4j issue was reported.
The versions prior to 6.5.54 are vulnerable to remote code execution, the Morphisec researchers say, to explain why they selected version 6.4.54 to attack. They say that the vulnerability is in the "rememberme" (or in some versions the username) value issued in the login request.
Nicholas Anastasi, a penetration tester at Sprocket Security, tells Information Security Media Group that it appears to be a custom exploitation path by the threat actors. He recommends that users and organizations "refrain from exposing administrative login panels to the internet whenever possible to reduce risk."
The Morphisec researchers identified an in-memory Cobalt Strike Beacon dropped by the base64 encoded reverse tcp powershell script, which was communicating with 179.60.150[.]32.
Upon having a reverse shell, Anastasi says, "You'll quickly find you aren't in the 'operating as root.' We've done some research, and this seems to always to be the case, outside some of some fringe configurations."
After further analysis, the Sprocket Security researchers found out that the MongoDB instance storing all application information is listening on localhost without authentication, which means, if an attacker has shell access, they can read from and make modifications to the local MongoDB instance.
This action can lead to extraction of the password hashes for administrative accounts and facilitate an attempt to crack them, reset the password for an administrative user and add their own shadow admin to provide access to the administrative console.
"The first and third options are the most attractive as they theoretically provide access to the administrative console long after any patch is implemented and does not arouse suspicion," Anastasi says. "Once we have administrative access, we can quickly establish persistence and laterally move inside the network. In every Docker and bare metal install, we've seen the MongoDB command-line utility available, which makes the following attack paths possible in almost all environments."
Also, an attacker can perform lateral movement into the affected system, as it is difficult to detect that an additional administrative account was added. The Sprocket Security researchers says that there is no notification presented, and the IT team will have to navigate pretty deep into the system configuration options to see the new account.
Ross Higgins, penetration tester at IT Governance, a part of GRC International Group, says the Log4j remote code execution vulnerability has been identified across many different vendors and products and that successful exploitation of this particular instance affecting the UniFi Network Application could allow further attacks against the internal network through the creation of port forwarding rules and the extraction of credentials, which may be hard to detect.
"Exploitation is easy, effective and efficient. The process of adding administrative users ... can easily be automated using a compiled language like Go. An attacker would need to create a binary storing all needed dependencies that can be dropped to disk and executed. A tool like this could easily proxy traffic into the internal companies network and also make updates to the MongoDB instance without any human interaction," Anastasi says.
Anastasi says users can mitigate this issue by updating their instances of UniFi Network Application to the patched version - 6.5.54.
He also recommends that users disable public access to this application because of the implications associated with exploitation.
"If you need to expose the administrative interface, implement IP whitelisting to allow only IT administrators access to the admin console," Anastasi says.
He also says that he hopes that in the upcoming releases, Ubiquiti will add authentication to prevent the post-exploitation steps.
"During design, the lack of MongoDB auth was most likely considered an acceptable risk by developers. We think Ubiquiti should reconsider the implications and opt to add some form of authentication that prevents an attack similar to the one we laid out."
Breen says people and organizations still struggle with effective patching, especially when it comes to less obvious targets such as network and IoT devices in office environments.
"We are well-attuned to automatically applying updates to our Windows desktops and servers, but applying a patch to the small disc hanging from the ceiling is an easy thing to overlook," he says. "Log4j is the perfect example of why organizations must maintain an active record of all the hardware and software they use, along with appropriate, enforceable patching policies for each, and why your patching policies mustn't be left on a shelf to gather dust."
Log4j Not Going Away
Breen says to expect attacks similar to this one throughout 2022, as the Log4j component is so deeply embedded into so many software components that it presents a large - and very attractive - target. As it can be difficult to determine exactly where and how it's used, many organizations are reportedly sending out requests to vendors, asking them to confirm their exposure and patch status.
Andy Norton, European cyber risk officer at Armis, says Log4Shell attacks are likely, not just because instances are numerous but also because they are difficult to identify since Log4j is a subcomponent of many applications and may or may not be switched on.
"It is vital to monitor for changes in activity of your devices; compromised devices will behave in a way they have never behaved before. Having access to the collective intelligence that spots these changes could well be the difference between repelling or succumbing to an attack," Norton says.
John Goodacre, director of UKRI's Digital Security by Design and a professor of computer architectures at the U.K. University of Manchester, says the continued use of known vulnerabilities shows the complexity that both system administrators and software suppliers need to keep up with and patch. He suggests that in the future, hardware will help protect software from exploitation by design, and developers will have additional tools and capabilities that bring down the costs of delivering products secured by default.