This Week In Security: Ubiquiti, Nissan, Zyxel, And Dovecot

You may have been one of the many of us who received an email from Ubiquiti this week, recommending a password change. The email stated that there was unauthorized access to Ubiquiti systems, and while there wasn’t evidence of user data being accessed, there was also not enough evidence to say emphatically that user data was not accessed. Ubiquiti has mentioned that the database that may have been accessed contains a user’s name, email address, hashed password, and optionally the mailing address and phone number.

Depending on how the Ubiquiti authentication system is designed, that hashed password may be enough to log in to someone’s account. In any case, updating your password would invalidate the potentially compromised hash. This event underscores a complaint voiced by Ubiquiti users: Ubiquiti has been making it difficult to administrate hardware without a cloud-enabled account.

Nissan Source Code

Nissan was hosting a large git repository using Atlassian’s Bitbucket. That install was still using default credentials for the admin account, and someone finally noticed. The researcher who first discovered the issue has remained anonymous, and the primary source for the linked article was caught up in the recent outbreak of Twitter censorship, with an account suspension.

The repository contained code from Nissan mobile apps, marketing information, and code for internal-only services. The 18.4 GB data dump is still available on the darker corners of the internet, via torrent files.

Zyxel Scans Seen by ISC

Remember the Zyxel problem we talked about last week? Well, this didn’t take long. The Internet Storm Center (ISC) is reporting that it is already seeing SSH login attempts using those hard-coded credentials.

It’s worth taking a minute to call out the ISC and similar efforts for their invaluable work. The ISC primarily serves as a clearinghouse for data from Intrusion Detection Systems and firewalls around the internet. When new patterns emerge in that data, the volunteers watching it can quickly identify new attacks. In some cases, this quick response can give administrators around the world time to patch the vulnerability being targeted before they are compromised.

Dovecot Hibernation

Dovecot has released version 2.3.13, and there is a fix for a notable vulnerability, CVE-2020-24386. IMAP supports an IDLE command, putting the connection to the server in a holding pattern, ready to push real-time mail notifications to the client. The vulnerability allows a client to put its connection in this state, and then send a malicious request to the server. This request can allow for limited filesystem access, most notably the downloading of messages from other accounts. It’s possible to mitigate the flaw through disabling IMAP hibernation, but the recommendation is to simply update to the latest release.

Telegram Triangulation

Telegram is one of the go-to solutions for sending secure messages. Just over a year ago, Telegram introduced “People Near Me”, a feature for finding nearby users who have opted in to the service. If you’ve opted in, you might consider going and turning that feature off. Telegram gives a very precise and accurate distance to anyone else who is within seven miles. That distance updates in real time, which is great for meetups. What might not be immediately obvious is that it’s rather trivial to spoof a device’s location to anywhere in the world. Within a few minutes, it’s possible to precisely locate anyone in the world who has Telegram’s location service turned on. Other services have prevented this problem by giving less precise location data. So far, Telegram has responded that this is not a bug, and it doesn’t plan to make any changes.

How Solarwinds Got Hacked

More details on the Solarwinds backdoor are slowly coming to light. The more information is revealed, the more interesting the story becomes. This week, we got Crowdstrike’s write-up of the malware running on Solarwinds machines. This malware, dubbed Sunspot, isn’t the Orion backdoor itself; it is a custom-written piece of malware that modifies source code surreptitiously at compile time. This brings to mind the old Trusting Trust attack.

Sunspot was written to very carefully hide from detection, and to only take action when it detects code compiling. It checks once a second for MsBuild.exe, and whether it is building Orion. If it is, it modifies one source code file, waits for compilation to complete, and then undoes the malicious change. A developer would be hard-pressed to discover the modification, because it only exists during compilation, while the developer is out getting coffee anyway. We were somewhat skeptical when Solarwinds first called this a “sophisticated and novel” hack, but the evidence seems to affirm that opinion.
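The compile-time-only modification is exactly what a before/after checksum of the source tree misses, so a build pipeline has to look while the build is running. As an added example (not Crowdstrike’s analysis code or anything from Solarwinds), this Python script keeps re-hashing a source tree during a build and reports any file that deviated from the pre-build baseline, even if it was restored before the build finished; the file name and the simulated build are constructed for the demonstration.

```python
import hashlib
import tempfile
import threading
import time
from pathlib import Path

def snapshot(root):
    """Map every file under root (as a relative path) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_snapshot(baseline, current):
    """Return the relative paths whose content differs from the baseline
    (added, modified or removed files)."""
    modified = {p for p, h in current.items() if baseline.get(p) != h}
    removed = {p for p in baseline if p not in current}
    return sorted(modified | removed)

def monitor_build(root, build, interval=0.02):
    """Run build() while re-hashing the tree on a tight loop; record any file
    that deviated from the baseline, even one restored before the build ended."""
    baseline = snapshot(root)
    transient, done = set(), threading.Event()
    def runner():
        try:
            build()
        finally:
            done.set()
    worker = threading.Thread(target=runner)
    worker.start()
    while not done.is_set():
        transient.update(diff_snapshot(baseline, snapshot(root)))
        time.sleep(interval)
    worker.join()
    return {"transient": sorted(transient),
            "persistent": diff_snapshot(baseline, snapshot(root))}

def demo():
    """Constructed scenario: a 'build' that patches one source file only while
    compiling and then restores the original, as the article describes."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "Orion.cs"          # placeholder name, not a real path
        original = "class Orion { }\n"
        src.write_text(original)
        def build():
            src.write_text(original + "// injected only while compiling\n")
            time.sleep(0.3)                   # stands in for the compile step
            src.write_text(original)
        return monitor_build(tmp, build)
```

A post-build comparison alone would report nothing here; the transient list is what catches the Sunspot-style edit.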

27 thoughts on “This Week In Security: Ubiquiti, Nissan, Zyxel, And Dovecot”

  1. I’m not an IT guy so help me here:

    “This event underscores a complaint voiced by Ubiquiti users: Ubiquiti has been making it harder to avoid administrating hardware with local only accounts.”

    I’m having trouble parsing this sentence. To me, local-only is preferred. Is this sentence saying (a) IT people agree or disagree with that; and (b) Ubiquiti does or doesn’t support that?

    1. Their devices require internet connection to initially configure and setup. After that they can be administered locally but the cloud access component requires you to register the hardware and tie it to your login for tunneling and remote control/configuration.

      1. It should outright be criminal to design devices that forcefully require internet access in any way, shape or capacity for configuration without a damn valid need for such.

        For example, I had (with emphasis on past tense) a pair of Bose wireless noise canceling headphones I bought on black Friday.
        Turns out they could only be configured by being paired with an Android or iOS device with internet access with Bose’s configuration app on it.
        And hoo boy, that Bose app turned out to be a real personal information slurper.
        Needless to say, after desperately trying (and failing) to find a big boy PC program to do the configuration without data hoovering (since I was gonna use it exclusively with my computer anyway), I returned it for a refund.

        1. To be honest, with their hardware price point it’s kind of understood they’re doing this. There have been multiple occasions though where I preconfigure a Dream Machine and all the other Ubiquiti hardware on site before going to an install because I don’t know if the internet will be installed by the time I get there. That way I can still locally set up and configure everything. Most of the time the Ubiquiti hardware can be configured with just a LAN IP for WAN, sometimes not. Most of the Ubiquiti deployments I have also have a dynamic DNS setup and VPN configuration so I can configure them if their cloud service goes down.

      2. I don’t think so, you can install the Unifi controller on your PC and use it to configure hardware that requires a controller. You can also buy a physical device that acts as a controller. But it’s a good idea to have Internet connectivity so you can update firmware for devices.

        1. As I discovered the hard way, not all Ubiquiti hardware works with the Unifi controller. I did an install with a bunch of access points and an Edgerouter. The APs worked nicely with the controller, but the Edgerouter was considered enterprise hardware, and not supported. I was able to use an offline account, thankfully.

    2. Generally IT people prefer having control of local vs remote. At least having the choice. Suspect most would see the benefits in remote site administration if done right. Issue is that ubnt is making that harder and harder. Sites running their latest gear like the dream machine must be remote admined and there is no longer the option to roll your own L3 controller (eg in aws). We run a few udm pros and it pissed me off at first. To be fair, it seems to work and they support mfa with their single sign on – so meh I guess.

    3. Newer Ubiquiti devices can’t be set up *at all* without an online cloud account.
      I used to be a huge UB fan, but this recent change in design and support has soured me.

      Recently I was asked to set up a UDM Pro and a bunch of their cameras for a surveillance system at a farm.
      Internet connectivity doesn’t exist. Ubiquiti doesn’t mention it is required now.
      Their support staff refused to accept a return, saying I can take the hardware elsewhere to put online and setup…
      So they had to process a $3k chargeback against them and have the bank block their attempts at reclaiming the money.

      The owner of the farm is a long time friend and didn’t blame me or anything, but it was a huge professional embarrassment I don’t ever intend to repeat.

  2. The ubiquiti hack DID leak usernames/passwords; I work for a small telecommunications company, and about half of our deployed Edgerouter X units are under malicious control, with the only solution being a factory reset.

    1. Note that it was both their accounts.ui.com and unifi.ui.com portals that were hacked into. So there’s two concerns.
      The username and password hashes are leaked, and everyone that had unifi.ui remote access enabled received a remote command to modify the primary SSH trust username/password used when the controller provisions devices.

      This gives/gave them remote access without needing your password, but of course they can always brute force that hash later too.

    1. “If it looks like a duck, and quacks like a duck, we have at least to consider the possibility that we have a small aquatic bird of the family anatidae on our hands.”

      ― Douglas Adams

    2. I am impressed with your calling out Twitter’s “Censorship”. You are very brave to state the truth. Just be ready to be CANCELLED unjustly. Free speech in America is dead. R.I.P.

  3. At the factory I work for, we recently changed all the different network components (yes, ZyXel managed switches and Ubiquiti routers/APs amongst them) to a single brand: Mikrotik.

  4. ….was caught up in the recent outbreak of Twitter censorship, with an account suspension.

    THIS is newsworthy, a debate about freedom of speech as it applies to our current places of political discourse. Technically social media is not a ‘right’, sure… it IS the most effective way for any new political idea to be heard, regardless of how much money proponents have. And it seems like far too many people, yourself included, are far too willing to shrug and say “oh well”.

    “Oh well, our political discourse is shaped and guided by private corporations and Saudi investors.”
