Unifi Security Advisory 042 - Hosted controllers 8.3.32 and older
Following notification of Security Advisory 042 directly from Ubiquiti, the Clouduni.fi team has stepped up testing of Network Application version 8.4.59. We will begin upgrading all servers between 3 and 4 September.
While there is little opportunity for a malicious actor to gain access via SSH, as we lock down SSH ports, Clouduni.fi will not take any risks and will upgrade all controllers.
Published: September 3, 2024
Version: 1.0
Revision: 1.0
A command injection vulnerability found in self-hosted UniFi Network servers (Linux) running UniFi Network Application (version 8.3.32 and earlier) allows a malicious actor with unifi user shell access to escalate privileges to root on the host device.
Affected Products:
UniFi Network Application (Version 8.3.32 and earlier).
Mitigation:
Update UniFi Network Application to Version 8.4.59 or later.
Impact:
CVSS v3.0 Severity and Metrics:
Base Score: 7.8 High
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVE: CVE-2024-42025 (Harry Sintonen)
Reference Links: