CVE-2015-9266

Published: Sep 5, 2018Modified: Nov 21, 2024

9.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015, all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2.

Affected (12)

Products: Ui: Airmax Ac Firmware, Airmax M Xm Firmware, Airmax M Xw Firmware, Airmax M Ti Firmware, Airgateway Firmware, Airfiber Af24 Firmware, Airfiber Af24hd Firmware, Af5x Firmware, Af5 Firmware · Ubnt: Airos 4 Xs2, Airos 4 Xs5, Edgeswitch Xp Firmware

9 products

Airfiber Af24 Firmware

Airfiber Af24hd Firmware

3 products

Edgeswitch Xp Firmware

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Ui Airmax Ac Firmware	Version 7.1.3

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ui Airmax M Xm Firmware	Before 5.6.2

Running on/with	Platform Versions
Ui Airmax M Xm	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ui Airmax M Xw Firmware	Before 5.6.2

Running on/with	Platform Versions
Ui Airmax M Xw	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ui Airmax M Ti Firmware	Before 5.6.2

Running on/with	Platform Versions
Ui Airmax M Ti	All versions

Configuration E

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ui Airgateway Firmware	Before 1.15

Running on/with	Platform Versions
Ui Airgateway	All versions

Configuration F

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ui Airfiber Af24 Firmware	Before 2.2.1

Running on/with	Platform Versions
Ui Airfiber Af24	All versions

Configuration G

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ui Airfiber Af24hd Firmware	Before 2.2.1

Running on/with	Platform Versions
Ui Airfiber Af24hd	All versions

Configuration H

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ui Af5x Firmware	Before 3.0.2.1

Running on/with	Platform Versions
Ui Af5x	All versions

Configuration I

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ui Af5 Firmware	Before 2.2.1

Running on/with	Platform Versions
Ui Af5	All versions

Configuration J

2 vulnerable · 2 platform

Vulnerable Software	Affected Versions
Ubnt Airos 4 Xs2	Before 4.0.4
Ubnt Airos 4 Xs5	Before 4.0.4

Running on/with	Platform Versions
Ui Airmax Ac	All versions
Ui Airmax M	All versions

Configuration K

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Ubnt Edgeswitch Xp Firmware	Before 1.3.2

Running on/with	Platform Versions
Ui Edgeswitch Xp	All versions

Related CWEs

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (14)

https://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940

Source: cve@mitre.org

Vendor Advisory

https://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949

Source: cve@mitre.org

Vendor Advisory

https://community.ubnt.com/t5/airMAX-Updates-Blog/Security-Release-for-airMAX-TOUGHSwitch-and-airGateway-Released/ba-p/1300494

Source: cve@mitre.org

PatchVendor Advisory

https://hackerone.com/reports/73480

Source: cve@mitre.org

Issue TrackingThird Party Advisory

https://www.exploit-db.com/exploits/39701/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://www.exploit-db.com/exploits/39853/

Source: cve@mitre.org

ExploitThird Party AdvisoryVDB Entry

https://www.rapid7.com/db/modules/exploit/linux/ssh/ubiquiti_airos_file_upload

Source: cve@mitre.org

ExploitThird Party Advisory

https://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940