Delivered-To: jade@trashwitch.dev
Received: by 2002:a54:3bc9:0:0:0:0:0 with SMTP id g9csp344549ecu;
        Wed, 17 Jun 2020 03:04:46 -0700 (PDT)
X-Received: by 2002:a1c:c908:: with SMTP id f8mr7743492wmb.150.1592388286678;
        Wed, 17 Jun 2020 03:04:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1592388286; cv=none;
        d=google.com; s=arc-20160816;
        b=T9gc3x2YkGbjO+eyFAk3Z1PlVaCcxhrc993CQglTVn/h5dA/T5C7sSKNvb0WveXBmy
         i8Y7WwOQ+9fZ40A8AA9WV6bDhKGbb48yy0AlrBDYFOXfSL+PGc9qP9CVNoadCyAlQh04
         Al+iqTPBPbR7zhK62Yj5lkFql6dj+AFwxJHNHPiYF30qz0Bf6zqU5yzvslz+mt4GWYIl
         7qS3pPldAnQHMlamD1GdqvyVV9eRjTTG4cML/vGfEQYkCV3t2IFwR3lEpqds+EjfK5n+
         JO1zWDon1kccdsFnoUvJ/UA6jg4t/CL5cE+Ry6UjVVHmiBhAtQc0wG3TAe+fb22ovRfE
         K5Ig==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=cc:to:subject:message-id:date:from:in-reply-to:references
         :mime-version:dkim-signature;
        bh=pqlZRcvhFWeYWwmfvMmTEtABWehyiPErEdrOp/N313o=;
        b=t7eRWjP+mJayaBuFQ87SKo7RDL7yuYXmkqGPU9GAQgD0EKf925E0IOE3mAY/NmgPV5
         RVkROXATLqYupKvWX7WpsdKTowVxv+xrjpDZfQ7GS5XKWHD5PJmsdENBvItJi0sX9K27
         4kWqYCPCJF+DN34YX0D1GbEjMcyYFWeV9xnMzElqhc2zMU+FJPUzIqmRn3dPFRHDg5sw
         5i4H/Eih1A9YxLxNMrqW9AoKHemrp09gI/DAbyNEo2AXDRZH9ZndyTdIi9grMgv7/BSf
         EY60L+6wmdTI90yz/R0OJQjk4x0WsKN3KwYKKNRIUiYkY8PsGu8vR0KxwbEMUlRHBwM0
         /YFA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ui.com header.s=google header.b=gLtooGd7;
       spf=pass (google.com: domain of marcus.maciel@ui.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=marcus.maciel@ui.com;
       dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ui.com
Return-Path: <marcus.maciel@ui.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])
        by mx.google.com with SMTPS id n126sor3563035wmb.19.2020.06.17.03.04.45
        for <jade@trashwitch.dev>
        (Google Transport Security);
        Wed, 17 Jun 2020 03:04:45 -0700 (PDT)
Received-SPF: pass (google.com: domain of marcus.maciel@ui.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ui.com header.s=google header.b=gLtooGd7;
       spf=pass (google.com: domain of marcus.maciel@ui.com designates 209.85.220.41 as permitted sender) smtp.mailfrom=marcus.maciel@ui.com;
       dmarc=pass (p=REJECT sp=NONE dis=NONE) header.from=ui.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ui.com; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=pqlZRcvhFWeYWwmfvMmTEtABWehyiPErEdrOp/N313o=;
        b=gLtooGd78D3OVL3RF5zm9PjebrTu3dyotTKISvGS3FXz6CEBozgb0ClFfCNl+NlJu0
         Z3r1khEotWSu8L1iaxxNLcT8tZAWcsr8xO80LKnxbilpQiyCJNwSyOrW7kA096BMEFhA
         YegrDbgfLmj725JuTvxQdqSnCmyk1lRz2Z/to=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=pqlZRcvhFWeYWwmfvMmTEtABWehyiPErEdrOp/N313o=;
        b=aXdZX68zF11twLfm0PutmKVHS+1/keK+hYYA8NF6LOpT/WfSrPfmrykOdsNz3o93Y7
         TN42UZgY94pEbXp73OBvd30+SdYSTd4e4Y+wMISrepxIc5xh610jJ4bJyhu5WGSSNFkO
         pATwCS0F3H7Aai/nS4ebhNY36Aiw/z8+WU0yUKqRuqohvUhVysS3BNZn6v8wkkXCtyLw
         FE0o1U2IwlAoR/yzx7p2C/dGd2YCLn7ir0h8XSwcGeHcOfN0eOZAYK+HQ2NQn6ekUAzW
         M4+ZQoJlD503tNKtdNnmho4ZVFycEDov4DtDbnZonphDjo9gNHQd8sPbw+m1wMATEL1x
         Z8Zg==
X-Gm-Message-State: AOAM5333tzjixhjABJfs8sg58o10nO3CsQ9G3emHkckrXvPUNS95peg+
	K5p+QDhXCQX4mb9fj4J09GoR2cnYrsF6Ka24z7y/RD6Uebg=
X-Google-Smtp-Source: ABdhPJwM9LtUgDJJfz/a4flXzW+AuWBljrScoVEZgX/O+oBgKAAEunbq1m5mZxbPC2AI3in6+xLTbrgDLpdWwzzHccw=
X-Received: by 2002:a1c:8048:: with SMTP id b69mr7517245wmd.169.1592388284307;
 Wed, 17 Jun 2020 03:04:44 -0700 (PDT)
MIME-Version: 1.0
References: <CAP2_hE9=Org0kacQ_bpUcVHw+X+9Z3M3jYMU_T1xgSaYh-4eNQ@mail.gmail.com>
In-Reply-To: <CAP2_hE9=Org0kacQ_bpUcVHw+X+9Z3M3jYMU_T1xgSaYh-4eNQ@mail.gmail.com>
From: Security Team <security@ui.com>
Date: Wed, 17 Jun 2020 06:04:33 -0400
Message-ID: <CAO5Q_E_iTpFArgRT84d3LzvrGRQWMaKW_SW=sKvcqD3ujbN37A@mail.gmail.com>
Subject: Re: [Security] improper use of symmetric encryption in UniFi inform protocol
To: Jade Auer <jade@trashwitch.dev>
Cc: Security Team <security@ui.com>
Content-Type: multipart/alternative; boundary="00000000000007f6c705a844ca22"

--00000000000007f6c705a844ca22
Content-Type: text/plain; charset="UTF-8"

Hello Jade,

Can you report this via hackerone.com/ui ? We manage everything including
CVE requests if needed directly from there.

Thank you,
Security Team

On Wed, Jun 17, 2020 at 3:34 AM Jade Auer <jade@trashwitch.dev> wrote:

> Good morning,
>
> # Vulnerability
> (see also: attached)
> Affected product: UniFi controller 5.12.72, USMINI 1.6.1.525 (among others)
> Note: all versions of UniFi controller and device software to date are
> believed to be affected.
>
> Description: use of symmetric encryption instead of asymmetric encryption
> (e.g. TLS) permits observation of traffic without MITM. Use of static
> initial key means any future key exchange should be assumed to be
> compromised.
> See also: CWE-300, CWE-321, CWE-322, CWE-656
>
> Exploit: See attached for example from program extracting keys from pcap
> of device adoption traffic.
>
> Impact: Loss of user privacy, potentially remote root via MITM to inject
> crafted inform responses.
>
> How was this found? Considering implications of protocol design choices
> while reading various 3rd party implementations of the inform protocol.
>
> When was this found? 22 May 2020
>
> Mitigation: Use JSON over TLS for inform request/response instead of
> implementing bespoke encoding methods with symmetric encryption.
>
> # Disclosure Plans
> I have already reported this vulnerability to the following vendors and
> organizations: Facebook (other members of security staff for peer review
> and internal mitigation)
>
> Is this vulnerability being publicly discussed? No, however all the data
> required to discover vulnerability are in public. For example:
> https://jrjparks.github.io/unofficial-unifi-guide
>
> Is there evidence that this vulnerability is being actively exploited? no.
>
> I plan to publicly disclose this on 17 August 2020 (30 days from now) at
> https://jade.wtf/words/unifi-inform-crypto/
> Up to 90 days if delay will meaningfully enable mitigation. Within 14 days
> if y'all do not consider this a vulnerability.
>
> As Ubiquiti is not a CVE Numbering Authority, I intend to request a CVE
> from MITRE on confirmation that one does not already exist, or on 25 July
> 2020 absent other communication on this issue.
>
> # Reporter
> Name: Jade Auer
> Email: jade@trashwitch.dev
>
> Thanks,
> -Jade
>
>

--00000000000007f6c705a844ca22
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">Hello Jade,<div><br></div><div>Can you re=
port this via <a href=3D"http://hackerone.com/ui">hackerone.com/ui</a> ? We=
 manage everything including CVE requests if needed directly from there.</d=
iv><div><br></div><div>Thank you,</div><div>Security Team</div><div></div><=
/div><br><div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">O=
n Wed, Jun 17, 2020 at 3:34 AM Jade Auer &lt;<a href=3D"mailto:jade@trashwi=
tch.dev">jade@trashwitch.dev</a>&gt; wrote:<br></div><blockquote class=3D"g=
mail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204=
,204,204);padding-left:1ex"><div dir=3D"ltr"><div>Good morning,<br><br># Vu=
lnerability<br>(see also: attached)<br>Affected product: UniFi controller 5=
.12.72, USMINI 1.6.1.525 (among others)<br>Note: all versions of UniFi cont=
roller and device software=C2=A0to date=C2=A0are believed to be affected.<b=
r><br></div><div>Description: use of symmetric encryption instead of asymme=
tric=C2=A0encryption (e.g. TLS) permits observation of traffic without MITM=
. Use of static initial key means any future key exchange should be assumed=
 to be compromised.<br>See also: CWE-300, CWE-321, CWE-322, CWE-656</div><d=
iv><br></div><div>Exploit: See attached for example from program extracting=
 keys from pcap of device adoption traffic.</div><div><br></div><div>Impact=
: Loss of user privacy, potentially remote root via MITM to inject crafted =
inform responses.</div><div><br></div><div>How was this found? Considering =
implications of protocol design choices while reading various 3rd party imp=
lementations of the inform protocol.<br><br>When was this found? 22 May 202=
0<br><br>Mitigation: Use JSON over TLS for inform=C2=A0request/response ins=
tead of implementing bespoke encoding methods with symmetric encryption.</d=
iv><div><br># Disclosure Plans<br>I have already reported this vulnerabilit=
y to the following vendors and organizations: Facebook (other members of se=
curity staff for peer review and internal mitigation)<br><br></div><div>Is =
this vulnerability being publicly discussed? No, however all the data requi=
red to discover vulnerability=C2=A0are in public. For example:=C2=A0<a href=
=3D"https://jrjparks.github.io/unofficial-unifi-guide" target=3D"_blank">ht=
tps://jrjparks.github.io/unofficial-unifi-guide</a>=C2=A0=C2=A0</div><div><=
br></div><div>Is there evidence that this vulnerability is being actively e=
xploited? no.</div><div><br></div><div>I plan to publicly disclose this on =
17 August 2020 (30 days from now) at <a href=3D"https://jade.wtf/words/unif=
i-inform-crypto/" target=3D"_blank">https://jade.wtf/words/unifi-inform-cry=
pto/</a><br>Up to 90 days if delay will meaningfully=C2=A0enable mitigation=
. Within 14 days if y&#39;all do not consider=C2=A0this a vulnerability.<br=
><br>As Ubiquiti is not a CVE Numbering Authority, I intend to request a CV=
E from MITRE on confirmation that one does not already exist, or on 25 July=
 2020 absent other communication on this issue.<br><br># Reporter</div><div=
>Name: Jade Auer<br>Email: <a href=3D"mailto:jade@trashwitch.dev" target=3D=
"_blank">jade@trashwitch.dev</a><br><br>Thanks,<br>-Jade</div><div><br></di=
v></div>
</blockquote></div></div>

--00000000000007f6c705a844ca22--