Source: cve@mitre.org
Cross-site scripting (XSS) vulnerability in the administer interface in the UniFi Controller in Ubiquiti Networks UniFi 2.3.5 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted client hostname.
Ubiquiti Networks UniFi Controller versions 2.3.5 and earlier are vulnerable to a cross-site scripting (XSS) attack. This vulnerability allows attackers to inject malicious scripts into the administrator interface, potentially leading to account compromise and network control. Successful exploitation could enable attackers to steal credentials, redirect users, or execute arbitrary code within the context of the administrator's session.
Step 1: Payload Delivery: The attacker crafts a malicious hostname containing JavaScript or HTML code (the payload). This payload is designed to execute when rendered in the administrator's browser.
Step 2: Client Association: The attacker connects a device to the UniFi network, assigning the malicious hostname to the device. This could be done through DHCP or by manually configuring the device's hostname.
Step 3: Data Storage: The UniFi Controller stores the malicious hostname in its database.
Step 4: Administrator Interaction: The administrator logs into the UniFi Controller's web interface and navigates to a page that displays client information, such as the client list or client details.
Step 5: Payload Execution: The UniFi Controller retrieves the malicious hostname from the database and displays it in the administrator's browser without proper sanitization. The browser then executes the injected JavaScript or renders the HTML, allowing the attacker's code to run within the administrator's session.
The vulnerability stems from insufficient input validation and output encoding within the UniFi Controller's administer interface. Specifically, the application fails to properly sanitize the client hostname before displaying it in the administrator's web interface. This allows an attacker to inject malicious JavaScript or HTML code into the hostname field. When the administrator views the client's information, the injected code is executed within the administrator's browser, enabling the attacker to perform actions on behalf of the administrator. The root cause is a lack of proper input validation and output encoding (e.g., HTML escaping) when handling the client hostname data. The application trusts the client-supplied hostname without sanitizing it, leading to the XSS vulnerability.
While no specific APTs are definitively linked to the exploitation of this specific CVE, the ease of exploitation and the potential impact (network compromise) make it attractive to various threat actors. This vulnerability could be leveraged by attackers aiming to gain initial access, escalate privileges, or conduct reconnaissance. This vulnerability is not listed in the CISA KEV.
Monitor network traffic for unusual client hostnames, especially those containing HTML tags or JavaScript code (e.g., <script>, <iframe>).
Analyze UniFi Controller logs for suspicious activity, such as unexpected administrator actions or unusual client behavior.
Implement a web application firewall (WAF) to filter out malicious requests containing XSS payloads.
Use a network intrusion detection system (NIDS) to identify and alert on XSS attempts.
Review client hostname configurations for suspicious entries.
Upgrade to UniFi Controller version 2.3.6 or later. This version likely includes a fix for the XSS vulnerability.
Implement a web application firewall (WAF) to filter out malicious requests containing XSS payloads.
Ensure proper input validation and output encoding (HTML escaping) for all user-supplied data, especially client hostnames.
Regularly scan the network for vulnerable devices and apply security patches promptly.
Implement a strong password policy and enforce multi-factor authentication (MFA) for administrator accounts.
Review and restrict administrator access privileges to the minimum necessary.