Most people patch quickly, right?…. right?… right???
The Log4J Vulnerability –
I demonstrated the Log4Unifi GitHub repo for easily attacking the vulnerability CVE-2021-44228 on YouTube. Following along with the news by MorphiSec of Log4J and Unifi being targeted by threat actors in the wild, I asked myself, how many unpatched Unifi Controllers still exist? Want to take a guess? If you are not familiar on how you might determine that, lets walk through it together.
The Unifi Reconnaissance –
Shodan.io is an amazing free resource to gather this type of information, and most Threat Actors use automated tools, and API calls to Shodan, as well as many other repositories like this for passive reconnaissance before actively exploiting those resources for profit.
Search – http.title:”UniFi” country:”US” city:”Denver” port:”8443″
The Attack Surface for Log4J and Unifi Results –
In Shodan you will return at the time of this blog, 67 Live devices meeting the criteria of having Unifi in the header, in the US, and (somewhat inaccurately) in Denver responding to the default port of 8443 for Unifi software management. What makes this really easy for the threat actor / researcher, is that Unifi displays the version on the main page, it is not in the http header or information that Shodan would find, but it is easy to click the link to navigate to the site and read the version without having to try the exploit first. You simply need to find a controller that is 6.5.54 or below. In my research the lowest version I found was INSERTHERE
Following this method for the first 20 hosts in the list for major cities, here are the current exploitable percentages:
**Where less than 20 exist, the full list was checked represented in numbers by the percentages, any devices not responding, or in a failed state of some sort are excluded from test data.
- Denver – 75% 15/20
- Wichita – 70% 7/10
- Dallas – 47% 9/19 *A large portion of the sample was professional hosting company cloudunifi.com and they were all patched!
- Atlanta – 50% 10/20
If you look at the total above and use a conservative 30% vulnerable number that would be almost 5,000 vulnerable unifi controllers. Once I gain a foothold with the CVE-2021-44228 there are a number of malicious things that could be done, for example:
- Lateralization to other systems from that landing point
- Use the mongo db to add a new local user, sign in to the web shell, and extract the SSH key that is stored in unifi ui for admin.
- Using the newly escalated privilege, install a crypto miner to profit from your controller
- If a USG exists, add a 0.0.0.0 route to a controlled mitm attack box and see ALL traffic from an organization
- Destroy all network configs at all clients
- and more.
The conclusion –
Patch. CIS Control 7 deals with vulnerability management. The faster you can catalogue, find, patch, and confirm vulnerability closure, the lower your time of exposure and risk. Get on a good cadence. Patch often. Work to remove barriers to patching. Enterprises have thousands of dependencies and massive data flows depending on critical systems. This makes them much more enslaved to their tech debt. This is not true with SMB in the same way. SMB should work to remove LOB (Line of Business) application reliance on systems that cannot go SaaS. They should move to cloud based SaaS tied to their existing Identity and Access Management (IAM). The less “Metal” in the closet, and the less software dependencies on legacy infrastructure can mean much better patching health.
The AWESOME –
The data seems to show that having a mature MSP partner improves patch awareness of vulnerabilities. The cities with higher numbers of MSP aggregators have lower unpatched systems.
One really really positive outcome of the data in this initial run has shown one thing. There were WAY more individual companies and systems that were not patched than their MSP/ITSP brethren. Most MSPs were extremely quick to patch as I am seeing in a small sample size. However the converse is true for many SMBs, their “I got a guy” or “My son is good with tech” seems to play out in versions unpatched for years running their critical data systems in their offices. I found hospitals, prison support supply chain, wifi providers, rural connectivity providers, and medical research companies all with vulnerable controllers.
I plan to continue the research as the months pass and revisit some of the original sample size to see if they patch.
Please feel free to reach out if you would like to discuss!
Matt