CVE-2024-29208 in Update UniFi Connect EV Station
Summary
by MITRE • 05/07/2024
An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password.
Affected Products:
UniFi Connect EV Station (Version 1.1.18 and earlier)
UniFi Connect EV Station Pro (Version 1.1.18 and earlier)
UniFi Connect Display (Version 1.9.324 and earlier)
UniFi Connect Display Cast (Version 1.6.225 and earlier)
Mitigation:
Update UniFi Connect Application to Version 3.10.7 or later.
Update UniFi Connect EV Station to Version 1.2.15 or later.
Update UniFi Connect EV Station Pro to Version 1.2.15 or later.
Update UniFi Connect Display to Version 1.11.348 or later.
Update UniFi Connect Display Cast to Version 1.8.255 or later.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/07/2024
This vulnerability represents a critical authentication bypass flaw that undermines the fundamental security controls of UniFi Connect IoT devices. The issue stems from inadequate input validation and verification mechanisms within the password change functionality, allowing unauthorized actors to modify system passwords through API access without possessing the legitimate password. This weakness creates a significant attack surface where malicious entities can gain persistent control over affected devices by simply leveraging existing API credentials. The vulnerability directly violates security principle of least privilege and demonstrates a severe failure in access control implementation.
The technical implementation flaw manifests in the password change API endpoint which fails to validate that the current password matches the stored hash before permitting a password modification. This design oversight creates an authentication bypass condition where the system accepts password change requests without confirming the requester's legitimate authorization. The vulnerability affects multiple device types within the UniFi Connect ecosystem, specifically targeting versions of the EV Station, EV Station Pro, Display, and Display Cast products that were released prior to the specified mitigation versions. This widespread impact across different hardware variants suggests a systemic flaw in the authentication implementation rather than an isolated device-specific issue.
The operational impact of this vulnerability is substantial as it enables attackers to establish persistent access to affected devices, potentially leading to complete system compromise. Once an attacker successfully changes the password, they can maintain unauthorized access without requiring additional authentication factors or knowledge of previous credentials. This vulnerability particularly affects IoT environments where devices may be deployed in sensitive locations such as industrial facilities, commercial buildings, or residential settings where physical access is limited. The risk is exacerbated by the fact that API access is often required for legitimate device management, making this vulnerability particularly dangerous in environments where API credentials are exposed or compromised.
From a cybersecurity framework perspective, this vulnerability aligns with CWE-287 which addresses improper authentication issues and represents a clear violation of the principle of authentication. The flaw also corresponds to ATT&CK technique T1078 which covers valid accounts and privilege escalation through legitimate credentials. Organizations using affected devices face potential risks including unauthorized surveillance, data exfiltration, device hijacking for botnet participation, and disruption of critical services. The vulnerability's impact extends beyond individual device compromise to potentially affect entire network infrastructures where these devices may serve as entry points for lateral movement.
The recommended mitigation strategy involves updating all affected device firmware and application versions to their respective patched releases. This remediation addresses the core authentication bypass by implementing proper password verification mechanisms before accepting password change requests. Security administrators should prioritize these updates across their entire fleet of affected devices, particularly those deployed in high-risk environments or critical infrastructure. Additionally, organizations should conduct comprehensive inventory audits to identify all affected devices and implement network segmentation to limit the potential blast radius of any successful exploitation attempts. The update process should be carefully planned to minimize operational disruption while ensuring complete remediation of the vulnerability across all affected endpoints.