CVE-2023-31997 Overview
CVE-2023-31997 is a critical security misconfiguration vulnerability affecting UniFi OS 3.1 running on Ubiquiti Cloud Key devices. The vulnerability introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access the MongoDB database without proper authorization. This exposes sensitive network configuration data and credentials to adjacent network attackers.
Critical Impact
Adjacent network attackers with low privileges can gain unauthorized access to the MongoDB database, potentially compromising confidentiality, integrity, and availability of the UniFi Network management system.
Affected Products
- UniFi OS 3.1
- Cloud Key Gen2
- Cloud Key Gen2 Plus
Discovery Timeline
- 2023-07-01 - CVE-2023-31997 published to NVD
- 2024-11-26 - Last updated in NVD database
Technical Details for CVE-2023-31997
Vulnerability Analysis
This vulnerability stems from an insecure default configuration introduced in UniFi OS version 3.1. When the UniFi Network application is hosted on applicable Cloud Key devices (Gen2 and Gen2 Plus), the MongoDB instance becomes accessible to users on the local network segment. MongoDB stores critical UniFi Network configuration data, including device credentials, network topology information, and administrative settings.
The vulnerability is classified under CWE-863 (Incorrect Authorization), indicating that while some access controls may exist, they fail to properly restrict database access to authorized users only. An attacker positioned on the adjacent network can leverage this misconfiguration to directly query the MongoDB instance, bypassing the normal UniFi Network web interface authentication mechanisms.
Root Cause
The root cause of CVE-2023-31997 is an insecure default configuration introduced in UniFi OS 3.1. The MongoDB service binding configuration was inadvertently changed to allow connections from the local network interface rather than restricting access to localhost only. This misconfiguration affects Cloud Key Gen2 and Cloud Key Gen2 Plus devices when they are running both UniFi OS 3.1 and hosting the UniFi Network application.
Attack Vector
The attack vector requires adjacent network access, meaning the attacker must be on the same network segment as the vulnerable Cloud Key device. With low-privilege access to the network, an attacker can:
- Discover the Cloud Key device on the local network through service enumeration
- Connect directly to the exposed MongoDB port (typically 27117 for UniFi)
- Query the database without authentication or with default credentials
- Extract sensitive configuration data, credentials, and network topology information
- Potentially modify database records to alter network configurations or create backdoor administrative accounts
This attack does not require user interaction and can have a changed scope impact, affecting resources beyond the vulnerable component itself.
Detection Methods for CVE-2023-31997
Indicators of Compromise
- Unexpected network connections to MongoDB ports (default: 27117) from non-localhost addresses
- Unusual database query patterns or bulk data exports from the UniFi MongoDB instance
- New or modified administrative accounts in the UniFi Network application
- Unexpected configuration changes to network devices managed by UniFi
Detection Strategies
- Monitor network traffic for connections to MongoDB ports originating from hosts other than localhost
- Implement network segmentation monitoring to detect unauthorized cross-segment database access attempts
- Review UniFi Network application logs for anomalous administrative actions or configuration changes
- Deploy intrusion detection rules to identify MongoDB protocol traffic on unexpected network segments
Monitoring Recommendations
- Enable detailed logging on Cloud Key devices and forward logs to a centralized SIEM solution
- Set up alerts for any external connections to the MongoDB service port
- Regularly audit administrative accounts and configuration changes within the UniFi Network application
- Monitor for unauthorized network scanning activity targeting management interfaces
How to Mitigate CVE-2023-31997
Immediate Actions Required
- Update UniFi OS to a version that addresses this misconfiguration (versions newer than 3.1)
- Isolate Cloud Key devices on a dedicated management VLAN with strict access controls
- Implement firewall rules to block MongoDB port access from all hosts except localhost
- Review and audit all administrative accounts for unauthorized modifications
Patch Information
Ubiquiti has released security updates to address this vulnerability. Administrators should consult the UI Community Security Advisory for specific patch versions and update instructions. It is critical to update affected Cloud Key Gen2 and Cloud Key Gen2 Plus devices running UniFi OS 3.1 to the latest available firmware version.
Workarounds
- Place Cloud Key devices on an isolated management network segment inaccessible to general users
- Configure host-based firewall rules on the Cloud Key to restrict MongoDB access to localhost only
- Implement network-level access control lists (ACLs) to prevent unauthorized access to management interfaces
- Consider disabling remote management access until the patch can be applied
# Network isolation configuration example (firewall rule to restrict MongoDB)
# Block external access to MongoDB port 27117
iptables -A INPUT -p tcp --dport 27117 ! -s 127.0.0.1 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
