CVE-2024-54750: Ubiquiti U6-LR Auth Bypass Vulnerability

CVE-2024-54750 Overview

CVE-2024-54750 is a critical hardcoded credentials vulnerability affecting the Ubiquiti U6-LR wireless access point running firmware version 6.6.65. The vulnerability exists in the /etc/shadow file, which contains a hardcoded password that allows attackers to authenticate as the root user. This security flaw enables complete compromise of the affected device, granting attackers full administrative control over the access point and potentially the network it manages.

Critical Impact

Attackers can gain root access to Ubiquiti U6-LR devices by exploiting a hardcoded password in the shadow file, enabling complete device compromise and potential network infiltration.

Affected Products

• Ubiquiti U6-LR firmware version 6.6.65
• Ubiquiti UniFi 6 Long-Range Access Point

Discovery Timeline

• 2024-12-06 - CVE-2024-54750 published to NVD
• 2024-12-09 - Last updated in NVD database

Technical Details for CVE-2024-54750

Vulnerability Analysis

This vulnerability falls under CWE-798 (Use of Hard-coded Credentials), a critical security flaw where authentication credentials are embedded directly within device firmware. In the case of the Ubiquiti U6-LR, the /etc/shadow file contains a pre-configured password hash for the root account. This hardcoded credential persists across device deployments and cannot be easily changed by end users, creating a systemic weakness across all affected devices.

The network-accessible nature of this vulnerability means that any attacker who can reach the device over the network can potentially attempt authentication using the known hardcoded credentials. Once authenticated as root, the attacker gains complete control over the device's operating system, configuration, and network functions.

It is worth noting that Ubiquiti disputes the severity of this finding, stating that the hardcoded password should only exist prior to initial device setup. However, the presence of such credentials in production firmware poses significant security risks, particularly in scenarios where devices may be deployed without proper initial configuration or where the setup process fails to properly replace the default credentials.

Root Cause

The root cause of CVE-2024-54750 is the inclusion of a static password hash in the /etc/shadow file within the device firmware. This represents a fundamental violation of secure development practices, as hardcoded credentials should never be present in production firmware. The shadow file, which stores encrypted user passwords on Unix-like systems, contains a pre-set root password that remains consistent across all devices using this firmware version.

Attack Vector

The attack vector for this vulnerability is network-based, requiring no user interaction or prior authentication. An attacker with network access to the Ubiquiti U6-LR device can attempt to authenticate using the known hardcoded credentials. Successful exploitation grants the attacker root-level access to the device, enabling them to:

• Modify device configuration and network settings
• Intercept and manipulate network traffic
• Install persistent backdoors or malicious firmware
• Pivot to attack other devices on the network
• Exfiltrate sensitive information passing through the access point

The exploitation process involves connecting to the device's administrative interface (typically SSH or web-based management) and authenticating using the hardcoded root credentials discovered in the firmware's shadow file.

Detection Methods for CVE-2024-54750

Indicators of Compromise

• Unexpected root login sessions or SSH connections to Ubiquiti U6-LR devices
• Configuration changes to access points that were not authorized by administrators
• Unusual network traffic patterns originating from or passing through access points
• Modified system files or unauthorized firmware modifications on affected devices

Detection Strategies

• Monitor authentication logs on Ubiquiti U6-LR devices for successful root login attempts, especially from unexpected IP addresses
• Implement network segmentation and monitor for lateral movement from compromised access points
• Use endpoint detection tools to identify devices running vulnerable firmware version 6.6.65
• Deploy intrusion detection signatures to alert on authentication attempts using known default credentials

Monitoring Recommendations

• Enable comprehensive logging on all Ubiquiti network infrastructure devices
• Implement centralized log collection and analysis for authentication events across all access points
• Set up alerts for root-level access to network devices outside of scheduled maintenance windows
• Conduct regular firmware version audits to identify devices running vulnerable versions

How to Mitigate CVE-2024-54750

Immediate Actions Required

• Identify all Ubiquiti U6-LR devices in your environment running firmware version 6.6.65
• Isolate affected devices from sensitive network segments until remediation can be completed
• Ensure all devices have completed initial setup procedures, which may replace default credentials according to Ubiquiti's documentation
• Monitor affected devices closely for signs of unauthorized access

Patch Information

At the time of this publication, no official patch information has been released by Ubiquiti. Administrators should consult the vulnerability report on Notion for additional technical details and monitor Ubiquiti's official security advisories for firmware updates that address this vulnerability.

Workarounds

• Complete the initial device setup process on all Ubiquiti U6-LR devices, which according to Ubiquiti should replace the default credentials
• Restrict network access to device management interfaces using firewall rules and network segmentation
• Implement strong network access controls to limit which systems can communicate with access point management ports
• Consider disabling SSH access if not required and rely solely on the UniFi Controller for device management