UniFi Network is an application, available for macOS, Linux and Windows, that is used to set up and manage UniFi Network devices while also providing an overview of the network and control over it.
In the UniFi Network Application, the vulnerability is tracked as CVE-2021-44228, which has a CVSS score of 10; so far it has only been identified in versions prior to UniFi Network Application 6.5.54. This critical vulnerability is dangerous because it enables malicious actors to achieve remote code execution, but what is most worrying is that the command-and-control server used in the attack is linked to a previous SolarWinds attack reported by CrowdStrike.
Discussing the discovery of this vulnerability, in coverage that ran across InfoRiskToday UK and the wider ISMG estate, John Goodacre, director of the UKRI’s Digital Security by Design challenge and Professor of Computer Architectures at Manchester University, said:
“The continued use of known vulnerabilities shows the complexity on both system administrators and software suppliers to keep up with the need to patch. Given the historic investment and likelihood developers will continue to create vulnerable code, it’s important everyone understands how future hardware can help protect software from exploitation by design, and that developers are provided additional tools and capabilities that bring down the costs of delivering products secured by default. The UKRI Digital Security by Design (DSbD) programme is supporting industry to deliver new underpinning technologies with the recently announced DSbD Technology Access programme offering developers the opportunity to understand and evaluate the resulting benefits to their business.”
John Goodacre, director of the UKRI’s Digital Security by Design challenge and Professor of Computer Architectures at Manchester University
Another piece of research that caught our eye was the discovery of a memory corruption vulnerability, tracked as CVE-2021-4034, also known as Pwnkit. Researchers at Qualys discovered the vulnerability in polkit’s pkexec, a SUID-root program installed on all Linux distributions by default, which when exploited allows unprivileged users full root privileges on a vulnerable host. This vulnerability is especially worrying because pkexec, which is a part of Polkit, provides the foundation for critical software running on servers, phones and the Linux kernel.
“Privilege escalation vulnerabilities such as this are a major weapon in the cyber attacker’s arsenal. Although this bug is independently described as a local privilege escalation, they also permit an attacker to extend the harm initiated via another vulnerability in a specific application and its data, to all data in the machine, and potentially the network.”
John Goodacre, director of the UKRI’s Digital Security by Design challenge and Professor of Computer Architectures at Manchester University
“For decades computers have provided just a few levels of privilege, with software finding it too slow and expensive to use these mechanisms to create more secured solutions. The UKRI Digital Security by Design (DSbD) programme recently announced its Technology Access Programme to offer technology businesses the opportunity to investigate the benefits of the DSbD technology. These technologies are able to provide an arbitrary number of privilege and hardware protected compartments while also providing protection against the exploitation of vulnerabilities.”
You can find out more about the Industrial Strategy Challenge Fund here.