CVE-2020-8145 : What You Need to Know
Learn about CVE-2020-8145, a privilege escalation vulnerability in UniFi Video Controller (for Windows 7/8/10 x64) allowing unauthorized users to modify application configurations.
A privilege escalation vulnerability in UniFi Video Controller (for Windows 7/8/10 x64) allows low privileged users to overwrite application configurations.
Understanding CVE-2020-8145
What is CVE-2020-8145?
The vulnerability in UniFi Video Controller (for Windows 7/8/10 x64) allows unauthorized users to access and modify application configurations, potentially leading to privilege escalation.
The Impact of CVE-2020-8145
The vulnerability can be exploited by low privileged users to overwrite the current application configuration, including adding new administrative users.
Technical Details of CVE-2020-8145
Vulnerability Description
The UniFi Video Server (Windows) web interface lacks sufficient privilege checks, enabling unauthorized access to critical endpoints.
Affected Systems and Versions
- Affected Product: UniFi Video Controller v3.9.3 (for Windows 7/8/10 x64) and prior
- Fixed Version: UniFi Video Controller v3.9.6 and newer
Exploitation Mechanism
Unauthorized users belonging to specific user groups can exploit the 'backup' and 'wizard' endpoints to manipulate application configurations.
Mitigation and Prevention
Immediate Steps to Take
- Upgrade to UniFi Video Controller v3.9.6 or newer to mitigate the vulnerability
- Restrict access to the affected endpoints to authorized users only
Long-Term Security Practices
- Regularly review and update user access privileges
- Implement strong authentication mechanisms to prevent unauthorized access
Patching and Updates
Apply security patches and updates provided by the vendor to address known vulnerabilities.