CVE-2020-8188 : Security Advisory and Response

Learn about CVE-2020-8188, a command injection vulnerability in UniFi Protect firmware versions v1.13.2, v1.14.9, and earlier. Update to fixed versions v1.13.3 and v1.14.10 to prevent unauthorized privilege escalation.

UniFi Protect firmware versions v1.13.3 and v1.14.10 for UniFi Cloud Key Gen2 Plus, UniFi Dream Machine Pro, and UNVR have been released to address a vulnerability that could allow unauthorized privilege escalation.

Understanding CVE-2020-8188

This CVE involves a command injection vulnerability in UniFi Protect firmware versions v1.13.2, v1.14.9, and earlier.

What is CVE-2020-8188?

The vulnerability allows 'View only' users to execute specific custom commands, enabling them to assign unauthorized roles and elevate their privileges.

The Impact of CVE-2020-8188

Exploitation of this vulnerability could lead to unauthorized access and potential privilege escalation within the affected UniFi Protect devices.

Technical Details of CVE-2020-8188

This section provides more in-depth technical information about the vulnerability.

Vulnerability Description

The vulnerability is classified as a Command Injection - Generic (CWE-77) issue.

Affected Systems and Versions

        Products affected: Protect for UniFi Cloud Key Gen2 Plus, UniFi Dream Machine Pro, UNVR
        Vulnerable versions: v1.13.2, v1.14.9, and prior
        Fixed versions: v1.13.3 and v1.14.10
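Because the fix shipped on two parallel release lines, a plain "newer than v1.13.3" comparison gets v1.14.0 through v1.14.9 wrong. The following added example (not from the advisory or from Ubiquiti) checks an inventory of UniFi Protect version strings against the ranges stated above; it assumes v1.13.3 and v1.14.10 are the earliest fixed builds on the 1.13.x and 1.14.x lines, that later lines include the fix, and that `parse_version`, `is_vulnerable` and `triage` are hypothetical helper names.

```python
# Added example, not vendor code: classify UniFi Protect firmware versions for
# CVE-2020-8188 using the affected/fixed versions given in the advisory.
import re
from typing import List, Tuple

# Assumption: first fixed release on each affected minor line.
FIXED_BY_LINE = {13: (1, 13, 3), 14: (1, 14, 10)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'v1.13.2' or '1.14.10' into a comparable (major, minor, patch) tuple."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised UniFi Protect version: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_vulnerable(text: str) -> bool:
    """True if the version falls in the CVE-2020-8188 affected range."""
    major, minor, patch = parse_version(text)
    if major != 1:
        # Assumption: 0.x predates the fix, 2.x and later carry it.
        return major < 1
    if minor in FIXED_BY_LINE:
        # Compare within the release line, not across lines:
        # v1.14.0 is above v1.13.3 numerically but below its own line's fix.
        return (major, minor, patch) < FIXED_BY_LINE[minor]
    # Lines before 1.13 predate the fix; lines after 1.14 include it.
    return minor < 13


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the names of devices that still need the fixed firmware."""
    return [name for name, version in inventory if is_vulnerable(version)]


if __name__ == "__main__":
    # Constructed sample inventory (device name, reported firmware version).
    sample = [("cloudkey-a", "v1.13.2"), ("udm-pro-b", "v1.14.10"), ("unvr-c", "v1.14.3")]
    for device in triage(sample):
        print(f"{device}: update required (CVE-2020-8188)")
```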

Exploitation Mechanism

Authenticated users holding only the 'View only' role can exploit the vulnerability by running specific custom commands, allowing them to assign themselves unauthorized roles and escalate their privileges.

Mitigation and Prevention

To address and prevent the exploitation of CVE-2020-8188, follow these steps:

Immediate Steps to Take

        Update affected devices to the fixed versions: v1.13.3 and v1.14.10
        Restrict access to privileged functions to authorized users only

Long-Term Security Practices

        Regularly monitor and update firmware to the latest versions
        Implement least privilege access controls to limit user capabilities

Patching and Updates

        Stay informed about security advisories and updates from the vendor
        Apply patches promptly to ensure protection against known vulnerabilities
