1. What is this vulnerability and why does it matter?

A Local privilege escalation vulnerability, identified as CVE-2024-42028, affects Self-Hosted UniFi Network Servers running UniFi Network Application versions 8.4.62 and earlier. This vulnerability allows a malicious actor with a local operational system user to execute high privilege actions on the UniFi Network Server. This matters because it could lead to full system compromise, unauthorized access to sensitive data, or alteration of system configurations, posing a significant risk to network management and security.

2. What are the CVSS score, severity level, and disclosure details?

The CVSS score assigned to this vulnerability is 8.8. This corresponds to a High severity level. The vulnerability was published to the National Vulnerability Database (NVD) on October 28, 2024.

3. Which products, vendors, systems, and versions are affected?

• Products: UniFi Network Application
• Vendors: Ubiquiti
• Systems: Self-Hosted UniFi Network Server
• Affected Versions: UniFi Network Application Version 8.4.62 and earlier

4. What is the technical root cause and attack vector?

The technical root cause of this vulnerability is improper access control (CWE-276). Specifically, the issue arises from incorrect permission handling in system libraries utilized by the UniFi Network Application, which fails to properly restrict access to system commands for local users. The attack vector is local, meaning an attacker must already have local operational system user access on the affected server to exploit this vulnerability.

5. How can this vulnerability be exploited?

This vulnerability can be exploited by a malicious actor who has existing local operational system user access on the UniFi Network Server. Once local access is obtained, the attacker can leverage the insufficient permission checks to execute high privilege actions on the server. The exploitability is considered to have low complexity, require low privileges, and does not need user interaction.

6. What mitigation steps and patches are available?

The primary mitigation step is to update the UniFi Network Application to Version 8.5.6 or later.

Recommended workarounds include:

• Restricting local access to systems.
• Reviewing and auditing local user accounts.
• Reconfiguring and hardening user permissions to ensure the principle of least privilege.
• Isolating affected systems from other sensitive network resources.

7. How can vulnerable systems be detected?

Vulnerable systems can be detected by checking the version of the UniFi Network Application. Any installation running Version 8.4.62 or earlier is affected.

Additionally, security teams can implement detection strategies such as:

• Monitoring for changes in file permissions.
• Monitoring for any unsanctioned use of administrative commands, especially those involving system configurations.
• Setting up alerts for modifications in the sudoers file or changes within key system directories associated with the UniFi application.

8. What are the indicators of compromise (IOCs)?

Indicators of Compromise (IOCs) for this vulnerability may include:

• Unexpected entries in /var/log/auth.log.
• Unauthorized modifications to system files.
• Unusual spikes in user privilege levels.

9. Which threat actors are known to exploit this vulnerability?

As of the current information, there are no known threat actors exploiting this vulnerability in the wild.

10. What public intelligence references and advisories exist?

• CVE Identifier: CVE-2024-42028
• National Vulnerability Database (NVD): nvd.nist.gov/vuln/detail/CVE-2024-42028
• Ubiquiti Community Security Advisory: Bulletin 043 (referenced in search results). The advisory suggests updating to UniFi Network Application 8.5.6 or later for mitigation.
• GitHub Advisory Database: Published on October 28, 2024.

11. What is the risk assessment and urgency level?

The risk associated with CVE-2024-42028 is assessed as High. Successful exploitation allows a local attacker to gain high privileges, potentially leading to unauthorized access to sensitive information and operations, data breaches, system manipulation, and even complete control over the server. The urgency level for remediation is paramount, particularly for organizations where the UniFi Network Server is accessible to local users or where the integrity of network management is critical. Organizations using affected versions must act swiftly and prioritize patching immediately.