Dueport, posted December 16, 2021
Are C4 controllers vulnerable to this flaw? If not, great. If so, is there a patch we need to make sure gets applied ASAP?
-defunct-, posted December 16, 2021
Nope. Scanned my network with all Control4 products and ended up finding my Buffalo NAS is, lol.
Dueport, posted December 16, 2021
> 7 minutes ago, Dunamivora said: Nope. Scanned my network with all Control4 products and ended up finding my Buffalo NAS is, lol.
Ok, that's great, thank you. Is there a site that explains how to scan your network?
-defunct-, posted December 16, 2021
For my personal use and scanning my home network, I use OpenVAS community edition. It's free, but the VM needs cycling every once in a while since the OS does not update with the free version. For work, we use Acunetix and Nessus; both have the ability to scan for the vulnerability just like OpenVAS. The only places we identified the vulnerability were in Composer and some back-end servers not exposed to the public. All of that is currently being worked on or has been fixed.
Dueport, posted December 17, 2021
> 58 minutes ago, Dunamivora said: For my personal use and scanning my home network, I use OpenVAS community edition. It's free, but the VM needs cycling every once in a while since the OS does not update with the free version. For work, we use Acunetix and Nessus; both have the ability to scan for the vulnerability just like OpenVAS. The only places we identified the vulnerability were in Composer and some back-end servers not exposed to the public. All of that is currently being worked on or has been fixed.
Thank you @Dunamivora - this looks like a good project to explore. Really appreciate the recommendations.
Riverguy, posted December 21, 2021
FYI - I found this statement on the Control4 web site.

LOG4J VULNERABILITY RESPONSE

Dear Partner,

On Friday, Dec 10, a vulnerability in the "Log4j" Java library was announced (CVE-2021-44228).

An initial audit of our systems and applications indicates that the vulnerability is not present in any Snap One mobile application or product.

Snap One's usage of the affected "Log4j" library is limited to internal, backend services. Based on available information, we have no indication that the vulnerability has been exploited within our organization and are confident that there is no impact to customer data.

The security of our products is a top priority and critical to our ongoing commitment to foster trust and transparency for our customers.

Snap One continues to monitor our systems and applications, as well as information provided by CISA (Cybersecurity and Infrastructure Security Agency), threat intelligence and other vendors for new information, and we will continue to take prompt action as necessary.

Snap One Cybersecurity Team
msgreenf, posted December 21, 2021
@Riverguy that statement was likely written by @Dunamivora...
-defunct-, posted December 21, 2021
It wasn't me, but it was my boss and PMs. I'm in all the chats about the vuln though. It's been a wild scramble talking with all the teams to review everything we include in our products and services.
ekohn00, posted December 21, 2021
> 5 hours ago, Riverguy said: FYI - I found this statement on the Control4 web site. LOG4J VULNERABILITY RESPONSE [...] vulnerability is not present in any Snap One mobile application or product. Snap One's usage of the affected "Log4j" library is limited to internal, backend services.
So not in the application, but it is in the backend services? I understand what you're trying to say, but it might need a bit of a tweak.
-defunct-, posted December 21, 2021
> 3 minutes ago, ekohn00 said: So not in the application, but it is in the backend services? I understand what you're trying to say, but it might need a bit of a tweak.
Internal, backend services would be employee tools, nothing that concerns customers and customer services.
zaphod, posted December 21, 2021
But for those of us on Unifi there is a vulnerability in the Unifi Controller software. You need to upgrade to the latest release or manually upgrade the log4j jar files.
ekohn00, posted December 21, 2021
> 1 hour ago, Dunamivora said: Internal, backend services would be employee tools, nothing that concerns customers and customer services.
And customer tools never get compromised in order to gain control of a network....... (sarcasm, in case you can't tell)
-defunct-, posted December 21, 2021
> Just now, ekohn00 said: And customer tools never get compromised in order to gain control of a network....... (sarcasm, in case you can't tell)
??? I would understand the sarcasm if it made sense. No customer tools, software, or services were impacted. The only issues were internal tools unrelated to anything to do with customers.
ekohn00, posted December 21, 2021
> 15 minutes ago, zaphod said: But for those of us on Unifi there is a vulnerability in the Unifi Controller software. You need to upgrade to the latest release or manually upgrade the log4j jar files.
I didn't see anything for the controller, but the network app.... simple upgrade.... https://community.ui.com/releases/Security-Advisory-Bulletin-023-023/808a1db0-5f8e-4b91-9097-9822f3f90207
ekohn00, posted December 21, 2021
> 5 minutes ago, Dunamivora said: ??? I would understand the sarcasm if it made sense. No customer tools, software, or services were impacted. The only issues were internal tools unrelated to anything to do with customers.
A vulnerability need not be directly related to "a customer".
-defunct-, posted December 21, 2021
> 15 minutes ago, ekohn00 said: A vulnerability need not be directly related to "a customer".
Sure, we looked at situations that would indirectly impact customers as well and none existed. We don't use log4j. Are you indicating you feel vulnerable regardless of the reassurance?
DanITman, posted December 21, 2021
You sure your SOLR driver search wasn't impacted? That is Java based and there is a public service for it.
-defunct-, posted December 21, 2021
> 22 minutes ago, DanITman said: You sure your SOLR driver search wasn't impacted? That is Java based and there is a public service for it.
According to our scanners, it was not.
DanITman, posted December 21, 2021
Not sure what version you are using. https://solr.apache.org/security.html#apache-solr-affected-by-apache-log4j-cve-2021-44228
-defunct-, posted December 21, 2021
I'll have to review again, but the critical test (active exploit scanning) found nothing, so if it is a vulnerable version it is not configured in a way that allows the vulnerability.
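The two threads of this discussion, zaphod's "manually upgrade the log4j jar files" and Dunamivora's distinction between a vulnerable version and a deployment that is not configured to allow it, both come down to knowing which log4j-core jars are actually on disk and what state they are in. Network scanners only see what is reachable and answers the probe; a file inventory catches jars bundled inside WARs and fat jars that a scan misses. The script below is an added example and is not code from Snap One, Control4, Ubiquiti or this forum. It walks a directory tree, recurses into nested archives, reads the version from the Maven pom.properties (falling back to the manifest), and reports each log4j-core jar as fixed (2.17.1+, 2.12.4+ on the Java 7 line, 2.3.2+ on the Java 6 line), mitigated (vulnerable version but JndiLookup.class removed, which is Apache's documented workaround) or vulnerable. The sample jars are constructed in memory; the class and properties paths it keys on are what Maven-built log4j-core jars carry, and treating a missing JndiLookup.class as "mitigated" is an assumption that only covers that one workaround, not JVM flags or other config.

```python
"""Inventory log4j-core jars on disk and classify them (added example, not vendor code)."""
import io
import re
import zipfile
from pathlib import Path

CORE_MARKER = "org/apache/logging/log4j/core/Logger.class"            # present only in log4j-core
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"  # removed by Apache's workaround
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(text):
    """Turn '2.14.1' (or '2.17.1-rc1') into (2, 14, 1); None if it does not parse."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed(version):
    """True when the log4j-core version is on a line Apache fixed for the Dec 2021 CVEs:
    2.17.1+, or 2.12.4+ for the Java 7 line, or 2.3.2+ for the Java 6 line."""
    major, minor, patch = version
    if major != 2:
        return False            # log4j 1.x is end-of-life and outside this check
    if minor == 3:
        return patch >= 2
    if minor == 12:
        return patch >= 4
    return (minor, patch) >= (17, 1)


def read_version(zf):
    """Prefer Maven pom.properties; fall back to the manifest Implementation-Version."""
    names = set(zf.namelist())
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                return parse_version(line.split("=", 1)[1])
    if "META-INF/MANIFEST.MF" in names:
        for line in zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace").splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    return None


def classify(version, has_jndi_lookup):
    """Collapse version + JndiLookup presence into one status string."""
    if version is None:
        return "unknown-version"
    if is_fixed(version):
        return "fixed"
    if not has_jndi_lookup:
        return "mitigated"      # vulnerable version, but JndiLookup.class was stripped (assumption: that is the only workaround checked)
    return "vulnerable"


def scan_archive(data, label, findings):
    """Inspect one archive given as bytes; recurse into nested jars (fat jars, WARs, EARs)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        if CORE_MARKER in names:
            version = read_version(zf)
            findings.append((label, version, classify(version, JNDI_LOOKUP in names)))
        for name in names:
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                scan_archive(zf.read(name), f"{label}!{name}", findings)


def scan_tree(root):
    """Walk a directory tree and return (label, version, status) for every log4j-core found."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES:
            scan_archive(path.read_bytes(), str(path), findings)
    return findings


def build_sample_jar(version, include_jndi=True, nested_in=None):
    """Construct a minimal fake log4j-core jar in memory (test data, not a real Apache artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CORE_MARKER, b"")
        zf.writestr(POM_PROPS, f"version={version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"")
    data = buf.getvalue()
    if nested_in:                       # wrap it inside an outer WAR to exercise recursion
        outer = io.BytesIO()
        with zipfile.ZipFile(outer, "w") as zf:
            zf.writestr(nested_in, data)
        data = outer.getvalue()
    return data


def demo():
    """Run the classifier over four constructed archives; labels are made-up paths."""
    findings = []
    scan_archive(build_sample_jar("2.14.1"), "app/lib/log4j-core-2.14.1.jar", findings)
    scan_archive(build_sample_jar("2.14.1", include_jndi=False), "app/lib/log4j-core-2.14.1-stripped.jar", findings)
    scan_archive(build_sample_jar("2.17.1"), "app/lib/log4j-core-2.17.1.jar", findings)
    scan_archive(build_sample_jar("2.12.1", nested_in="WEB-INF/lib/log4j-core-2.12.1.jar"), "app/search.war", findings)
    return findings


if __name__ == "__main__":
    for label, version, status in demo():
        print(f"{status:16} {version} {label}")
```

Point `scan_tree()` at an application install directory to get the same report for real files. A "fixed" or "mitigated" result still says nothing about the configuration or JVM flags of the process that loads the jar, which is why the on-disk inventory and the active probe answer different questions and a defender wants both.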
msgreenf, posted December 21, 2021
All 3 vulns that have been uncovered?
-defunct-, posted December 21, 2021
Log4shell is the primary one that is concerning. The rest are only exploitable in custom configs. Acunetix, Nessus, and Crowdstrike have been good about keeping up with the vulns.
zaphod, posted December 21, 2021
> 4 hours ago, ekohn00 said: I didn't see anything for the controller, but the network app.... simple upgrade.... https://community.ui.com/releases/Security-Advisory-Bulletin-023-023/808a1db0-5f8e-4b91-9097-9822f3f90207
Isn't the Unifi Network the same as the Controller? When they are saying "A vulnerable third-party library used in UniFi Network Version 6.5.53 and earlier (Log4J CVE-2021-44228) allows a malicious actor to control the application." isn't that the Unifi controller? I run the Unifi Controller in a Docker on my unRAID server and there has been discussion on how to fix this vulnerability on the unRAID Docker forums.
ekohn00, posted December 22, 2021
> 2 hours ago, zaphod said: Isn't the Unifi Network the same as the Controller? When they are saying "A vulnerable third-party library used in UniFi Network Version 6.5.53 and earlier (Log4J CVE-2021-44228) allows a malicious actor to control the application." isn't that the Unifi controller? I run the Unifi Controller in a Docker on my unRAID server and there has been discussion on how to fix this vulnerability on the unRAID Docker forums.
I run a UDM-PRO. On the UDM-Pro, it's broken down into "apps". I didn't see anything on the base controller, which is firmware on the UDM-PRO, but only the network module. The Docker/"SW" implementations may be different... I can't remember if my Cloud Key has independent apps, or everything was updated at once.
DanITman, posted December 22, 2021
Ubiquiti already produced patches and you should upgrade.