Auteur Sujet: brèche de sécurité "catastrophique' chez Ubiquiti  (Lu 2387 fois)

0 Membres et 1 Invité sur ce sujet

kgersen

  • Modérateur
  • Abonné Bbox fibre
  • *
  • Messages: 9 078
  • Paris (75)
brèche de sécurité "catastrophique' chez Ubiquiti
« le: 30 mars 2021 à 21:40:21 »
A confirmer mais a priori gros problème de sécurité chez Ubiquiti:

https://krebsonsecurity.com/2021/03/whistleblower-ubiquiti-breach-catastrophic/


alain_p

  • Abonné Free fibre
  • *
  • Messages: 16 168
  • Delta S 10G-EPON sur Les Ulis (91)
brèche de sécurité "catastrophique' chez Ubiquiti
« Réponse #1 le: 30 mars 2021 à 22:22:36 »
Et ce qui est peut être le plus scandaleux dans l'histoire, d'après les commentaires, c'est que Ubiquiti a récemment, lors d'une mise à jour de firmware de ses produits, forcé ses utilisateurs à stocker leurs identifiants dans leur cloud cloudkey (donc chez AWS), rendant impossible une authentification locale. Cela pourrait leur coûter très cher...

Citer
Was doing setup of a new CK Gen2 Pro last night, was part way through then decided to update firmware to current. Which is 2.0.24 as of this writing. Was shocked to find that I was then forced into performing part of setup again, and forced into using SSO via UI.Com account to login! I have seen other comments in community on this, users reporting not being able to use local login. Answer being login via SSO with your UI.Com account, then toggle remote access off/on. Which is fine for those who still want local access, and don't take issue with forced tethering of device to UI.Com.

https://community.ui.com/questions/Future-of-CloudKey-and-ability-to-run-as-a-local-only-appliance-With-OUT-tether-to-UI-Com-cloud-ser/8365bee6-4ac3-4589-8d92-3985787bbddc


Invarion

  • Abonné MilkyWan
  • *
  • Messages: 131
  • Montpellier 34
brèche de sécurité "catastrophique' chez Ubiquiti
« Réponse #2 le: 30 mars 2021 à 22:32:17 »
Citer
Adam says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee
On parie combien qu'ils vont sortir la carte du "stagiaire"  ::)

kgersen

  • Modérateur
  • Abonné Bbox fibre
  • *
  • Messages: 9 078
  • Paris (75)
brèche de sécurité "catastrophique' chez Ubiquiti
« Réponse #3 le: 31 mars 2021 à 09:12:13 »
des anciens employés se lachent:

Citer
I am 100% not surprised. I spent a year working for Ubiquiti, running the Network Controller team.
Trust me, this whistle-blower "Adam" (I have a few suspicions of who it actually is), toned it down.

The reality is much much worse.


un ex collègue de lui répondre:

Citer
I worked at Ubiquiti while you were there. I can confirm that the company was going downhill fast.
The US offices were starting to feel empty because so many people were leaving the company. Only place I've ever worked where engineers would quit before they got another job.

Saddest part was all the wasted potential. There were good engineers making good products at Ubiquiti only a few years ago. Once UniFi exploded in popularity the CEO started trying to micromanage everything and it all started falling apart.

source: https://news.ycombinator.com/item?id=26638145&p=2



mattmatt73

  • Expert.
  • Abonné Bbox fibre
  • *
  • Messages: 7 338
  • vancia (69)
brèche de sécurité "catastrophique' chez Ubiquiti
« Réponse #4 le: 31 mars 2021 à 15:32:34 »
mais qui va être le nouveau ubiquiti alors ?