CVE-2020-8188
📋 TL;DR
CVE-2020-8188 is a privilege escalation vulnerability in UniFi Protect firmware where users with 'view only' permissions can execute custom commands to assign themselves unauthorized administrative roles. This affects UniFi Cloud Key Gen2 Plus and UniFi Dream Machine Pro/UNVR devices running vulnerable firmware versions.
💻 Affected Systems
- UniFi Cloud Key Gen2 Plus
- UniFi Dream Machine Pro
- UniFi Network Video Recorder (UNVR)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers with view-only access gain full administrative control over the UniFi Protect system, allowing them to modify configurations, access all video feeds, add/remove users, and potentially compromise the entire network.
Likely Case
Malicious insiders or compromised view-only accounts escalate privileges to administrative roles, gaining unauthorized access to surveillance systems and network management functions.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized role changes that can be detected and reversed before significant damage occurs.
🎯 Exploit Status
Exploitation requires authenticated access with view-only permissions. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: UniFi Protect v1.13.3 for Cloud Key Gen2 Plus, v1.14.10 for Dream Machine Pro/UNVR
Vendor Advisory: https://community.ui.com/releases/Security-advisory-bulletin-012-012/1bba9134-f888-4010-81c0-b0dd53b9bda4
Restart Required: Yes
Instructions:
1. Log into the UniFi Protect web interface.
2. Navigate to Settings > System > Updates.
3. Check for available updates.
4. Apply the UniFi Protect firmware update to v1.13.3 (Cloud Key Gen2 Plus) or v1.14.10 (Dream Machine Pro/UNVR).
5. The system will automatically restart after the update.
🔧 Temporary Workarounds
Remove view-only user accounts
Temporarily remove all view-only user accounts until patching can be completed.
Restrict network access
Limit access to the UniFi Protect interface to trusted networks only using firewall rules.
🧯 If You Can't Patch
- Remove all view-only user accounts and use only administrative accounts
- Implement network segmentation to isolate UniFi Protect devices from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check the UniFi Protect firmware version in the web interface: Settings > System > Updates. If the version is v1.13.2 or earlier on a Cloud Key Gen2 Plus, or v1.14.9 or earlier on a Dream Machine Pro/UNVR, the system is vulnerable.
Check Version:
No CLI command is available. Check via the web interface: Settings > System > Updates.
Verify Fix Applied:
After updating, verify firmware version shows v1.13.3 or higher for Cloud Key Gen2 Plus, or v1.14.10 or higher for Dream Machine Pro/UNVR.
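Because the fixed version differs by device line (1.13.x for the Cloud Key Gen2 Plus, 1.14.x for the Dream Machine Pro and UNVR), a fleet inventory check needs a per-model threshold and a numeric, not string, comparison (as a string, "1.14.9" sorts after "1.14.10"). The helper below is an added example, not vendor code; the model labels and the version strings are constructed inputs you would copy from each device's Settings > System > Updates page.

```python
import re

# Lowest fixed version per device line, taken from the advisory above.
# Model keys are normalised labels chosen for this example.
FIXED_VERSIONS = {
    "cloud key gen2 plus": (1, 13, 3),
    "dream machine pro": (1, 14, 10),
    "unvr": (1, 14, 10),
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Turn 'v1.13.2' or '1.14.10' into a comparable tuple of ints."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised UniFi Protect version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(model, version):
    """True when the device runs a build older than the fix for its model."""
    key = model.strip().lower()
    for known, fixed in FIXED_VERSIONS.items():
        if known in key:
            return parse_version(version) < fixed
    raise ValueError(f"no fix threshold known for model {model!r}")


def triage(inventory):
    """Return the subset of (model, version) pairs that still need the update."""
    return [(m, v) for m, v in inventory if is_vulnerable(m, v)]


if __name__ == "__main__":
    # Constructed inventory; not real device data.
    fleet = [
        ("UniFi Cloud Key Gen2 Plus", "v1.13.2"),
        ("UniFi Cloud Key Gen2 Plus", "v1.13.3"),
        ("UniFi Dream Machine Pro", "1.14.9"),
        ("UNVR", "1.14.10"),
    ]
    for model, version in triage(fleet):
        print(f"NEEDS UPDATE: {model} running {version}")
```

The tuple comparison is what makes 1.14.9 correctly rank below 1.14.10; a plain string comparison would report the unpatched device as fixed.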
📡 Detection & Monitoring
Log Indicators:
- Unexpected user role changes
- View-only users executing administrative commands
- Multiple failed login attempts followed by successful privilege escalation
Network Indicators:
- Unusual API calls from view-only user accounts
- Traffic patterns indicating privilege escalation attempts
SIEM Query:
source="unifi-protect" AND (event_type="user_role_change" OR command_execution="true") AND user_role="view_only"
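The SIEM query above flags any event in which a view-only account either changes a role or executes a command. The script below is an added example that applies the same rule outside a SIEM, over a few constructed JSON-per-line log records; the field names (user_role, event_type, command_execution, target_user, new_role) mirror the query and are assumptions, not UniFi Protect's actual log schema. It also marks the specific pattern this CVE describes, a view-only user assigning a role to their own account.

```python
import json

# Constructed sample records, not captured from a real device. Lines 3 and 4
# model a view-only account running a command and then granting itself admin.
SAMPLE_LOGS = """
{"ts": "2020-06-01T10:00:01Z", "user": "lobby-display", "user_role": "view_only", "event_type": "stream_view", "command_execution": "false"}
{"ts": "2020-06-01T10:02:14Z", "user": "admin", "user_role": "admin", "event_type": "user_role_change", "target_user": "new-hire", "new_role": "view_only", "command_execution": "false"}
{"ts": "2020-06-01T10:05:30Z", "user": "lobby-display", "user_role": "view_only", "event_type": "command", "command_execution": "true"}
{"ts": "2020-06-01T10:05:31Z", "user": "lobby-display", "user_role": "view_only", "event_type": "user_role_change", "target_user": "lobby-display", "new_role": "admin", "command_execution": "false"}
""".strip()


def parse_logs(text):
    """Parse one JSON object per line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_suspicious(event):
    """Same predicate as the SIEM query: view_only AND (role change OR command)."""
    if event.get("user_role") != "view_only":
        return False
    role_change = event.get("event_type") == "user_role_change"
    ran_command = str(event.get("command_execution", "false")).lower() == "true"
    return role_change or ran_command


def detect(text):
    """Return one alert dict per suspicious event, in log order."""
    alerts = []
    for ev in parse_logs(text):
        if not is_suspicious(ev):
            continue
        reason = "role_change" if ev.get("event_type") == "user_role_change" else "command_execution"
        alerts.append({
            "ts": ev.get("ts"),
            "user": ev.get("user"),
            "reason": reason,
            "new_role": ev.get("new_role"),
            # The CVE's signature: the actor and the account being changed are the same.
            "self_escalation": reason == "role_change" and ev.get("target_user") == ev.get("user"),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

On the sample input the admin's legitimate role assignment and the view-only user's ordinary stream view produce no alert; the command execution and the self-granted admin role both do, and the latter is tagged as self-escalation so it can be prioritised for reversal.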
🔗 References
- https://community.ui.com/releases/Security-advisory-bulletin-012-012/1bba9134-f888-4010-81c0-b0dd53b9bda4
- https://community.ui.com/releases/UniFi-Protect-1-13-3/f4be7d35-93a3-422b-8eef-122e442c00ba
- https://community.ui.com/releases/UniFi-Protect-1-14-10/48a8dbdd-b872-47fa-bbde-1d24ddf5d5b5