CVE-2021-22882

7.5 HIGH

📋 TL;DR

This vulnerability allows attackers to spoof camera devices and send malicious data to UniFi Protect controllers, causing denial-of-service crashes. It affects UniFi Protect network video recorder systems running vulnerable versions. Organizations using UniFi Protect for security camera management are at risk.

💻 Affected Systems

Products:
  • Ubiquiti UniFi Protect
Versions: All versions before v1.17.1
Operating Systems: Ubiquiti's custom OS on UniFi Protect appliances
Default Config Vulnerable: ⚠️ Yes
Notes: Affects UniFi Protect Network Video Recorder (NVR) appliances and software installations managing UniFi cameras.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Continuous DoS attacks could render the UniFi Protect controller completely unavailable, disrupting all camera monitoring and recording functions for extended periods.

🟠 Likely Case

Intermittent controller crashes requiring manual restarts, causing temporary loss of camera feeds and recording gaps during security incidents.

🟢 If Mitigated

With proper network segmentation and updated software, impact is limited to isolated network segments with minimal disruption.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the UniFi Protect controller but no authentication. Attack tools for spoofing cameras are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.17.1 and later

Vendor Advisory: https://community.ui.com/releases/Security-advisory-bulletin-017-017/071141e5-bc2e-4b71-81f3-5e499316fcee

Restart Required: Yes

Instructions:

1. Log in to the UniFi Protect web interface.
2. Navigate to Settings > Updates.
3. Check for available updates.
4. Install v1.17.1 or later.
5. The system restarts automatically after the update.

🔧 Temporary Workarounds

Network Segmentation

Isolate the UniFi Protect controller on a separate VLAN, with strict firewall rules limiting camera communication.

Access Control Lists

Implement ACLs to restrict which IP addresses can communicate with the UniFi Protect controller.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate UniFi Protect controller from untrusted networks
  • Deploy network monitoring to detect spoofed camera traffic patterns and block malicious IPs

🔍 How to Verify

Check if Vulnerable:

Check the UniFi Protect version in the web interface under Settings > Updates. If the version is below 1.17.1, the system is vulnerable.

Check Version:

No CLI command available. Must check via UniFi Protect web interface.

Verify Fix Applied:

After updating, verify that the version shows 1.17.1 or higher in Settings > Updates. Test that camera connectivity remains functional.

📡 Detection & Monitoring

Log Indicators:

  • Unusual camera registration attempts
  • Controller crash/restart logs
  • Multiple failed camera authentication attempts from same source

Network Indicators:

  • Spoofed camera MAC addresses
  • Unusual UDP/TCP traffic to UniFi Protect ports from non-camera devices
  • High volume of camera registration packets

SIEM Query:

source="unifi-protect" AND ((event_type="crash" OR event_type="restart") OR (camera_registration_failure > threshold))
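
The same logic as the query and log indicators above, written out as an added example (not vendor or UniFi Protect code): it counts registration failures per source in a sliding window and ties a controller crash or restart to any source that burst shortly before it. The event field names, sample events, threshold and time windows are all constructed assumptions, not the product's real log schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. The field names (ts, event_type, src_ip) are
# assumptions for illustration, not UniFi Protect's actual log schema.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T10:00:00", "event_type": "camera_registration_failure", "src_ip": "192.0.2.50"},
    {"ts": "2021-03-01T10:00:05", "event_type": "camera_registration_failure", "src_ip": "192.0.2.10"},
    {"ts": "2021-03-01T10:00:10", "event_type": "camera_registration_failure", "src_ip": "192.0.2.50"},
    {"ts": "2021-03-01T10:00:20", "event_type": "camera_registration_failure", "src_ip": "192.0.2.50"},
    {"ts": "2021-03-01T10:00:30", "event_type": "camera_registration_failure", "src_ip": "192.0.2.50"},
    {"ts": "2021-03-01T10:01:00", "event_type": "restart"},
    {"ts": "2021-03-01T10:05:00", "event_type": "camera_registration_failure", "src_ip": "192.0.2.10"},
    {"ts": "2021-03-01T10:30:00", "event_type": "restart"},
]

def detect(events, threshold=3, window=timedelta(seconds=60),
           crash_gap=timedelta(seconds=120)):
    """Return (sources that reached the failure threshold, correlated restarts)."""
    recent = defaultdict(deque)  # src_ip -> failure timestamps inside the window
    last_burst = {}              # src_ip -> last time the threshold was met
    correlated = []              # (restart timestamp, [suspect sources])
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["event_type"] == "camera_registration_failure":
            q = recent[ev["src_ip"]]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                last_burst[ev["src_ip"]] = ts
        elif ev["event_type"] in ("crash", "restart"):
            # A crash or restart shortly after a burst points at that source.
            suspects = sorted(s for s, t in last_burst.items() if ts - t <= crash_gap)
            if suspects:
                correlated.append((ev["ts"], suspects))
    return sorted(last_burst), correlated

if __name__ == "__main__":
    bursts, restarts = detect(SAMPLE_EVENTS)
    print("sources over threshold:", bursts)
    print("restarts following a burst:", restarts)
```

A restart with no preceding burst, such as the second one in the sample data, is not reported as correlated; it may be a routine restart such as the one that follows an update.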
