CVE-2021-33820

7.5 HIGH

📋 TL;DR

An unauthenticated attacker who can reach the camera's web service can cause a denial of service on UniFi Protect G3 FLEX cameras by flooding them with TCP SYN packets, exhausting the web service's connection resources. It affects G3 FLEX cameras running vulnerable firmware (UVC.v4.30.0.67 is the version named). A successful flood renders the camera's web interface unreachable for as long as the traffic continues.

💻 Affected Systems

Products:
  • UniFi Protect G3 FLEX Camera
Versions: UVC.v4.30.0.67 (the release named in the CVE); earlier releases are likely affected as well but are not individually confirmed
Operating Systems: Camera firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web service component of the camera firmware. All cameras running vulnerable firmware are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: The camera becomes completely unresponsive and all remote access and monitoring is lost until it is manually rebooted or the flood stops.

🟠 Likely Case: The web interface becomes inaccessible, blocking configuration changes and live viewing through it, although the camera may keep streaming and recording to the Protect controller if only the web service is exhausted.

🟢 If Mitigated: Minimal impact where cameras sit on a segmented network and SYN rate limiting is enforced at the firewall in front of them.

🌐 Internet-Facing: HIGH - Directly exposed cameras can be easily targeted from anywhere on the internet.
🏢 Internal Only: MEDIUM - Requires internal network access but still exploitable by malicious insiders or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A plain TCP SYN flood (for example with hping3) is sufficient; no authentication, session or crafted application payload is required. A public proof of concept demonstrates the methodology.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: A UVC firmware release later than UVC.v4.30.0.67; the specific fixed version is not named here, so check the UniFi Protect controller for the latest available update

Vendor Advisory: https://community.ui.com/releases

Restart Required: Yes

Instructions:

1. Log into the UniFi Protect controller
2. Navigate to Devices
3. Select the affected camera
4. Check for firmware updates
5. Apply the available update
6. The camera restarts automatically

🔧 Temporary Workarounds

Network Rate Limiting

Configure the firewall or router in front of the camera to limit TCP SYN packets destined for the camera's IP address. On a Linux router the rules belong in the FORWARD chain (INPUT only covers traffic addressed to the router itself). Replace CAMERA_IP with the camera's address:

# Accept new connections to the camera at a bounded rate, then drop the excess
iptables -A FORWARD -d CAMERA_IP -p tcp --syn -m limit --limit 10/s --limit-burst 20 -j ACCEPT
iptables -A FORWARD -d CAMERA_IP -p tcp --syn -j DROP

Caveat: the limit above is an aggregate counter, so a flood from one host also throttles legitimate clients for its duration. A per-source limit is less blunt and only drops the offending host's excess SYNs:

# Drop SYNs from any single source that exceeds 10/s (burst 20) towards the camera
iptables -I FORWARD -d CAMERA_IP -p tcp --syn -m hashlimit --hashlimit-name cam-syn --hashlimit-mode srcip --hashlimit-above 10/s --hashlimit-burst 20 -j DROP

Network Segmentation

Place cameras on an isolated VLAN with access restricted to the Protect controller and administrative hosts

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate cameras from untrusted networks
  • Deploy network-based DDoS protection or rate limiting at firewall/network edge

🔍 How to Verify

Check if Vulnerable:

Check camera firmware version in UniFi Protect controller under Devices > Camera > Settings > About

Check Version:

Check the firmware version string in the UniFi Protect web interface (Devices > Camera > Settings > About); if SSH to the camera is enabled, the same version string can be read from the camera's shell. Compare version components numerically, not as strings.

Verify Fix Applied:

Confirm the reported firmware version is later than UVC.v4.30.0.67, then confirm the web interface stays reachable under normal use. Only reproduce the SYN flood against your own camera in a maintenance window, since it takes the web interface down for the duration of the test.
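Comparing firmware versions by hand is error prone because a plain string comparison orders "UVC.v4.9.0.1" after "UVC.v4.30.0.67". The following is an added example, not part of the original advisory or Ubiquiti's tooling: it parses the UVC version string into numeric components and treats anything at or below the affected release as vulnerable, which follows this page's statement that the affected version is UVC.v4.30.0.67 and that earlier releases are likely affected too (that cut-off is an assumption; the page names no fixed version).

```python
# Added example: numeric comparison of UVC firmware version strings.
# Assumption: releases at or below the affected version are vulnerable,
# releases above it carry the fix (the advisory names no fixed version).
import re
from typing import Tuple

AFFECTED_VERSION = "UVC.v4.30.0.67"   # version named on this page

_VERSION_RE = re.compile(r"^UVC\.v(\d+(?:\.\d+)*)$")


def parse_uvc_version(version: str) -> Tuple[int, ...]:
    """Turn 'UVC.v4.30.0.67' into (4, 30, 0, 67); reject anything else."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a UVC firmware version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: str, affected: str = AFFECTED_VERSION) -> bool:
    """True when the camera reports the affected release or an earlier one.

    Tuples compare component by component, so 4.9.x sorts before 4.30.x
    as intended, unlike a string comparison of the raw version.
    """
    return parse_uvc_version(version) <= parse_uvc_version(affected)


def string_compare_misorders(a: str, b: str) -> bool:
    """Show the pitfall: True when raw string order disagrees with numeric order."""
    lexical = a < b
    numeric = parse_uvc_version(a) < parse_uvc_version(b)
    return lexical != numeric


if __name__ == "__main__":
    for v in ("UVC.v4.30.0.67", "UVC.v4.9.0.1", "UVC.v4.31.0.1"):
        print(v, "vulnerable" if is_vulnerable(v) else "patched")
    print("string compare misorders 4.9 vs 4.30:",
          string_compare_misorders("UVC.v4.9.0.1", "UVC.v4.30.0.67"))
```

Run it against the version string copied from the controller's About panel; a ValueError means the string was not a UVC version and should be checked manually rather than trusted.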

📡 Detection & Monitoring

Log Indicators:

  • High rate of TCP SYN packets in firewall logs
  • Camera web service crash/restart logs
  • Unusual traffic patterns to camera IP

Network Indicators:

  • Spike in TCP SYN packets to camera port 80/443
  • Unusual traffic from single source to camera
  • Camera becoming unresponsive to legitimate requests

SIEM Query:

Pseudo-query in Splunk-style syntax; field names depend on your firewall log source and must be adjusted:

dest_ip="<camera_ip>" AND dest_port IN (80, 443) AND protocol="TCP" AND flags="SYN" | stats count BY src_ip | where count > 1000

Count SYNs only (not SYN-ACK) and scope the time window, since a single source opening a thousand legitimate connections over a day is not the same as a thousand SYNs in ten seconds.
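Where no SIEM is available, the same detection can run directly over firewall logs. The following is an added example, not part of the original advisory: it parses iptables LOG lines (the kernel's netfilter format, in which set TCP flags appear as bare tokens after RES=), keeps only SYN-without-ACK packets aimed at the camera's web ports, and reports any source whose SYN count inside a sliding ten-second window exceeds a threshold. The camera address 192.168.50.10, the source addresses, the log prefix CAM-SYN and the threshold are assumptions, and the sample log lines are constructed.

```python
# Added example: SYN-burst detection over iptables LOG lines.
# Assumptions: camera at 192.168.50.10, LOG prefix "CAM-SYN", sample lines constructed.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

CAMERA_IP = "192.168.50.10"     # assumed camera address
WEB_PORTS = {80, 443}           # web service ports named in the advisory
WINDOW_SECONDS = 10
SYN_THRESHOLD = 100             # SYNs from one source per window before alerting

_KV_RE = re.compile(r"(\w+)=(\S+)")
_TS_RE = re.compile(r"^(\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2})")


def parse_log_line(line: str) -> dict:
    """Extract timestamp, KEY=VALUE fields and the bare TCP flag tokens."""
    m = _TS_RE.match(line)
    if not m:
        return {}
    rec = dict(_KV_RE.findall(line))
    # netfilter LOG prints set flags (SYN, ACK, PSH ...) as bare words after RES=
    tail = line.split("RES=", 1)[1] if "RES=" in line else ""
    rec["_flags"] = {tok for tok in tail.split() if tok.isupper() and "=" not in tok}
    rec["_ts"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return rec


def is_syn_to_camera(rec: dict) -> bool:
    """Initial SYN (no ACK) from a client to the camera's web ports."""
    return (rec.get("PROTO") == "TCP"
            and rec.get("DST") == CAMERA_IP
            and int(rec.get("DPT", 0)) in WEB_PORTS
            and "SYN" in rec["_flags"]
            and "ACK" not in rec["_flags"])


def syn_flood_sources(lines: List[str]) -> Dict[str, int]:
    """Map each offending source to its peak SYN count in any WINDOW_SECONDS span."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec and is_syn_to_camera(rec):
            per_src[rec["SRC"]].append(rec["_ts"])
    alerts = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while (times[end] - times[start]).total_seconds() > WINDOW_SECONDS:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > SYN_THRESHOLD:
            alerts[src] = peak
    return alerts


def _line(ts: str, src: str, spt: int, dpt: int = 80, flags: str = "SYN") -> str:
    """Build one constructed iptables LOG line in the kernel's format."""
    return (f"{ts} fw kernel: [1000.0] CAM-SYN IN=eth0 OUT=eth1 SRC={src} DST={CAMERA_IP} "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT={spt} DPT={dpt} "
            f"WINDOW=512 RES=0x00 {flags} URGP=0")


# Constructed sample: one legitimate client (handshake plus RTSP), one flooder.
SAMPLE_LOG = [
    _line("Jun 10 12:00:01", "192.168.50.20", 51000),                 # browser SYN
    _line("Jun 10 12:00:01", "192.168.50.20", 51000, flags="ACK"),    # handshake completes
    _line("Jun 10 12:00:05", "192.168.50.20", 51001, 443),
    _line("Jun 10 12:00:06", "192.168.50.20", 51002, 554),            # not a web port
] + [
    _line(f"Jun 10 12:00:{i % 5:02d}", "203.0.113.7", 40000 + i) for i in range(150)
]

if __name__ == "__main__":
    for src, peak in syn_flood_sources(SAMPLE_LOG).items():
        print(f"ALERT {src}: {peak} SYNs to {CAMERA_IP} within {WINDOW_SECONDS}s")
```

To produce matching input on a Linux firewall, log SYNs toward the camera with a rule such as `iptables -I FORWARD -d CAMERA_IP -p tcp --syn -j LOG --log-prefix "CAM-SYN "` placed ahead of any drop rule, then feed the kernel log to syn_flood_sources. The sliding window matters: a source that makes 1000 connections over a working day is normal, while 150 SYNs in five seconds is the pattern this advisory describes.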
