CVE-2023-31997 – UniFi OS 3.1 introduces a misconfiguration that... (How to Fix)

Q: What is the severity of CVE-2023-31997?

CVE-2023-31997 has a CVSS score of 9.0 (CRITICAL). UniFi OS 3.1 introduces a misconfiguration that allows local network users to directly access MongoDB on affected Cloud Key devices. This vulnerability affects Cloud Key Gen2 and Cloud Key Gen2 Plus devices running UniFi OS 3.1 with the UniFi Network application.

📋 TL;DR

UniFi OS 3.1 introduces a misconfiguration that allows local network users to directly access MongoDB on affected Cloud Key devices. This vulnerability affects Cloud Key Gen2 and Cloud Key Gen2 Plus devices running UniFi OS 3.1 with the UniFi Network application.

💻 Affected Systems

Products:

Cloud Key Gen2
Cloud Key Gen2 Plus

Versions: UniFi OS 3.1

Operating Systems: UniFi OS

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects devices running UniFi OS 3.1 with UniFi Network application installed. Other UniFi devices and versions are not affected.

📦 What is this software?

Unifi Os by Ui

View all CVEs affecting Unifi Os →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could access, modify, or delete the MongoDB database containing network configuration, user data, and potentially credentials, leading to complete network compromise.

🟠

Likely Case

Local attackers could extract sensitive network configuration data, modify network settings, or disrupt network services.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to authorized local users who shouldn't have database access.

🌐 Internet-Facing: LOW - The vulnerability requires local network access, not internet exposure.

🏢 Internal Only: HIGH - Any user or compromised device on the local network can potentially exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Direct MongoDB access requires no authentication, making exploitation straightforward for attackers with local network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: UniFi OS 3.1.16 or later

Vendor Advisory: https://community.ui.com/releases/Security-Advisory-Bulletin-032-032/e57301f4-4f5e-4d9f-90bc-71f1923ed7a4

Restart Required: Yes

Instructions:

1. Log into UniFi OS console. 2. Navigate to Settings > Updates. 3. Apply available update to UniFi OS 3.1.16 or later. 4. Reboot the device after update completes.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Cloud Key devices on a separate VLAN or network segment to limit local access.

Firewall Rules

all

Block MongoDB port (27017) access from unauthorized network segments.

🧯 If You Can't Patch

Isolate the Cloud Key on a dedicated management VLAN with strict access controls
Implement network monitoring for unauthorized access attempts to MongoDB port 27017

🔍 How to Verify

Check if Vulnerable:

Check UniFi OS version in console settings. If version is exactly 3.1 and device is Cloud Key Gen2/Gen2 Plus, it's vulnerable.

Check Version:

Check version in UniFi OS web interface under Settings > Updates

Verify Fix Applied:

Verify UniFi OS version is 3.1.16 or later after update.

📡 Detection & Monitoring

Log Indicators:

Unauthorized MongoDB connection attempts
Unusual database queries from local network

Network Indicators:

TCP connections to port 27017 from unauthorized IPs
MongoDB protocol traffic from unexpected sources

SIEM Query:

source_port=27017 AND (src_ip NOT IN [authorized_management_ips])

📊 Metadata

CVE ID: CVE-2023-31997

CVSS v3 Score: 9.0 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-863

Published: July 1, 2023

Last Updated: November 26, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-31997, you might also want to check these: