Vulnerability Description
We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:Attackers can abuse multiple end-points not protected against cross-site request forgery (CSRF), as a result authenticated users can be persuaded to visit malicious web pages, which allows attackers to perform arbitrary actions, such as downgrade the device's firmware to older versions, modify configuration, upload arbitrary firmware, exfiltrate files and tokens.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ui | Airos | <= 6.2.0 |
| Ui | Ag-Hp-2G16 | - |
| Ui | Ag-Hp-2G20 | - |
| Ui | Ag-Hp-5G23 | - |
| Ui | Ag-Hp-5G27 | - |
| Ui | Airgrid M | - |
| Ui | Airgrid M2 | - |
| Ui | Airgrid M5 | - |
| Ui | Ar | - |
| Ui | Ar-Hp | - |
| Ui | Bm2-Ti | - |
| Ui | Bm2Hp | - |
| Ui | Bm5-Ti | - |
| Ui | Bm5Hp | - |
| Ui | Is-M5 | - |
| Ui | Lbem5-23 | - |
| Ui | Litestation M5 | - |
| Ui | Locom2 | - |
| Ui | Locom5 | - |
| Ui | Locom9 | - |
Related Weaknesses (CWE)
References
- https://community.ui.com/releases/Security-advisory-bulletin-009-009/c45b6c35-2e
- https://community.ui.com/releases/airMAX-M-v6-3-0/c8d5dec9-4030-4d7e-b23f-6a5b35
- https://www.ui.com/download/airmax-mRelease Notes
- https://community.ui.com/releases/Security-advisory-bulletin-009-009/c45b6c35-2eVendor Advisory
- https://community.ui.com/releases/airMAX-M-v6-3-0/c8d5dec9-4030-4d7e-b23f-6a5b35Vendor Advisory
- https://community.ui.com/releases/Security-advisory-bulletin-009-009/c45b6c35-2e
- https://community.ui.com/releases/airMAX-M-v6-3-0/c8d5dec9-4030-4d7e-b23f-6a5b35
- https://www.ui.com/download/airmax-mRelease Notes
FAQ
What is CVE-2020-8168?
CVE-2020-8168 is a vulnerability with a CVSS score of 8.8 (HIGH). We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the ...
How severe is CVE-2020-8168?
CVE-2020-8168 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-8168?
Check the references section above for vendor advisories and patch information. Affected products include: Ui Airos, Ui Ag-Hp-2G16, Ui Ag-Hp-2G20, Ui Ag-Hp-5G23, Ui Ag-Hp-5G27.