back to article Ubiquiti, go write on the board 100 times, 'I must validate input data before using it'... Update silently breaks IDS/IPS

Ubiquiti got a lesson in never blindly trusting external input this month. Its intrusion detection and prevention system (IDS/IPS) feature on its gateway hardware fetched a set of rules from an outside source that were broken, and rather than ignore the invalid data and fall back to known-valid data, it simply silently stopped …

  1. This post has been deleted by its author

  2. This post has been deleted by its author

  3. This post has been deleted by its author

  4. Mike 137 Silver badge

    "This is a beta service for [their security] products"

    Two points:

    [1] a beta security service operating live?

    [2] just shows what we all guessed - security appliance software development is as sloppy as it is for everything else.

    So much for "cyber security".

    1. Sandtitz Silver badge

      Re: "This is a beta service for [their security] products"

      "[1] a beta security service operating live?"

      Many security product manufacturers have opt-in beta channels for those who really like to test upcoming features. As long as Ubiquiti has clearly flagged (?) this feature with an appopriate warning, I would have no problem with it.

      "[2] just shows what we all guessed - security appliance software development is as sloppy as it is for everything else."

      Perhaps it is, but drawing conclusions from a single incident is unwise.

      Also, grouping all software development in the same "sloppy basket" doesn't seem to reflect reality.

      1. ckm5

        Re: "This is a beta service for [their security] products"

        I use a USG and IDS/IPS is clearly labeled as beta. I don't have it turned on as a slows the device down 10x and, after running it for a month, I just wasn't picking up any 'threats'.

    2. vtcodger Silver badge

      Re: "This is a beta service for [their security] products"

      Hey, it probably sort of works most of the time. And the alternatives are likely no better. It's sort of like a guard dog that is more interested in chasing squirrels than in intimidating intruders. Probably better than nothing.

    3. fidodogbreath

      Re: "This is a beta service for [their security] products"

      I use and like Ubiquiti gear, but any longtime user will tell you that all of their Unifi "stable" releases are betas. Unless a new version contains a specific fix that I need urgently, I let their releases soak for a month or two before installing on production equipment.

      Fortunately, their forums and r/ubiquiti are filled with masochists super-conscientious admins who install every release as soon as it's published and post about the aftermath result.

  5. EnviableOne

    dont they know the 11th commandment, "Thou shalt ALWAYS sanitiser your inputs"

    1. NetBlackOps

      and, of late, your hands. Which isn't a bad reminder.

    2. Anonymous Coward


      11 is too low. I'd put it in the top five.

      Thou shalt renew thy domain names and security certificates.

      Thou shalt patch vulnerabilities.

      Thou shalt document.

      Thou shalt check your inputs.

      Thou shalt not covet your neighbor's workstation or monitors or chair.

  6. Dvon of Edzore
    Thumb Down

    Business as Usual

    Ubiquiti leaves promised and advertised features as "beta" for years. Apparently "beta" on their planet means both "broken" and "working as designed". If it filled a checkbox in a pseudo-review and got you to buy the product, it's working as designed, and by calling it "beta" they don't have to actually deliver a working component.

    They also string customers along with "next update" promises until they declare the item End-of-Life and drop even pretend support. They're permanently on my Never Again list after spending resources to redo the website instead of actual feature development.

    1. Gannet

      Re: Business as Usual

      That's a little harsh, they've added a whole augmented reality rack view so you don't even have to look at the management console to see what's plugged into your switches.

      It's not like anyone actually uses layer 3 in production?

      Mine's the one with the inter-vlan ACL's in the pocket.

    2. -tim

      Re: Business as Usual

      Their dashboard has plenty of useless data. So the site downloaded 90 gb of data? Over what time frame as it isn't mentioned except in conflicting forum posts. Throw in a white text on black design mixed with black text on white for a nearly unreadable system and version specific chrome requirements make their web interface look amateurish. Their support forums tend to have their search engine optimization around the wrong way so looking for a problem will result in the 5 year old solution, not the current one. If they put google parseable dates in their metadata would fix that problem. One USG has dropped out 4 times in the last month requiring power resets. That was after replacing a unit that died more than a dozen times over the last few months and it usually happens in the wee hours of the morning. Being a "cloud" device, there is no viability into it and a serious lack of logs that can be pulled off it after a reboot. Someone needs to tell them about a watchdog feature. Their radios do tend to work well but the USG seems like a joke of a product and I'll be looking for a replacement if they can't find and fix the problem real soon as it isn't up to the task.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like