UniFi OS Server, which UniFi is phasing in as the replacement for the standalone Network Controller, can now be deployed in Docker/Kubernetes environments through a project by lemker. The security-relevant change is that UniFi OS Server can run in an unprivileged container; earlier versions required a privileged container because systemd had to run inside it. The unprivileged setup reduces the risks associated with privileged containers, but it still requires careful configuration and monitoring. Recent updates add multi-architecture support (amd64/arm64), so the deployment runs on a wider range of hardware. Engineers and sysadmins must still follow container security practices to prevent unauthorized access or exploitation of misconfigurations.
- UniFi OS Server
- Update to the latest version of UniFi OS Server, using the Docker Compose example as the reference deployment.
- Ensure the container runs in unprivileged mode, which the recent updates make possible.
- Review and secure configuration files such as docker-compose.yml for specific mount points and cgroup settings.
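A small audit of the settings the list above says to review, as an added example that is not part of the original page or of lemker's project. It reads the JSON form of a resolved Compose config (what `docker compose config --format json` prints) and flags privileged mode, risky capabilities and sensitive host bind mounts; the embedded sample config, service names and image tags are constructed.

```python
"""Flag privileged mode, risky capabilities and sensitive host mounts in a
resolved Docker Compose config (JSON form). Example only; the sample config
below is constructed and is not lemker's compose file."""
import json

# Host paths that an application container should never bind-mount.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/", "/proc", "/sys")
# Capabilities that give near-privileged access when added.
RISKY_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE"}


def audit_service(name, svc):
    """Return a list of human-readable findings for one compose service."""
    findings = []
    if svc.get("privileged"):
        findings.append(f"{name}: privileged: true (full host access)")
    for cap in svc.get("cap_add", []):
        if cap.upper() in RISKY_CAPS:
            findings.append(f"{name}: cap_add {cap}")
    for vol in svc.get("volumes", []):
        if vol.get("type") != "bind":          # named volumes are fine
            continue
        src = vol.get("source", "")
        writable = not vol.get("read_only", False)
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"{name}: bind mount of {src}")
        elif src.startswith("/sys/fs/cgroup") and writable:
            # systemd-in-container setups often need this; confirm it is required.
            findings.append(f"{name}: writable cgroup mount {src}; confirm it is required")
    return findings


def audit_compose(config_json):
    """Audit every service in a `docker compose config --format json` document."""
    cfg = json.loads(config_json)
    findings = []
    for name, svc in cfg.get("services", {}).items():
        findings.extend(audit_service(name, svc))
    return findings


SAMPLE_CONFIG = json.dumps({  # constructed sample: one legacy and one hardened service
    "services": {
        "unifi-legacy": {"image": "example/unifi-os-server:old", "privileged": True,
                         "volumes": [{"type": "bind", "source": "/sys/fs/cgroup",
                                      "target": "/sys/fs/cgroup"}]},
        "unifi": {"image": "example/unifi-os-server:new", "cap_add": ["NET_BIND_SERVICE"],
                  "volumes": [{"type": "bind", "source": "/srv/unifi", "target": "/data"}]},
    }
})

if __name__ == "__main__":
    for line in audit_compose(SAMPLE_CONFIG):
        print(line)
```

Pipe a real deployment through it with `docker compose config --format json | python3 audit.py` after replacing SAMPLE_CONFIG with `sys.stdin.read()`.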
Impact is moderate on homelab stacks using Docker/Kubernetes. Ensure that any UniFi OS Server deployment uses the latest Docker Compose file, focusing on unprivileged container configurations.