Dec 19 / Greg

Ubiquiti Major Exploit AirOS v3.6.1/v4.0/v5.x

Affected versions:
802.11 Products – AirOS v3.6.1/v4.0 (previous versions not affected)
AirMax Products – AirOS v5.x (all versions)
Updated versions are
v4.0.1 – 802.11 ISP Products
v5.3.5 – AirMax ISP Products
v5.4.5 – AirSync Firmware

Apparently there is a confirmed exploit that is installing botnet software on affected devices. If your devices are publicly accessible and have the versions listed installed, UPDATE NOW!

Link to the official forum post.
Link to the update site.

In the meantime, here are some firewall rules that will protect your radios until you can get them updated. These are designed for Mikrotik routers… because what else would you be using as your border router? (They are designed to run at your internet border.) The exploit appears to be a flaw in the admin.cgi file (CORRECTION… IT IS ALL PAGES, SO WE WILL BLOCK ALL CGI). This is a layer 7 matcher with an accompanying firewall rule that drops access to those CGI files.

Layer7 Inspection:

/ip firewall layer7-protocol
add name=ubnt-fix regexp="^.*\\.cgi.*\$"

Firewall Rule: (change in-interface to whatever your ISP interface is)

/ip firewall filter
add action=drop chain=forward disabled=no src-address-list=!ubnt-admin-allow \
    dst-port=80 in-interface=ether1 layer7-protocol=ubnt-fix protocol=tcp

Optional Bypass from specific addresses:

/ip firewall address-list
add address=1.1.1.1 disabled=no list=ubnt-admin-allow
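To see what the ubnt-fix matcher actually catches before putting it on a border router, here is an added example (not from the original post and not a MikroTik tool) that applies the same regexp to constructed HTTP request lines with grep. RouterOS stores the expression as ^.*\.cgi.*$ once the script escaping (\\. and \$) is removed, and layer7 matching is case-insensitive, so grep runs with -i. The sample request lines are made up for the demonstration, not captured traffic, and line-oriented grep is an approximation of the stream matching RouterOS does on the first packets of a connection.

```shell
#!/bin/sh
# Added example, not code from the original post: offline check of which
# HTTP request lines the "ubnt-fix" layer7 regexp would match.
# Same expression as the post's rule, with the RouterOS escaping removed.
UBNT_FIX_RE='^.*\.cgi.*$'

# matches_ubnt_fix LINE : exit 0 if the layer7 regexp would match LINE
# (-i because RouterOS layer7 matching is case-insensitive)
matches_ubnt_fix() {
    printf '%s\n' "$1" | grep -Eqi "$UBNT_FIX_RE"
}

# sample_requests : constructed request lines, one per line (not captured traffic)
sample_requests() {
    cat <<'EOF'
GET /admin.cgi?action=status HTTP/1.1
POST /login.cgi HTTP/1.1
GET /ADMIN.CGI HTTP/1.1
GET /index.html HTTP/1.1
GET /images/logo.png HTTP/1.1
GET /cgi-bin/status HTTP/1.1
EOF
}

# count_dropped : how many of the sample lines the rule would drop
count_dropped() {
    sample_requests | grep -Eic "$UBNT_FIX_RE"
}

# report : print DROP/PASS for each sample line so the effect is visible
report() {
    sample_requests | while IFS= read -r line; do
        if matches_ubnt_fix "$line"; then
            printf 'DROP  %s\n' "$line"
        else
            printf 'PASS  %s\n' "$line"
        fi
    done
}

report
printf 'dropped %s of 6 sample requests\n' "$(count_dropped)"
```

Two things worth knowing when you deploy this: the rule is on chain=forward, so it protects radios behind the router rather than the router's own web interface, and layer7 inspects the collected start of the TCP stream, so ".cgi" appearing anywhere there (a Referer header, a query string) drops the connection, while a path such as /cgi-bin/status without ".cgi" passes.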

Thanks for the heads up JJ.

***Fix from the UBNT Forum***
Originally Posted by UBNT-Matt
If the devices already have the worm, you can also mass fix them with AirControl:

http://ubnt.com/wiki/AirControl#Exec…ice_Operations
1) In AirControl, select multiple devices
2) Right click, and select Tasks/Operations
3) Choose Execute Command
4) In command field, type “rm /etc/persistent/rc.poststart; rm -rf /etc/persistent/.skynet; cfgmtd -w -p /etc/; reboot;” — no quotes
5) Click Done
*******************************
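The AirControl command above removes two persistence artifacts and then writes the config and reboots. As an added example (not from the post, not from Ubiquiti), the script below separates that into a check you can run before touching anything and a cleanup step, both taking a filesystem root so they can be exercised on a scratch directory instead of a live radio. The artifact paths are the ones named in the fix; the scratch tree built in demo is constructed for the illustration. The "cfgmtd -w -p /etc/; reboot" part of the fix still has to be run on the device itself and is not executed here.

```shell
#!/bin/sh
# Added example, not code from the original post or from Ubiquiti: check a
# filesystem root for the two artifacts named in the UBNT fix and remove them.
# ROOT is "/" on a radio; the demo and tests use a scratch directory.

# is_infected ROOT : exit 0 if either artifact exists under ROOT
is_infected() {
    root=${1:-}
    [ -e "$root/etc/persistent/rc.poststart" ] || [ -e "$root/etc/persistent/.skynet" ]
}

# list_artifacts ROOT : print each artifact that is present, for review
# before removal (an intentional rc.poststart would show up here too)
list_artifacts() {
    root=${1:-}
    for p in "$root/etc/persistent/rc.poststart" "$root/etc/persistent/.skynet"; do
        [ -e "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# clean_artifacts ROOT : remove both artifacts, as the UBNT command does.
# Writing the config (cfgmtd -w -p /etc/) and rebooting are left to the device.
clean_artifacts() {
    root=${1:-}
    rm -f "$root/etc/persistent/rc.poststart"
    rm -rf "$root/etc/persistent/.skynet"
}

# demo : exercise the functions on a constructed scratch tree (no real device)
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/etc/persistent/.skynet"
    # constructed stand-in for the worm's start script, not the real one
    printf '#!/bin/sh\n# placeholder\n' > "$scratch/etc/persistent/rc.poststart"
    printf 'before: %s artifact(s)\n' "$(list_artifacts "$scratch" | wc -l)"
    list_artifacts "$scratch"
    clean_artifacts "$scratch"
    printf 'after:  %s artifact(s)\n' "$(list_artifacts "$scratch" | wc -l)"
    rm -rf "$scratch"
}

demo
```

On a radio, run list_artifacts / first: rc.poststart is also the hook AirOS users put their own startup scripts in, so if you had one on purpose, save a copy before clean_artifacts removes it along with the worm's version.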

10 Comments

  1. Tim Reichhart / Dec 19 2011

    I was the one who tipped off James about this issue because last night the ubnt forum blew up on this security breach.

  2. Greg / Dec 19 2011

    @Tim
    Thanks for cluing us in sir! I found out about it only about 25 minutes before I made the post…I’d love to get a heads up next time too 😉

  3. Riccardo Giuntoli / Dec 20 2011

    Does anyone have the source or the files that install the exploit? Reading the post on the ubnt forum, it seems to be a worm, right?

  4. freddyx / Dec 20 2011

    login with ssh…

    rm /etc/persistent/rc.poststart
    rm -rf .skynet
    save
    reboot

    And rename adm.cgi for admin.cgi ..

    Greetz From Chile

  5. Daniel Allin / Dec 20 2011

    It appears the AirCams are also affected… tested on v1.1 this morning.

  6. Axel / Dec 21 2011

    Thanks, but the regexp seems not to work (ROS 5.x).

    We use DST-ADDRESS or a DST-Address list:

    /ip firewall filter
    add action=drop chain=forward disabled=no src-address-list=!ubnt-admin-allow \
    dst-port=80 in-interface=ether1 dst-address-list=block-ubnt-admin protocol=tcp

    or

    /ip firewall filter
    add action=drop chain=forward disabled=no src-address-list=!ubnt-admin-allow \
    dst-port=80 in-interface=ether1 dst-address=x.y.v.w/z protocol=tcp

    greetings!!!

  7. Greg / Dec 21 2011

    @Axel
    Indeed sir, a straight firewall block of port 80 traffic would be simple, but too easy 😉 The regex should block CGI access while allowing other web traffic. How was it affecting your traffic?

  8. Greg / Dec 21 2011

    @Daniel
    Thanks for the update sir!

  9. Greg / Dec 21 2011

    @Freddy
    Thank you sir.

  10. Greg / Dec 21 2011

    @Riccardo
    I know it is out there, but I won’t link to it. I try not to give direct access to exploit code. 🙂
