Ubiquiti Major Exploit AirOS v3.6.1/v4.0/v5.x
Affected versions:
802.11 Products – AirOS v3.6.1/v4.0 (previous versions not affected)
AirMax Products – AirOS v5.x (all versions)
Updated versions are:
v4.0.1 – 802.11 ISP Products
v5.3.5 – AirMax ISP Products
v5.4.5 – AirSync Firmware
Apparently there is a confirmed exploit that is installing botnet software on affected devices. If your devices are publicly accessible and have the versions listed installed, UPDATE NOW!
Link to the official forum post.
Link to the update site.
In the meantime, here are some firewall rules that will protect your radios until you can get them updated. These are designed for Mikrotik routers…because what else would you be using as your border router? (This is designed to run at your internet border.) The exploit appears to be a flaw in the admin.cgi file (CORRECTION…IT IS ALL PAGES SO WE WILL BLOCK ALL CGI). This is a Layer 7 protocol definition with an accompanying firewall rule that drops access to those files.
Layer7 Inspection:
/ip firewall layer7-protocol add name=ubnt-fix regexp="^.*\\.cgi.*\$"
Firewall Rule: (change in-interface to whatever your ISP interface is)
/ip firewall filter add action=drop chain=forward disabled=no src-address-list=!ubnt-admin-allow \
dst-port=80 in-interface=ether1 layer7-protocol=ubnt-fix protocol=tcp
Optional Bypass from specific addresses:
/ip firewall address-list add address=1.1.1.1 disabled=no list=ubnt-admin-allow
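To see what the three rules above actually let through, here is an added Python model of them (not code from the post or from Mikrotik): it applies the ubnt-fix regexp to the start of a TCP stream and then the forward-chain rule with its address-list bypass, over constructed HTTP requests. The 2 KiB inspection window, the DOTALL matching semantics and the sample addresses are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# The post's Layer7 regexp once the shell escaping ("^.*\\.cgi.*\$") is
# removed. With DOTALL it matches ".cgi" anywhere in the inspected bytes;
# that RouterOS behaves the same way is an assumption of this model.
UBNT_FIX = re.compile(r"^.*\.cgi.*$", re.DOTALL)
# Constructed stand-in for the ubnt-admin-allow address-list (the post
# uses 1.1.1.1 as its placeholder entry).
UBNT_ADMIN_ALLOW = [ip_network("1.1.1.1/32")]
# RouterOS only inspects the start of a connection; 2 KiB is a constructed limit.
INSPECT_BYTES = 2048

def layer7_matches(payload: bytes) -> bool:
    """True when the inspected start of a TCP stream matches ubnt-fix."""
    sample = payload[:INSPECT_BYTES].decode("latin-1")
    return UBNT_FIX.search(sample) is not None

def border_rule_drops(src_ip: str, in_iface: str, proto: str,
                      dst_port: int, payload: bytes) -> bool:
    """Model of the post's forward-chain rule: drop TCP/80 arriving on the ISP
    interface (ether1) when ubnt-fix matches, unless the source is allow-listed."""
    if proto != "tcp" or dst_port != 80 or in_iface != "ether1":
        return False
    if any(ip_address(src_ip) in net for net in UBNT_ADMIN_ALLOW):
        return False
    return layer7_matches(payload)

# Constructed sample requests, not captured traffic.
CGI_REQUEST = b"GET /admin.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
PLAIN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
# ".cgi" appears only in a header, not in the path: the regexp still fires.
REFERER_REQUEST = (b"GET /logo.png HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                   b"Referer: http://192.0.2.10/admin.cgi\r\n\r\n")

def demo() -> dict:
    """Evaluate the rule for a few constructed cases; returns name -> dropped."""
    isp, lan = "198.51.100.7", "ether2"
    return {
        "cgi_from_internet": border_rule_drops(isp, "ether1", "tcp", 80, CGI_REQUEST),
        "plain_from_internet": border_rule_drops(isp, "ether1", "tcp", 80, PLAIN_REQUEST),
        "cgi_from_allowlisted": border_rule_drops("1.1.1.1", "ether1", "tcp", 80, CGI_REQUEST),
        "cgi_from_lan_side": border_rule_drops(isp, lan, "tcp", 80, CGI_REQUEST),
        "referer_only": border_rule_drops(isp, "ether1", "tcp", 80, REFERER_REQUEST),
    }
```

The referer case shows the regexp keys on the substring wherever it appears in the inspected bytes, so a harmless request carrying ".cgi" in a header is dropped too. Traffic on other ports or inside TLS is never inspected by this rule.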
Thanks for the heads up JJ.
***Fix from the UBNT Forum***
Originally Posted by UBNT-Matt
If the devices already have the worm, you can also mass fix them with AirControl:
http://ubnt.com/wiki/AirControl#Exec…ice_Operations
1) In AirControl, select multiple devices
2) Right click, and select Tasks/Operations
3) Choose Execute Command
4) In command field, type “rm /etc/persistent/rc.poststart; rm -rf /etc/persistent/.skynet; cfgmtd -w -p /etc/; reboot;” — no quotes
5) Click Done
*******************************
I was the one who tipped off James about this issue because last night the ubnt forum blew up on this security breach.
@Tim
Thanks for cluing us in sir! I found out about it only about 25 minutes before I made the post…I’d love to get a heads up next time too 😉
Does anyone have the source or the files that install the exploit? Reading the post on the ubnt forum, it seems to be a worm, right?
Log in with ssh…
rm /etc/persistent/rc.poststart
rm -rf .skynet
save
reboot
And rename adm.cgi for admin.cgi…
Greetz From Chile
It appears the AirCams are also affected… tested on v1.1 this morning.
Thanks, but the regexp seems not to work (ROS 5.x).
We use DST-ADDRESS or a DST-Address list:
/ip firewall filter
add action=drop chain=forward disabled=no src-address-list=!ubnt-admin-allow \
dst-port=80 in-interface=ether1 dst-address-list=block-ubnt-admin protocol=tcp
or
/ip firewall filter
add action=drop chain=forward disabled=no src-address-list=!ubnt-admin-allow \
dst-port=80 in-interface=ether1 dst-address=x.y.v.w/z protocol=tcp
greetings!!!
@Axel
Indeed sir, a straight firewall block of port 80 traffic would be simple, but too easy 😉 The regex should block CGI access while allowing other web traffic. How was it affecting your traffic?
@Daniel
Thanks for the update sir!
@Freddy
Thank you sir.
@Riccardo
I know it is out there, but I won’t link to it. I try not to give direct access to exploit code. 🙂