A potential vulnerability in nearly 500,000 Ubiquiti devices is under active exploitation, according to security researchers.
The first warning came from researcher Jim Troutman, consultant and director of the Northern New England Neutral Internet Exchange (NNENIX), who tweeted:
Heads up! Ubiquiti networks devices are being remotely exploited, via port 10001 discovery service. Results in loss of device management, also being used as a weak UDP DDoS amplification attack: 56 bytes in, 206 bytes out. #UBNT #Ubiquiti #IoTSecurity #DDoS
— Jim Troutman (@troutman) January 29, 2019
Although Ubiquiti Networks was quick to respond that a "permanent fix" for this issue is in the works, other researchers have joined the chorus of concerns.
Hi Jim, this is a known issue, and does not allow an attacker to gain control of the network. Please block port 10001 at the network perimeter for the time being. We are working on a permanent fix for this issue in an upcoming firmware release. Thank you.
— Ubiquiti Networks (@ubnt) January 29, 2019
Researchers at Rapid 7 also commented on the issue, pointing out that the protocol suffers from well-documented UDP amplification vulnerabilities: "With such a large quantity of potentially vulnerable devices exposed, a DoS harnessing the available bandwidth and power of these systems could be used to conduct an attack in excess of 1Tbps, which is a crippling amount of traffic to all but the most fortified infrastructure."
The apparent vulnerability is in a service on 10001/UDP used for device discovery, which makes it easy to locate Ubiquiti devices in a managed environment, according to Rapid 7. It is this functionality that is being abused: a simple 4-byte message elicits a large response including the name, model, firmware version, IPs, MACs, and sometimes the ESSID if it is a wireless device.
"There has been some discussion lately about a bug in airOS which can result in management access to airOS devices becoming inoperable until these devices are rebooted. This issue appears to be caused by external access to airOS devices using port 10001. As a temporary workaround for this issue, while it is being investigated and resolved by the development team, network operators can block port 10001 at the network perimeter", said an official advisory published by Ubiquiti.
Matt Walmsley, EMEA director at Vectra, told SC Media UK: "Making device discovery ports and management interfaces available to public IP address ranges is never going to end well. This is an example of simplicity being traded against security, and in many cases, I suspect unknowingly so.
"Security architecture is as much to blame as the equipment manufacturer, if not more so. My advice would be to block access to your Ubiquiti devices from public IPs immediately, and if you’re really concerned, look for UDP port 10001 sweep reconnaissance behaviours inside your network from unexpected hosts. Whilst the currently accessible Ubiquiti devices visible on the internet could be used to build a DDoS attack, their performance (56 bytes in = 206 bytes out) per device isn’t that significant – there are easier and more efficient ways to build a DDoS engine."
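The two checks suggested above, looking for UDP/10001 sweep reconnaissance and for discovery replies that leave the perimeter, as an added Python example that is not part of the article or of any Rapid7 or Ubiquiti tool; the flow records and the internal address ranges are constructed for the example, and the 56-byte probe / 206-byte reply sizes are the figures quoted in the article.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

DISCOVERY_PORT = 10001   # Ubiquiti discovery service, UDP
SWEEP_THRESHOLD = 3      # distinct hosts probed by one source before we alert
# Assumption: the site's own address ranges (constructed for this example).
INTERNAL_NETS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]

# Constructed UDP flow records: "src_ip src_port dst_ip dst_port bytes".
SAMPLE_FLOWS = """\
198.51.100.7 40000 192.0.2.10 10001 56
198.51.100.7 40000 192.0.2.11 10001 56
198.51.100.7 40000 192.0.2.12 10001 56
192.0.2.10 10001 198.51.100.7 40000 206
192.0.2.11 10001 198.51.100.7 40000 206
192.0.2.12 10001 198.51.100.7 40000 206
10.0.0.5 51000 192.0.2.10 10001 56
192.0.2.10 10001 10.0.0.5 51000 206
"""

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse one flow per line into dicts with src, sport, dst, dport, bytes."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, sport, dst, dport, nbytes = line.split()
            flows.append({"src": src, "sport": int(sport), "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows

def find_sweeps(flows, threshold=SWEEP_THRESHOLD):
    """Sources probing >= threshold distinct hosts on UDP/10001 (sweep reconnaissance)."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] == DISCOVERY_PORT:
            targets[f["src"]].add(f["dst"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}

def find_amplification(flows):
    """Discovery replies crossing the perimeter: per external address, probe bytes in, reply bytes out, ratio."""
    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0})
    for f in flows:
        if f["dport"] == DISCOVERY_PORT and not is_internal(f["src"]):
            stats[f["src"]]["bytes_in"] += f["bytes"]      # probe arriving from outside
        elif f["sport"] == DISCOVERY_PORT and not is_internal(f["dst"]):
            stats[f["dst"]]["bytes_out"] += f["bytes"]     # reply leaving the perimeter
    return {ext: dict(s, amplification=round(s["bytes_out"] / s["bytes_in"], 2) if s["bytes_in"] else None)
            for ext, s in stats.items() if s["bytes_out"]}
```

With the sample flows, the external host is flagged for sweeping three devices and the three 206-byte replies to it add up to an amplification ratio of about 3.68 over the 56-byte probes, while the single internal-to-internal discovery exchange is not reported.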
Rapid7’s Sonar project was used to scan for vulnerable Ubiquiti devices, finding a total of 498,624 unique IPv4s with port 10001/UDP open, 487,021 unique IPv4s confirmed to be speaking this discovery protocol and 486,388 unique physical devices based on MAC address.
Geographically there were large concentrations in Brazil, followed by the United States and Spain.