Ubiquiti Employee
UBNT-Matt
Posts: 5,286
Registered: ‎11-27-2007

AirOS Security Exploit -- Updated Firmware

Hi All,
Today we have discovered a vulnerability which may grant remote users administrative access to Ubiquiti equipment running AirOS v3/4 and AirOS v5 without requiring authentication.
We have quickly fixed this issue and released an updated firmware with this vulnerability patched.
You can find the updated firmware here:
ubnt.com/support/downloads
WARNING: Use custom firmware provided by other forum users at your own risk.
Affected versions:

  • 802.11 Products - AirOS v3.6.1/v4.0 (previous versions not affected)
  • AirMax Products - AirOS v5.x (all versions)

Updated versions are:

  • v4.0.1 - 802.11 ISP Products
  • v5.3.5 - AirMax ISP Products
  • v5.4.5 - AirSync Firmware

We recommend anyone with AirOS devices accessible publicly (via HTTP) to upgrade as soon as possible to prevent this exploit from happening.
If you have any questions or require previous versions of firmware, please email us (support@ubnt.com).
Edit: We have developed a tool to assist with the removal of the worm. For more information, see the following few posts.
Ubiquiti Employee
UBNT-Matt
Posts: 5,286
Registered: ‎11-27-2007

Re: AirOS Security Exploit -- Updated Firmware

Hi all,
There are two things here:

  1) A vulnerability with the http server, allowing users to bypass authentication and run commands.
  2) A worm that has been taking advantage of #1 to spread itself.

The new firmware will prevent #1, which also prevents #2.
If the worm has already presented itself, it will:

  • Rename admin.cgi to adm.cgi (you can check with web browser after logging in)
  • Create startup script in /etc/persistent (you can check by running ls -la /etc/persistent and looking for .skynet)

We are working on a patch now that will remove the worm, but here's how to do it manually:

  1) SSH into device
  2) cd /etc/persistent
  3) rm rc.poststart
  4) rm -rf .skynet
  5) cfgmtd -w -p /etc/
  6) reboot

This will not prevent the worm from coming back, you'll need the updated firmware to prevent this.
-Matt
Edit: Moved to beginning of thread
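The indicator checks and manual removal steps from the post above, combined into one script. This is an added example, not part of the original thread and not Ubiquiti's removal tool. The function names, the ROOT and WEBROOT arguments, and the test of whether rc.poststart mentions .skynet are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Ubiquiti's tool). ROOT is "" on the device itself, or the
# path of a copied/mounted filesystem. WEBROOT is an assumed, caller-supplied
# directory holding the web UI's CGI files; the post does not give its path.

# Print one line per indicator; return 1 if any was found, 0 if none.
skynet_indicators() {
    si_dir="$1/etc/persistent"
    si_web="${2:-}"
    si_found=0
    if [ -e "$si_dir/.skynet" ]; then
        echo "worm-dir $si_dir/.skynet"
        si_found=1
    fi
    if [ -f "$si_dir/rc.poststart" ]; then
        # Assumption: a worm-written startup script mentions .skynet; any
        # other rc.poststart is flagged for review before it is deleted.
        if grep -q '\.skynet' "$si_dir/rc.poststart"; then
            echo "worm-startup $si_dir/rc.poststart"
        else
            echo "review-startup $si_dir/rc.poststart"
        fi
        si_found=1
    fi
    if [ -n "$si_web" ] && [ -e "$si_web/adm.cgi" ] && [ ! -e "$si_web/admin.cgi" ]; then
        echo "cgi-renamed $si_web/adm.cgi"
        si_found=1
    fi
    return "$si_found"
}

# Apply the post's removal steps under ROOT. As in the post, rc.poststart is
# deleted even if it was only flagged for review above.
skynet_cure() {
    rm -f "$1/etc/persistent/rc.poststart"
    rm -rf "$1/etc/persistent/.skynet"
    # Only on the live device: run the post's cfgmtd step to save the cleaned
    # /etc/persistent, then reboot.
    if [ -z "$1" ] && command -v cfgmtd >/dev/null 2>&1; then
        cfgmtd -w -p /etc/ && reboot
    fi
}

case "${1:-}" in
    check) skynet_indicators "${2:-}" "${3:-}" ;;
    cure)  skynet_cure "${2:-}" ;;
esac
```

A clean result only says the files are gone; as the post states, the device stays exposed to reinfection until the updated firmware is installed.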
    Ubiquiti Employee
    UBNT-Matt
    Posts: 5,286
    Registered: 11-27-2007

    Re: AirOS Security Exploit -- Updated Firmware

    We have developed a tool to assist with removing / patching devices for anyone that may be infected with the worm. This will remove any occurrences of the worm, and if desired, will automatically update the firmware.
    The tool may be found here:
    http://dl.ubnt.com/XN-fw-internal/tools/CureSkynetMalware-0.4.jar
    MD5 (CureSkynetMalware-0.4.jar) = 9310926b691b7f95e0ba2c973a5d09c2
    WARNING: Use Skynet removal tools provided by others (via e-mail, downloaded from an unofficial ubnt.com website, etc.) at your own risk, and be aware that they may be a new virus.
    Here is sample usage:
    $ java -jar CureSkynetMalware.jar
    Possible formats for IP(s):
    IP <192.168.1.1>
    IP list <192.168.1.1, 192.168.1.2>
    IP range <192.168.1.1-192.168.1.254>
    Enter IP(s): 10.100.10.2-10.100.10.3
    Possible actions:
    Check
    Check and Cure
    Check, Cure and Update
    Enter action <1|2|3>: 2
    Enter ssh port : 22
    Enter user name: ubnt
    Reuse password : y
    Processing ubnt@10.100.10.2:22 ...
    Password for ubnt@10.100.10.2:
    Checking...

    This will work for both v4 and v5 firmware versions. If you have any questions, please let us know.
    EDIT - Updated to v0.4 version, which fixed an issue when upgrading devices that causes them to become unresponsive.
    Ubiquiti Employee
    UBNT-Matt
    Posts: 5,286
    Registered: ‎11-27-2007

    Re: AirOS Security Exploit -- Updated Firmware

    I can update them by AirControl, but cannot remove skynet one-by-one. Anyway: any sign of a mass remover?

    If the devices already have the worm, you can also mass fix them with AirControl:
    ubnt.com/wiki/AirControl#Execute.2FSchedule_Device_Operations
    1) In AirControl, select multiple devices
    2) Right click, and select Tasks/Operations
    3) Choose Execute Command
    4) In command field, type "rm /etc/persistent/rc.poststart; rm -rf /etc/persistent/.skynet; cfgmtd -w -p /etc/; reboot;" -- no quotes
    5) Click Done
    Edit: Moved to beginning of thread
    Ubiquiti Employee
    UBNT-Matt
    Posts: 5,286
    Registered: ‎11-27-2007

    Re: AirOS Security Exploit -- Updated Firmware

    Hi all,
    We've made an SDK patch which can be used with all previous versions of the SDK to fix this issue. You can find the patch here:

    www.ubnt.com/downloads/XN-fw-internal/tools/lighttpd-mod-airos-exploit-fix.patch

    Let us know if you have any questions,

    -Matt
    Regular Member
    sxpert
    Posts: 678
    Registered: ‎03-20-2008

    Re: AirOS Security Exploit -- Updated Firmware

    When will the SDK be available?
    Emerging Member
    midnight_man
    Posts: 71
    Registered: ‎04-17-2011

    Re: AirOS Security Exploit -- Updated Firmware

    fast work, thanks

    http://www.wi-telecom.sk
    Internet / Data Service Provider
    New Member
    Light
    Posts: 20
    Registered: ‎09-20-2009

    Re: AirOS Security Exploit -- Updated Firmware

    Hi,
    Is it also deleting the currently running skynet process?
    Thanks
    Jan
    Ubiquiti Employee
    UBNT-Edmundas
    Posts: 3,620
    Registered: ‎05-13-2009

    Re: AirOS Security Exploit -- Updated Firmware

    Hi,
    Is it also deleting the currently running skynet process?
    Thanks

    Jan


    It just prevents access to devices via that exploit. Tomorrow developers will prepare a tool to fix affected devices as well.

    -Edmundas
    Established Member
    rhauf
    Posts: 1,242
    Registered: ‎09-17-2010

    Re: AirOS Security Exploit -- Updated Firmware

    Thanks guys..
    I've been stressing on this all night.
    Upgrading flash now.
    Established Member
    treichhart
    Posts: 2,216
    Registered: ‎01-05-2010

    Re: AirOS Security Exploit -- Updated Firmware

    Will this security update be included in future firmware updates down the road?
    Ubiquiti Employee
    UBNT-Matt
    Posts: 5,286
    Registered: ‎11-27-2007

    Re: AirOS Security Exploit -- Updated Firmware

    Will this security update be included in future firmware updates down the road?


    Yes, this will be included in all future firmware versions.

    -Matt
    Established Member
    knightmb
    Posts: 925
    Registered: ‎09-17-2010

    Re: AirOS Security Exploit -- Updated Firmware

    Thanks Ubnt Team, this was a very quick turn-around on the fix. Sorry the forum had to explode last night while everyone was asleep. But I have to give a tip of the hat to all the forum members because we all agreed to edit/censor our posts to prevent anyone else from getting quick information on how to exploit this until the Ubnt team had a chance to take a look at it.
    New Member
    noe
    Posts: 22
    Registered: ‎06-25-2010

    Re: AirOS Security Exploit -- Updated Firmware

    Matt, thank you for the quick answer.
    Regular Member
    luhiwu
    Posts: 336
    Registered: ‎11-21-2009

    Re: AirOS Security Exploit -- Updated Firmware

    Version number seems to be 5.3.5. with the dot at the end, just reporting it for cosmetic fix.
    Member
    milank
    Posts: 105
    Registered: ‎11-21-2008

    It works.

    I confirm...

    Will you, please, publish at least a patch file? We shouldn't be left waiting for an SDK as this patch is important for all your customers making use of any recent SDK...
    Established Member
    treichhart
    Posts: 2,216
    Registered: ‎01-05-2010

    Re: AirOS Security Exploit -- Updated Firmware

    Well, the exploit is still on a website, don't forget that. The owner of the website needs to take the information off of his website.


    Thanks Ubnt Team, this was a very quick turn-around on the fix. Sorry the forum had to explode last night while everyone was asleep. But I have to give a tip of the hat to all the forum members because we all agreed to edit/censor our posts to prevent anyone else from getting quick information on how to exploit this until the Ubnt team had a chance to take a look at it.
    Ubiquiti Employee
    UBNT-Edmundas
    Posts: 3,620
    Registered: ‎05-13-2009

    Re: AirOS Security Exploit -- Updated Firmware

    Well, the exploit is still on a website, don't forget that. The owner of the website needs to take the information off of his website.


    We were in contact with the author and website administrator/owner, but he doesn't want to take it out or at least delete some parts, which explain how it works and remove the exploit itself... So we are doing everything to help you all to protect your network devices from it.

    -Edmundas
    Emerging Member
    midnight_man
    Posts: 71
    Registered: ‎04-17-2011

    Re: AirOS Security Exploit -- Updated Firmware

    I hope this was the last security problem. It messed up my pretty day...

    http://www.wi-telecom.sk
    Internet / Data Service Provider
    Emerging Member
    lukic
    Posts: 43
    Registered: ‎06-28-2008

    Re: AirOS Security Exploit -- Updated Firmware

    I would like to ask what you did for the last 14 days, because according to (server, where the exploit was published), you were contacted 14 days ago. I would like to appeal to EVERYBODY to upgrade, not only those who have devices accessible publicly. No one can be sure that a customer does not connect something unsecured to his CPE and share his access publicly.