New Member
Posts: 31
Registered: ‎10-29-2015
Kudos: 13

Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

It's been known since at least the beginning of Feb that Ubiquiti devices are vulnerable to a new attack vector.

So it turns out the hackers can use a Ubiquiti device on port 10001 to do this attack.

Seems like many Ubiquiti routers (Steve Gibson/Security Now) have already had firmware mods that indicate they have been reprogrammed - could this be something beyond this latest vulnerability?

It's easy to do this attack just by spoofing port 10001 UDP packets!

Why have I never received a security ALERT email from Ubiquiti about these things?

Why isn't something like this pinned in the community chat?

What is the news on the patch for this?

What is the mitigation in the meantime?

What devices does it affect exactly?

https://www.zdnet.com/article/over-485000-ubiquiti-devices-vulnerable-to-new-attack/

https://www.youtube.com/watch?v=4EjssM5egwY

Security Now with Steve Gibson (Episode:700 and Counting!)

at time of 1hr13min20sec they discuss this hack.

Senior Member
Posts: 3,065
Registered: ‎04-26-2016
Kudos: 1201
Solutions: 313

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

May I suggest you do a search for this topic in this community first before starting a new one? No need to redo the whole discussion again.

New Member
Posts: 31
Registered: ‎10-29-2015
Kudos: 13

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

I did! Can you provide a link please as I looked again and can only find old information about an attack last year.

New Member
Posts: 31
Registered: ‎10-29-2015
Kudos: 13

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

And it doesn't change my point that there are no Alerts sent out to Ubiquiti clients or a pinned Post about this.

Or was there and I just didn't get it and I can't see the pinned post.

Senior Member
Posts: 3,065
Registered: ‎04-26-2016
Kudos: 1201
Solutions: 313

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

That's because for Unifi this was already fixed in 2017. So there is nothing "new" about this.

The article only proves that a lot of people do not update their devices and are exposing the admin interface of their devices to the open internet, which they shouldn't.

New Member
Posts: 31
Registered: ‎10-29-2015
Kudos: 13

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

So all the news articles that are coming out about this are wrong and it's all old from 2017?

https://blog.rapid7.com/2019/02/01/ubiquiti-discovery-service-exposures/

New Member
Posts: 31
Registered: ‎10-29-2015
Kudos: 13

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

So if this really is old.. how long does it take to FIX - years for a vulnerability?

Read the Twitter link:

https://twitter.com/troutman/status/1090212243197870081

Source of all this - 29th January 2019 ?????

Heads up! Ubiquiti networks devices are being remotely exploited, via port 10001 discovery service. Results in loss of device management, also being used as a weak UDP DDoS amplification attack: 56 bytes in, 206 bytes out.

#UBNT #Ubiquiti #IoTSecurity #DDoS

3:37 am - 29 Jan 2019


@troutman
Jan 29
Exploit reports going back to July of 2018, UBNT has not issued any official alerts or fixes yet, ~755k exposed UBNT devices in Shodan. Remediation method appears to be blocking UDP/TCP 10001 at your border and rebooting devices, but this can break IPSec VPN NAT traversal.

Then Ubiquiti says on the 29th Jan 2019:

Ubiquiti Networks - ‏Verified account
@user12345567
Jan 29
Replying to @troutman
Hi Jim, this is a known issue, and does not allow an attacker to gain control of the network. Please block port 10001 at the network perimeter for the time being. We are working on a permanent fix for this issue in an upcoming firmware release. Thank you.



@gonzopancho
Replying to @troutman
I love how they fail to acknowledge a problem.

Senior Member
Posts: 3,065
Registered: ‎04-26-2016
Kudos: 1201
Solutions: 313

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

It is just one article that everyone is copying.

If you use Unifi and are using firmware 3.7.58 or newer there is nothing to worry about.

New Member
Posts: 31
Registered: ‎10-29-2015
Kudos: 13

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

If it's already fixed why does Ubiquiti say this a few days ago?

Ubiquiti Networks - ‏Verified account
@ubnt
Jan 29
Replying to @troutman
Hi Jim, this is a known issue, and does not allow an attacker to gain control of the network. Please block port 10001 at the network perimeter for the time being. We are working on a permanent fix for this issue in an upcoming firmware release. Thank you.

New Member
Posts: 31
Registered: ‎10-29-2015
Kudos: 13

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

Maybe UniFi has a patch but nothing else.

Would still like to confirm this with my own tests.

Member
Posts: 121
Registered: ‎09-17-2018
Kudos: 34
Solutions: 13

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

This topic came up (again) last week (see https://community.ubnt.com/t5/UniFi-Routing-Switching/Ubiquiti-Discovery-Protocol-Information-Disclo... ).

However, as also mentioned in the linked thread, the underlying flaw was patched in late 2016/early 2017 (correct me if I'm wrong). If you look closely into your linked rapid7 article (meaning: more than just the title!) you can easily convince yourself that only about 500 of the 500.000 devices are UniFi products (and none of them are gateways).

New Member
Posts: 31
Registered: ‎10-29-2015
Kudos: 13

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

And it's still shocking that it's taken ages to fix and where are all the security alerts to clients?

Where is Ubiquiti's website explaining all this, listing all products and what to do about it?

Member
Posts: 121
Registered: ‎09-17-2018
Kudos: 34
Solutions: 13

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

To my, admittedly limited, knowledge, all UBNT products received Firmware Updates since then. In my understanding of responsible network administration it's the job of the admin to keep their equipment up-to-date. Using a _years_ outdated patchlevel isn't UBNT's fault.

Further, as also noted in all of the mentioned articles, the security flaw isn't critical. You're not getting compromised or something. It's an attack vector targeting UBNT products as amplifiers to DDoS attacks to some third entity. The owner of the outdated UBNT product might have problems with availability (dropped VPN connections), but neither integrity nor confidentiality are touched.

Member
Posts: 136
Registered: ‎11-20-2018
Kudos: 20
Solutions: 5

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)


@adminsupport wrote:

And it doesn't change my point that there are no Alerts sent out to Ubiquiti clients or a pinned Post about this.

Or was there and I just didn't get it and I can't see the pinned post.


If someone has products installed with exposed ports, then they are misconfigured to start with - sending an alert to customers that have opted to expose ports to the internet will not help.

In the other thread, the unifi rep makes it clear that a device will not respond out the WAN port to a UDP packet on this port:

"if you opened up 10001 on your WAN_LOCAL rules. It would just be ignored. "

So you need to look at the vulnerability in context (this is the part about risk management). The exploit relies on unadopted devices with 10001 open - easy enough to mitigate right? Even the Rapid7 blog says their test was on a "mostly default device" - what does that mean?

There is a pinned post in the airmax forum https://community.ubnt.com/t5/airMAX-General-Discussion/airOS-airMAX-and-management-access/td-p/2654...

Member
Posts: 136
Registered: ‎11-20-2018
Kudos: 20
Solutions: 5

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

And the end of the Rapid7 article says:

Rapid7 suggests that all affected entities audit their external exposure for these devices and restrict or control access to this service as appropriate, which could include firewall or ACL rules, or disabling the affected service using recommendations from Ubiquiti.

Note that they are referencing a UBNT post from 2013.

And by recommending limiting external exposure this really does lump this into a low risk vulnerability.
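
Added example (not part of any post in this thread, and not Ubiquiti or Rapid7 code): one way to run the external-exposure audit recommended above over border flow records. The CSV layout, the LOCAL_NETS prefixes and the sample flows are assumptions constructed for illustration; the 56-byte probe and 206-byte reply sizes are the figures quoted earlier in the thread.

```python
import csv
import io
import ipaddress
from collections import defaultdict

DISCOVERY_PORT = 10001  # discovery service port discussed in the thread

# Assumption: prefixes the operator owns (documentation and private ranges here).
LOCAL_NETS = ["203.0.113.0/24", "10.0.0.0/8"]

# Constructed flow records, not real traffic: ts,src,sport,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
1548732000,198.51.100.7,40000,203.0.113.10,10001,udp,56
1548732000,203.0.113.10,10001,198.51.100.7,40000,udp,206
1548732005,198.51.100.7,40001,203.0.113.10,10001,udp,56
1548732005,203.0.113.10,10001,198.51.100.7,40001,udp,206
1548732010,198.51.100.9,41000,203.0.113.11,10001,udp,56
1548732020,10.0.0.5,42000,10.0.0.20,10001,udp,56
1548732020,10.0.0.20,10001,10.0.0.5,42000,udp,206
1548732030,198.51.100.7,43000,203.0.113.10,443,tcp,1200
"""

def audit_discovery_exposure(flow_csv, local_nets):
    """Report local devices probed on UDP/10001 from outside and whether they replied."""
    nets = [ipaddress.ip_network(n) for n in local_nets]

    def is_local(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    stats = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0})
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 7 or row[5] != "udp":
            continue  # skip blank/malformed lines and non-UDP flows
        _, src, sport, dst, dport, _, nbytes = row
        if int(dport) == DISCOVERY_PORT and is_local(dst) and not is_local(src):
            stats[dst]["bytes_in"] += int(nbytes)    # probe crossing the border
        elif int(sport) == DISCOVERY_PORT and is_local(src) and not is_local(dst):
            stats[src]["bytes_out"] += int(nbytes)   # reply leaving the border

    report = {}
    for device, s in stats.items():
        ratio = round(s["bytes_out"] / s["bytes_in"], 2) if s["bytes_in"] else None
        status = "responding" if s["bytes_out"] else "probed-no-reply"
        report[device] = {**s, "ratio": ratio, "status": status}
    return report

if __name__ == "__main__":
    for device, info in sorted(audit_discovery_exposure(SAMPLE_FLOWS, LOCAL_NETS).items()):
        print(device, info)
```

A device listed as responding still answers discovery from outside and is a candidate for the perimeter block on 10001 mentioned in the thread; LAN-only discovery traffic is deliberately left out of the report.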

New Member
Posts: 36
Registered: ‎03-02-2016
Kudos: 21
Solutions: 1

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

I was wondering about this too. I just saw the video about this on Security Now. https://www.youtube.com/watch?v=u5YuzpVQL8M

With all the patches recently was this patch included?

New Member
Posts: 1
Registered: ‎01-28-2019

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

Yeah I’m here too because of that YouTube video. Has anything been done yet to fix this security flaw?

Member
Posts: 121
Registered: ‎09-17-2018
Kudos: 34
Solutions: 13

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

There was a thread on this a couple of weeks ago that got answers for your questions: https://community.ubnt.com/t5/UniFi-Routing-Switching/Hack-Attack-Port-10001-UDP-485000-Ubiquiti-dev...

New Member
Posts: 5
Registered: ‎01-16-2018
Kudos: 1

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

The link you posted is a link to this thread?

Member
Posts: 121
Registered: ‎09-17-2018
Kudos: 34
Solutions: 13

Re: Hack Attack Port 10001 UDP - 485000 Ubiquiti devices vulnerable to new attack exploit (2019)

Exactly!

"Why?" you may ask... Well, the answer _is given_ in the same thread this guy was posting his question (and maybe never came back to look for answers). It's the more subtle form of "Why the hack are you re-posting the same question as the thread title, without reading the actual responses?"