Veteran Member
Posts: 5,376
Registered: ‎08-26-2009
Kudos: 1604
Solutions: 50

Re: 5.6.3 and 5.6.4 Vulnerability ?

Is your "private" network accessible from your hacked public radios? Not so private, eh?

 

Why is everyone using such weak passwords that these buffoons have hacked you?

 

This is really sad. I'm crying.

Ubiquiti Employee
Posts: 9,023
Registered: ‎11-27-2012
Kudos: 2569
Solutions: 574
Contributions: 73

Re: 5.6.3 and 5.6.4 Vulnerability ?


MLCraig wrote:

We do not have air control and we have been hacked as well. I need some assistance with stopping this. Not only were all our publicly accessible devices hit, so were the devices on our private network.


Do you know what firmware version these units are on?

Ubiquiti Networks airMAX Support Team

Check out our ever-evolving Help Center for answers to many common questions!

Emerging Member
Posts: 65
Registered: ‎09-26-2014
Kudos: 7
Solutions: 1

Re: 5.6.3 and 5.6.4 Vulnerability ?

[ Edited ]

I do not think it's a password issue, I'm not certain but it was probably a web server exploit.

 

Although hackers could get from hacked public radios to private ones, I don't think they would spend the time,

this seems like a fairly automated hack to me, because if a web port was changed the hack didn't happen,

it takes 20 seconds of work to figure out the new web port to exploit.

 

There's no reason to believe it had anything to do with AC1 or AC2, that was not the case,

in fact the exploiters didn't know about any AC1/AC2 public keys, otherwise they would remove them.

 

Member
Posts: 207
Registered: ‎07-06-2012
Kudos: 15

Re: 5.6.3 and 5.6.4 Vulnerability ?

Looks like we did have an old unused aircontrol instance on one of our computers that could see the private network and some of the public.

We have firmware ranging from 5.5.6 to 5.6.3, but currently 5.6.3 and 5.6.2 are not affected.

5.5.6, 5.5.7, 5.5.10 all affected.

Member
Posts: 207
Registered: ‎07-06-2012
Kudos: 15

Re: 5.6.3 and 5.6.4 Vulnerability ?

No, our private network is not accessible from our public radios.

Our password is not a simple one.

Veteran Member
Posts: 5,376
Registered: ‎08-26-2009
Kudos: 1604
Solutions: 50

Re: 5.6.3 and 5.6.4 Vulnerability ?


shock wrote:

I do not think it's a password issue, I'm not certain but it was probably a web server exploit. 


This is always a potential, and the primary reason that your admin interfaces on any network equipment should never be reachable from anything but your trusted management network.

Ubiquiti Employee
Posts: 9,023
Registered: ‎11-27-2012
Kudos: 2569
Solutions: 574
Contributions: 73

Re: 5.6.3 and 5.6.4 Vulnerability ?

@MLCraig  If any of these infected devices were managed by AC, we may have an option for you.

 

Anything prior to the following should be considered insecure.

 

5.5.11 XM/TI.

5.5.10u2 XW 

5.6.2 XW/XM/TI

 

There have been some additional security improvements in 5.6.3/4

Ubiquiti Networks airMAX Support Team

Check out our ever-evolving Help Center for answers to many common questions!
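
A fleet inventory can be triaged against the minimum versions listed in the post above. The following is an added example, not part of the original thread and not Ubiquiti code; the hostnames, the inventory format and the reading of the list (a platform-specific floor on the 5.5.x branch, 5.6.2 on the 5.6.x branch) are assumptions.

```python
import re

# Minimum versions per platform, taken from the post above. Assumption: the
# 5.5.x floor is platform-specific and the 5.6.x floor is 5.6.2 everywhere.
FLOORS = {
    "XM": {(5, 5): (11, 0), (5, 6): (2, 0)},
    "TI": {(5, 5): (11, 0), (5, 6): (2, 0)},
    "XW": {(5, 5): (10, 2), (5, 6): (2, 0)},
}
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:u(\d+))?$")

def parse_version(text):
    """'5.5.10u2' -> ((5, 5), (10, 2)); ValueError if it does not parse."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return (int(m[1]), int(m[2])), (int(m[3]), int(m[4] or 0))

def classify(platform, version):
    """Return 'below-minimum', 'meets-minimum' or 'unknown'."""
    floors = FLOORS.get(platform.upper())
    try:
        branch, build = parse_version(version)
    except ValueError:
        return "unknown"
    if floors is None:
        return "unknown"
    if branch in floors:
        return "below-minimum" if build < floors[branch] else "meets-minimum"
    # Branches older than every listed one are below the floor by definition.
    return "below-minimum" if branch < min(floors) else "meets-minimum"

def audit(inventory):
    """Map each device name to its classification."""
    return {name: classify(plat, ver) for name, plat, ver in inventory}

# Constructed inventory: hostnames are made up, versions are ones the thread mentions.
INVENTORY = [
    ("ap-tower-1", "XM", "5.5.6"),
    ("cpe-0012", "XM", "5.5.10"),
    ("cpe-0040", "XW", "5.5.10"),
    ("cpe-0041", "XW", "5.5.10u2"),
    ("ptp-north", "TI", "5.6.2"),
    ("cpe-0099", "XM", "5.6.4"),
    ("cpe-0100", "XM", "custom-build"),
]

if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name:12} {status}")
```

"meets-minimum" only orders the upgrade queue: other posters in this thread report exploited units on 5.6.3 and 5.6.4, so it is not a statement that a device is clean.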

Emerging Member
Posts: 65
Registered: ‎09-26-2014
Kudos: 7
Solutions: 1

Re: 5.6.3 and 5.6.4 Vulnerability ?


@MLCraig  If any of these infected devices were managed by AC, we may have an option for you. 

 

 

@UBNT-James I'm waiting for that option as well

 

We can get into our hacked radios from AC2 but no changes are possible, the radio freezes,

so waiting for a solution as to how to get the AC2 key, or run a custom command, etc.

 

Member
Posts: 207
Registered: ‎07-06-2012
Kudos: 15

Re: 5.6.3 and 5.6.4 Vulnerability ?

Sent you a PM, James.

Member
Posts: 207
Registered: ‎07-06-2012
Kudos: 15

Re: 5.6.3 and 5.6.4 Vulnerability ?


UBNT-James wrote:

@MLCraig  If any of these infected devices were managed by AC, we may have an option for you.

 

Anything prior to the following should be considered insecure.

 

5.5.11 XM/TI.

5.5.10u2 XW 

5.6.2 XW/XM/TI

 

There have been some additional security improvements in 5.6.3/4


The start of this thread says 5.6.3 and 5.6.4 are not safe either.

So what is the fix?

Member
Posts: 207
Registered: ‎07-06-2012
Kudos: 15

Re: 5.6.3 and 5.6.4 Vulnerability ?

I have a CRM but it is not installed.

 

Will using that help?

Emerging Member
Posts: 65
Registered: ‎09-26-2014
Kudos: 7
Solutions: 1

Re: 5.6.3 and 5.6.4 Vulnerability ?

We're not sure about the security of 5.6.3 and 5.6.4,

all I know is our 5.6.3 and 5.6.4 got exploited,

how it was done is not known yet.

 

Ubiquiti Employee
Posts: 9,023
Registered: ‎11-27-2012
Kudos: 2569
Solutions: 574
Contributions: 73

Re: 5.6.3 and 5.6.4 Vulnerability ?

[ Edited ]

MLCraig wrote:

UBNT-James wrote:

@MLCraig  If any of these infected devices were managed by AC, we may have an option for you.

 

Anything prior to the following should be considered insecure.

 

5.5.11 XM/TI.

5.5.10u2 XW 

5.6.2 XW/XM/TI

 

There have been some additional security improvements in 5.6.3/4


The start of this thread says 5.6.3 and 5.6.4 are not safe either.

So what is the fix?


We are actively investigating all possibilities.  One possibility is the device could have had a persistent backdoor that was installed on a previous version.

Ubiquiti Networks airMAX Support Team

Check out our ever-evolving Help Center for answers to many common questions!

New Member
Posts: 4
Registered: ‎05-13-2016

Re: 5.6.3 and 5.6.4 Vulnerability ?

I don't think so. We have about 600 exploited units and some of them were deployed with 5.6.4 software. They were unpacked from the box and upgraded by a technician before installation at the client site. And of course, they are exploited too.

Member
Posts: 176
Registered: ‎04-23-2014
Kudos: 61
Solutions: 19

Re: 5.6.3 and 5.6.4 Vulnerability ?

Do the devices running 5.6.4 use the same password as known vulnerable devices? Prior to 5.6.x passwords were hashed with crypt - 12-bit salt, maximum of 8 characters, so not impossible to brute-force with today's computing resources.

 

Ancient Member
Posts: 28,755
Registered: ‎05-05-2012
Kudos: 9073
Solutions: 1388

Re: 5.6.3 and 5.6.4 Vulnerability ?


tomw wrote:

Do the devices running 5.6.4 use the same password as known vulnerable devices?


That was my thought as well.  Attack the vulnerable to get the password and then use the password on the rest.

New Member
Posts: 4
Registered: ‎05-13-2016

Re: 5.6.3 and 5.6.4 Vulnerability ?

[ Edited ]

We use a unique password for each unit, created by a random generator. For example, the password from one of the exploited units is Xjzg3Da1c ... I mean, this is a relatively strong password?

SuperUser
Posts: 16,261
Registered: ‎06-23-2010
Kudos: 5132
Solutions: 76

Re: 5.6.3 and 5.6.4 Vulnerability ?

Is it possible the virus was lurking since earlier, just lying in wait?

New Member
Posts: 14
Registered: ‎02-28-2013
Kudos: 8

Re: 5.6.3 and 5.6.4 Vulnerability ?

Are you using aircontrol? Because one version of motherfXcker monitors (probably) aircontrol activities on exploited units....

New Member
Posts: 4
Registered: ‎05-13-2016

Re: 5.6.3 and 5.6.4 Vulnerability ?

At the present time we don't use AirControl. Maybe 2 years ago we tried it, but we had some problems with this, so we have left this way ...

 
