New Member
Posts: 35
Registered: 10-23-2013
Kudos: 14

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

Management needs an easier way to be separated from the WAN interface, preferably as easy as EPMP.

Check a box.

Put in the Management IP address, Gateway, Subnet, optional VLAN - magic. No management features can be accessed via WAN, only via the management subnet.

If this existed I really doubt we would see the extent of problems due to client radios being exposed to the internet.

Veteran Member
Posts: 5,648
Registered: 07-03-2008
Kudos: 1766
Solutions: 137

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs


@UBNT-Mindas wrote:

@MimCom- I meant the "Multiple FIB tables and FIB rules" approach mentioned in the linked article.


Ya, that should be manageable as long as there is no dynamic routing involved.

I'm really looking forward to VRF support in EdgeOS (with OSPF and MPLS/VPLS), which forms the 'other half' of management plane separation.

Senior Member
Posts: 3,137
Registered: 07-17-2010
Kudos: 706
Solutions: 179

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs


@jnovak wrote:

Management needs an easier way to be separated from the WAN interface, preferably as easy as EPMP.

Check a box.

Put in the Management IP address, Gateway, Subnet, optional VLAN - magic. No management features can be accessed via WAN, only via the management subnet.

If this existed I really doubt we would see the extent of problems due to client radios being exposed to the internet.


@UBNT-SNK @UBNT-James @UBNT-Mindas

Ubiquiti Employee
Posts: 9,413
Registered: 04-14-2017
Kudos: 1763
Solutions: 271

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

Thanks for the suggestion.

SuperUser
Posts: 16,703
Registered: 06-23-2010
Kudos: 5273
Solutions: 78

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

I believe we are now seeing this: CPEs with public IP addresses. I was wondering why telemetry data was missing from the CPE connect lines on the AP (no name, firmware version, signal, etc.), just blank lines.

I blocked 10001 at the core routers and I'm seeing about 20 attempts per second.

WHAT is port 10001
WHEN did port 10001 appear on these radios listening on the WAN interface
WHY is port 10001 answering to public IPs

and

WHY is connecting to 10001 with an improper / unclosed disconnect causing memory issues on the devices?
HOW can this be fixed other than firewalling?
WHAT is being done to avoid releasing new ports out into the wild?
WHY is there no easy way to separate management/customer traffic?

Ubiquiti Employee
Posts: 9,413
Registered: 04-14-2017
Kudos: 1763
Solutions: 271

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@UBNT-Mindas @UBNT-Zy please post your latest updates on this one in this thread.

Veteran Member
Posts: 7,881
Registered: 04-21-2011
Kudos: 2742
Solutions: 172

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

Is "Discovery" enabled on those devices? We make sure Discovery is off on all devices. If something gets a worm, it tries to use discovery on the network to look for other devices to infect. This may not even have started with a UBNT device, but with discovery turned on, whatever it is can look for other devices to infect!

Ubiquiti Employee
Posts: 592
Registered: 12-21-2017
Kudos: 102
Solutions: 16

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

[ Edited ]

@mhoppes - thanks a lot for the report. Port 10001 is what is used for the discovery service.

Could you perhaps grab a pcap of those attempts to that port? Any information would help a lot.

Thank you.

SuperUser
Posts: 16,703
Registered: 06-23-2010
Kudos: 5273
Solutions: 78

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

I'll try -- but currently services are blocked at the core firewall.

SuperUser
Posts: 16,703
Registered: 06-23-2010
Kudos: 5273
Solutions: 78

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@UBNT-Mindas - I may be able to set up a honey pot device tomorrow if I have some time.

Ubiquiti Employee
Posts: 592
Registered: 12-21-2017
Kudos: 102
Solutions: 16

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@mhoppes - a honey pot would be very beneficial. Thank you, and let us know if anything comes up.

New Member
Posts: 35
Registered: 10-23-2013
Kudos: 14

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

[ Edited ]

@UBNT-SNK @UBNT-James @UBNT-Mindas

Who wants packet captures? Did anyone get them to you guys?

In my opinion, the traffic pattern appears to be more like an attempt at a DDoS amplification type attack. For every source packet of 56 bytes there is a 206-byte response, which I think is a fairly weak amplification, but the traffic for me comes in very large waves of 150k - 250k packets and then it stops, sometimes for several hours.

Joe 
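
A defender-side way to check the reading above against flow logs, as an added example (not from the thread and not Ubiquiti's code): it computes the bytes-out-per-byte-in reflection ratio for each address that queried UDP 10001 and flags the time windows where queries arrive in bursts rather than as a trickle. The record format and the sample addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records for illustration (not captures from the thread).
# Format: <epoch secs> <in|out> <src ip> <dst ip> <proto> <port> <bytes>
# "in" = a packet arriving at the CPE's WAN side, "out" = the CPE's reply.
SAMPLE_FLOWS = """
1000 in  203.0.113.10  198.51.100.20 udp 10001 56
1000 out 198.51.100.20 203.0.113.10  udp 10001 206
1000 in  203.0.113.10  198.51.100.21 udp 10001 56
1000 out 198.51.100.21 203.0.113.10  udp 10001 206
1001 in  203.0.113.10  198.51.100.20 udp 10001 56
1001 out 198.51.100.20 203.0.113.10  udp 10001 206
1005 in  192.0.2.7     198.51.100.20 tcp 443   60
1005 out 198.51.100.20 192.0.2.7     tcp 443   52
1200 in  203.0.113.10  198.51.100.21 udp 10001 56
1200 out 198.51.100.21 203.0.113.10  udp 10001 206
""".strip().splitlines()


def parse_flow(line):
    ts, direction, src, dst, proto, port, nbytes = line.split()
    return {"ts": int(ts), "dir": direction, "src": src, "dst": dst,
            "proto": proto, "port": int(port), "bytes": int(nbytes)}


def amplification_by_source(lines, port=10001):
    """Bytes the CPEs send back per byte received, keyed by the querying
    address. A ratio well above 1.0 means the discovery responder is being
    used as a reflector; 56 bytes in / 206 bytes out gives about 3.7."""
    req, resp = defaultdict(int), defaultdict(int)
    for f in map(parse_flow, lines):
        if f["proto"] != "udp" or f["port"] != port:
            continue
        if f["dir"] == "in":
            req[f["src"]] += f["bytes"]
        else:
            resp[f["dst"]] += f["bytes"]
    return {ip: resp[ip] / req[ip] for ip in req if req[ip]}


def find_waves(lines, port=10001, window=60, min_packets=3):
    """Start times (aligned to `window` seconds) of windows in which inbound
    packets to `port` reach min_packets: the burst-then-silence pattern
    described in the thread, as opposed to a steady trickle."""
    counts = defaultdict(int)
    for f in map(parse_flow, lines):
        if f["dir"] == "in" and f["proto"] == "udp" and f["port"] == port:
            counts[f["ts"] - f["ts"] % window] += 1
    return sorted(t for t, n in counts.items() if n >= min_packets)
```

On real exports, feed the lines from a NetFlow/sFlow or firewall log converter into the two functions and tune `window` and `min_packets` to the wave sizes you actually observe.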

Ubiquiti Employee
Posts: 592
Registered: 12-21-2017
Kudos: 102
Solutions: 16

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@jnovak - please send packet captures to: mindaugas.bernatavicius@ubnt.com if you have them. Also, I believe they could be publicly shared.

New Member
Posts: 35
Registered: 10-23-2013
Kudos: 14

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

I sent them your way!

Joe

Ubiquiti Employee
Posts: 592
Registered: 12-21-2017
Kudos: 102
Solutions: 16

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@jnovak - thank you.

New Member
Posts: 35
Registered: 10-23-2013
Kudos: 14

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

[ Edited ]

@jnovak wrote:

Management needs an easier way to be separated from the WAN interface, preferably as easy as EPMP.

Check a box.

Put in the Management IP address, Gateway, Subnet, optional VLAN - magic. No management features can be accessed via WAN, only via the management subnet.

If this existed I really doubt we would see the extent of problems due to client radios being exposed to the internet.

Blocking port 10001 is a bad idea if you have clients using IPSEC VPNs. Ask me how I know....

I further echo my cries for a better method to madness from UBNT.

@UBNT-SNK @UBNT-James @UBNT-Mindas

Ubiquiti Employee
Posts: 9,413
Registered: 04-14-2017
Kudos: 1763
Solutions: 271

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

We will discuss this one internally and see what we can do.

SuperUser
Posts: 16,703
Registered: 06-23-2010
Kudos: 5273
Solutions: 78

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@jnovak How do you know? 10001 is not a standard IPSEC VPN port.

But yeah -- these types of issues need to be better protected.... trying to move towards IPv6.... it's things like this that keep me up at night!

New Member
Posts: 35
Registered: 10-23-2013
Kudos: 14

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@mhoppes - https://support.symantec.com/en_US/article.TECH83419.html

When business customers are freaking out one at a time, you figure it out pretty quickly. No idea why many of them are utilizing a configuration like this by default; most of them have public IPs right on their VPN devices. However, I can see why home workers are utilizing it this way.

SuperUser
Posts: 16,703
Registered: 06-23-2010
Kudos: 5273
Solutions: 78

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@jnovak - wouldn't we be having issues then either way? Blocked, the traffic doesn't arrive. Not blocked, it goes to the radio instead of the end-user device.