New Member
Posts: 39
Registered: 10-23-2013
Kudos: 14

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

I have two interfaces that enter the network; on those two interfaces I blocked UDP/TCP port 10001 incoming. The next day we started getting phone calls for odd VPN issues. I was on the phone with one of the customers, turned off the block and their IPSEC tunnel came up. It was getting stuck on phase 2 of authentication prior to that. Tested the same thing with a customer that works at a local bank - same results. I don't know the specifics of the protocol, but I do know I could reproduce a broken VPN several times over. @mhoppes
Emerging Member
Posts: 55
Registered: 11-01-2017
Kudos: 7

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

We are seeing a round of distributed scans/attacks on 10001 in our logs this morning. Someone is aware of how to exploit this and the attacks are increasing rapidly. Here is a snip of 1 second of the log file.

[Attachment: DiscoveryHits.PNG]
Ubiquiti Employee
Posts: 9,522
Registered: 04-14-2017
Kudos: 1770
Solutions: 272

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

Thanks for the additional info guys. I'd recommend configuring your firewalls accordingly and applying the usual internet connected device security measures, and we are looking at what we can do to address this for an upcoming release.
Ubiquiti Employee
Posts: 592
Registered: 12-21-2017
Kudos: 103
Solutions: 16

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

The port 10001 might be used for NAT traversal, please see: https://support.symantec.com/en_US/article.TECH83419.html

SuperUser
Posts: 16,703
Registered: 06-23-2010
Kudos: 5273
Solutions: 78

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@aaronjclark @UBNT-SNK The question still remains: what exactly is to be gained by this exploit and what is it exploiting?

@UBNT-SNK - When will we see separated management and data interfaces on these radios? There's no reason that management should be listening on the public IP addresses.
Emerging Member
Posts: 55
Registered: 11-01-2017
Kudos: 7

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@mhoppes, my best guess is that it's a UDP amplification attack used as part of a botnet for targeted DDoS attacks. Sending a small UDP packet to the devices on 10001 will return a much larger UDP response to whatever they report as the source address, in this case the address of the DDoS victim.

Ubiquiti Employee
Posts: 9,522
Registered: 04-14-2017
Kudos: 1770
Solutions: 272

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@mhoppes that has been discussed internally, but I can't comment on a date for it to be implemented.
SuperUser
Posts: 16,703
Registered: 06-23-2010
Kudos: 5273
Solutions: 78

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@UBNT-SNK This is encouraging... but really, this should be given high priority (I feel), like any other security issues found in the firmware, since really that's what it is.
New Member
Posts: 39
Registered: 10-23-2013
Kudos: 14

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs


@aaronjclark it's definitely what it seems like. A quick look at shodan.io shows almost 1 million Ubiquiti devices online, reachable via the public IP. As far as things go though it seems like a very weak amplification attack. Previous wide-scale amplification attacks averaged 1000+ bytes per 56-byte packet; spending 56 bytes to get 206 'seems' inefficient to me. Shodan seems to scrape all radio data, though. Like it's using discovery to fetch it.
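The two posts above describe the attack pattern from the defender's side: many CPEs receive a small UDP probe on 10001 that carries a spoofed source address, and each replies with a larger packet to that address. The following is an added example, not code from the thread or from Ubiquiti, showing how to spot that pattern in edge firewall logs: it counts how many distinct CPEs a single "source" address probes within a short window (the scan burst the logs in this thread show) and estimates the amplification factor from the bytes in versus bytes out. The log line format and the sample lines are constructed for the example; the 56-byte probe and 206-byte reply sizes are the ones quoted in the post above.

```python
"""Detect UDP/10001 probe bursts and estimate amplification from firewall logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

DISCOVERY_PORT = 10001  # the UDP discovery port discussed in the thread

# Constructed log format (assumption, not a real product's format):
#   <ISO timestamp> <in|out> <src> <dst> <proto> <dport> <length>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<proto>\S+) (?P<dport>\d+) (?P<length>\d+)$"
)

# Constructed sample: 198.51.100.7 is the (spoofed) address that three CPEs
# 203.0.113.10-12 are probed from; each replies with a 206-byte packet.
# 192.0.2.55 probes one CPE only, which looks like an ordinary single lookup.
SAMPLE_LOG = """\
2019-02-05T09:00:00 in 198.51.100.7 203.0.113.10 UDP 10001 56
2019-02-05T09:00:00 out 203.0.113.10 198.51.100.7 UDP 41234 206
2019-02-05T09:00:00 in 198.51.100.7 203.0.113.11 UDP 10001 56
2019-02-05T09:00:00 out 203.0.113.11 198.51.100.7 UDP 41234 206
2019-02-05T09:00:00 in 198.51.100.7 203.0.113.12 UDP 10001 56
2019-02-05T09:00:00 out 203.0.113.12 198.51.100.7 UDP 41234 206
2019-02-05T09:00:01 in 192.0.2.55 203.0.113.10 UDP 443 120
2019-02-05T09:00:01 in 192.0.2.55 203.0.113.10 UDP 10001 56
2019-02-05T09:00:01 out 203.0.113.10 192.0.2.55 UDP 53012 206
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    rec["length"] = int(rec["length"])
    return rec


def analyze(log_text, port=DISCOVERY_PORT, window=timedelta(seconds=1), min_targets=3):
    """Per probing address: peak distinct CPEs hit within `window`, bytes in/out, amplification."""
    probes = defaultdict(list)      # peer -> [(ts, cpe)] inbound probes to `port`
    bytes_in = defaultdict(int)     # bytes sent to our CPEs by each peer
    bytes_out = defaultdict(int)    # bytes our CPEs sent back to each peer
    probed = set()                  # (cpe, peer) pairs seen; replies on them count as responses

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if rec["dir"] == "in" and rec["dport"] == port:
            probes[rec["src"]].append((rec["ts"], rec["dst"]))
            bytes_in[rec["src"]] += rec["length"]
            probed.add((rec["dst"], rec["src"]))
        elif rec["dir"] == "out" and (rec["src"], rec["dst"]) in probed:
            # Simplification: any later UDP from the probed CPE to the peer is treated as the reply.
            bytes_out[rec["dst"]] += rec["length"]

    report = {}
    for peer, events in probes.items():
        events.sort()
        recent = deque()
        max_targets = 0
        for ts, cpe in events:          # sliding window over the peer's probes
            recent.append((ts, cpe))
            while ts - recent[0][0] > window:
                recent.popleft()
            max_targets = max(max_targets, len({c for _, c in recent}))
        factor = bytes_out[peer] / bytes_in[peer] if bytes_in[peer] else 0.0
        report[peer] = {
            "max_targets_in_window": max_targets,
            "bytes_in": bytes_in[peer],
            "bytes_out": bytes_out[peer],
            "amplification": round(factor, 2),
            "burst": max_targets >= min_targets,
        }
    return report


if __name__ == "__main__":
    for peer, stats in analyze(SAMPLE_LOG).items():
        flag = "SCAN BURST" if stats["burst"] else "ok"
        print(f"{peer:15} targets={stats['max_targets_in_window']} "
              f"amp={stats['amplification']}x {flag}")
```

The amplification figure here is the same ratio the post quotes (206/56, about 3.7x); the burst count is the signal that distinguishes a reflection campaign from a legitimate single discovery lookup, and is what you would alert on. In practice the threshold and window should be tuned to how much discovery traffic your own management tooling generates.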

Ubiquiti Employee
Posts: 9,522
Registered: 04-14-2017
Kudos: 1770
Solutions: 272

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@mhoppes I would consider this feature different to a security vulnerability, but we are in agreement on the usefulness of it.
Senior Member
Posts: 3,189
Registered: 07-28-2009
Kudos: 948
Solutions: 42

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@UBNT-SNK Any true fix for this yet outside of blocking port 10001? Also, while I have not fully confirmed it yet, I recently have had 2 CPEs exhibit the same symptoms even though I have had this port blocked for several months. Has there been a change on the attack vector?

Ubiquiti Employee
Posts: 9,522
Registered: 04-14-2017
Kudos: 1770
Solutions: 272

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

That is our current workaround at this time as this is being worked on. I am not aware of any change to the attack vector.
New Member
Posts: 39
Registered: 10-23-2013
Kudos: 14

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

So now that this thread has sat vacant for a month, this isn't a very good workaround and is rather unacceptable given that it blocks NAT Traversal. Any updates?
SuperUser
Posts: 5,892
Registered: 08-26-2009
Kudos: 1788
Solutions: 58

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

Blocking 10001 from the WAN won't break UPnP. Further, it shouldn't be listening on the WAN to begin with. How hard is it to bind only to the LAN interface...

SuperUser
Posts: 5,892
Registered: 08-26-2009
Kudos: 1788
Solutions: 58

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

Oh, breaks NAT-T... Yeah, that's annoying.

For sure, upnpd should not be listening on the WAN.

This is not even config 101. This is remedial, elementary config, guys.

Ubiquiti Employee
Posts: 9,522
Registered: 04-14-2017
Kudos: 1770
Solutions: 272

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

Let me check with the team on what the current state of a fix for this is.