New Member
Posts: 35
Registered: ‎10-23-2013
Kudos: 13

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

I have two interfaces that enter the network, on those two interfaces I blocked UDP/TCP port 10001 incoming. The next day we started getting phone calls for odd VPN issues. I was on the phone with one of the customers, turned off the block and their IPSEC tunnel came up. It was getting stuck on phase 2 of authentication prior to that. Tested the same thing with a customer that works at a local bank - same results. I don't know the specifics of the protocol, but I do know I could reproduce a broken VPN several times over. @mhoppes
Emerging Member
Posts: 51
Registered: ‎11-01-2017
Kudos: 7

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

We are seeing a round of distributed scans/attacks on 10001 in our logs this morning. Someone is aware of how to exploit this and the attacks are increasing rapidly. Here is a snip of 1 second of the log file.

[attached image: DiscoveryHits.PNG]
Ubiquiti Employee
Posts: 8,674
Registered: ‎04-14-2017
Kudos: 1633
Solutions: 249

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

Thanks for the additional info guys. I'd recommend configuring your firewalls accordingly and applying the usual internet connected device security measures, and we are looking at what we can do to address this for an upcoming release.
Ubiquiti Employee
Posts: 588
Registered: ‎12-21-2017
Kudos: 102
Solutions: 16

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

Port 10001 might be used for NAT traversal, please see: https://support.symantec.com/en_US/article.TECH83419.html

SuperUser
Posts: 16,669
Registered: ‎06-23-2010
Kudos: 5247
Solutions: 78

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@aaronjclark @UBNT-SNK The question still remains: what exactly is to be gained by this exploit and what is it exploiting?

@UBNT-SNK - When will we see separated management and data interfaces on these radios? There's no reason that management should be listening on the public IP addresses.
Emerging Member
Posts: 51
Registered: ‎11-01-2017
Kudos: 7

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@mhoppes, my best guess is that it's a UDP amplification attack used as part of a botnet for targeted DDoS attacks. Sending a small UDP packet to the devices on 10001 will return a much larger UDP response to whatever they report as the source address. In this case, the address of the DDoS victim.

Ubiquiti Employee
Posts: 8,674
Registered: ‎04-14-2017
Kudos: 1633
Solutions: 249

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@mhoppes that has been discussed internally, but I can't comment on a date for it to be implemented.
SuperUser
Posts: 16,669
Registered: ‎06-23-2010
Kudos: 5247
Solutions: 78

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@UBNT-SNK This is encouraging... but really, this should be given high priority (I feel), like any other security issues found in the firmware, since really that's what it is.
New Member
Posts: 35
Registered: ‎10-23-2013
Kudos: 13

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@aaronjclark it's definitely what it seems like. A quick look at shodan.io shows almost 1 million Ubiquiti devices online, reachable via the public IP. As far as things go though, it seems like a very weak amplification attack. Previous wide-scale amplification attacks averaged 1000+ bytes per 56-byte packet; spending 56 bytes to get 206 'seems' inefficient to me... Shodan seems to scrape all radio data, though. Like it's using discovery to fetch it.

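To put numbers on the two observations above (the distributed scan burst in the earlier log snip, and the 56-byte-in / 206-byte-out amplification ratio), here is an added detection example that is not from the thread or from Ubiquiti. It parses constructed firewall log lines in an assumed simplified format (timestamp, src:sport, dst:dport, proto, bytes), pairs each inbound UDP/10001 request with the reply back to the same source, reports the per-peer response/request byte ratio, and flags any one-second window in which many distinct sources hit 10001.

```python
import re
from collections import defaultdict

# Constructed sample log lines in an assumed simplified format; not real device output.
# 203.0.113.5 plays the CPE, 198.51.100.x are scanner sources, 192.0.2.7 is a VPN peer.
SAMPLE_LOG = """\
12:00:01 198.51.100.10:41234 -> 203.0.113.5:10001 UDP 56
12:00:01 203.0.113.5:10001 -> 198.51.100.10:41234 UDP 206
12:00:01 198.51.100.11:5555 -> 203.0.113.5:10001 UDP 56
12:00:01 198.51.100.12:5555 -> 203.0.113.5:10001 UDP 56
12:00:01 198.51.100.13:5555 -> 203.0.113.5:10001 UDP 56
12:00:01 198.51.100.14:5555 -> 203.0.113.5:10001 UDP 56
12:00:02 192.0.2.7:500 -> 203.0.113.5:10001 UDP 120
12:00:02 203.0.113.5:10001 -> 192.0.2.7:500 UDP 120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<bytes>\d+)$"
)

def parse(log):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            for k in ("sport", "dport", "bytes"):
                e[k] = int(e[k])
            events.append(e)
    return events

def amplification_factors(events, port=10001):
    """Map (peer_ip, peer_port) -> reply_bytes / request_bytes for UDP traffic to `port`."""
    requests, ratios = {}, {}
    for e in events:
        if e["proto"] != "UDP":
            continue
        if e["dport"] == port:                       # inbound request to the service
            requests[(e["src"], e["sport"])] = e["bytes"]
        elif e["sport"] == port:                     # reply from the service
            key = (e["dst"], e["dport"])
            if requests.get(key):
                ratios[key] = e["bytes"] / requests[key]
    return ratios

def distributed_scan_windows(events, port=10001, min_sources=5):
    """Return {timestamp: distinct_sources} for seconds with >= min_sources hitting `port`."""
    per_second = defaultdict(set)
    for e in events:
        if e["proto"] == "UDP" and e["dport"] == port:
            per_second[e["ts"]].add(e["src"])
    return {ts: len(s) for ts, s in per_second.items() if len(s) >= min_sources}
```

A ratio near 1.0, as for the VPN peer here, is the kind of legitimate 10001 traffic the earlier post lost by blocking the port outright, whereas a burst of distinct sources plus a ratio well above 1 is what the amplification hypothesis predicts.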
Ubiquiti Employee
Posts: 8,674
Registered: ‎04-14-2017
Kudos: 1633
Solutions: 249

Re: Possible Exploit - Losing access to SSH and HTTP/HTTPS on CPEs

@mhoppes I would consider this feature different to a security vulnerability, but we are in agreement on the usefulness of it.