SuperUser
Posts: 16,022
Registered: ‎06-23-2010
Kudos: 4980
Solutions: 76

Re: Virus attack - URGENT @UBNT

So then how do you run those commands???
Established Member
Posts: 986
Registered: ‎10-24-2009
Kudos: 81
Solutions: 1

Re: Virus attack - URGENT @UBNT

We got hit with this today also.

I was using the .skynet variable to clear it out although that apparently isn't the issue LOL.

Once I ran that command it "seems" to have allowed me to gain access and update to 5.6.4 though.

 

Pain in the fricking ass.

Yep, that can happen
www.wirelessdatanet.net
New Member
Posts: 11
Registered: ‎03-10-2009

Re: Virus attack - URGENT @UBNT

James.
Removing mass with AirControl 2 or any other suggestions?
We have 3000 CPE to check, remove and update.

New Member
Posts: 23
Registered: ‎08-13-2008
Kudos: 1

Re: Virus attack - URGENT @UBNT

It seems that blocking all inbound ssh into the cpe prevents this from infecting the radio.   Do you guys see it spreading any other way?

Established Member
Posts: 2,399
Registered: ‎06-04-2008
Kudos: 523
Solutions: 6

Re: Virus attack - URGENT @UBNT


amx wrote:

Hi James.

 

Thanks for the information.

 

Ahm...just for my info: we're one of the largest WISPs in Spain and we didn't receive any Vulnerability Warning?

Neither on direct way nor via our Wholesale Partner Landatel!?

 

You will pay the costs for cleaning up all customers' CPEs affected by this and other issues provoked by UBNT-Software failure?

 

Thanks in advance for your feedback!




LOOOOOOOOOOOOOOOOOOOOOOOOOOOOOLLLLLLLLLLLLLLLLLLLLll

Established Member
Posts: 986
Registered: ‎10-24-2009
Kudos: 81
Solutions: 1

Re: Virus attack - URGENT @UBNT

This is getting our internal private IP space from inside. I believe it is after our public IP'ed radios got infected. 

Yep, that can happen
www.wirelessdatanet.net
SuperUser
Posts: 16,022
Registered: ‎06-23-2010
Kudos: 4980
Solutions: 76

Re: Virus attack - URGENT @UBNT

Amx. Sounds like this was caused by you not having your equipment on secure versions of software so unfortunately you will pay the cost.
SuperUser
Posts: 16,022
Registered: ‎06-23-2010
Kudos: 4980
Solutions: 76

Re: Virus attack - URGENT @UBNT

@icequake why do you think it's coming in over ssh?
SuperUser
Posts: 21,550
Registered: ‎11-20-2011
Kudos: 7571
Solutions: 229

Re: Virus attack - URGENT @UBNT


amx wrote:

thanks, but there are no vulnerabilities notifications on this updates' blog


The blog discusses firmware and provides links and release notes. Inside the release notes are notices of security issues.

 

INCLUDING THIS ONE:

http://community.ubnt.com/t5/airMAX-Updates-Blog/Security-Release-for-airMAX-TOUGHSwitch-and-airGate...

 

Which contains the following:

-----

Hi all,

We've just released a very important security release of the following products: 

 

  • airMAX v5.6.2
  • airMAX AC v7.1.3
  • TOUGHSwitch v1.3.2
  • airGateway v1.1.5

The primary change in these versions is a fix for a vulnerability that allows unauthenticated users to gain access to the device via HTTP(s). 

 

All previous versions are affected. 

 

It's highly recommended to upgrade to the latest versions as soon as possible. If you have any questions, feel free to open a new thread or send me an email (matt@ubnt.com).

 

For downloads and full release notes on these versions, please see:

https://downloads.ubnt.com

 

EDIT: We have released updated versions of 5.5.x with this security update. You can find these under "Past Firmware" section.

 

XM.v5.5.11.28002.150723.1344.bin

TI.v5.5.11.28002.150723.1518.bin

XW.v5.5.10-u2.28005.150723.1358.bin (XW units shipping with 5.5.11 will need to use 5.6.2+. 5.5.11 for XW is not patched)

 

For legacy airOS 4 devices:

XS5.ar2313.v4.0.4.5074.150724.1344.bin

XS2.ar2316.v4.0.4.5074.150724.1340.bin

 

 

 

NOTE: This vulnerability was reported via our Hacker Bug Bounty program under private disclosure. At this time we have no reason to believe there are any leaks of this information or known exploits. 

 

Thanks,
Matt

-----

@amx



isp builder | linux sorcerer | datacenter automation conjurer | paid consultation available
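An added example, not part of the thread and not Ubiquiti tooling: a firmware inventory check built from the fixed versions in the announcement quoted above, including the case where XW 5.5.11 is unpatched although XW 5.5.10-u2 is patched. It assumes firmware strings follow the filename format the announcement lists (platform prefix, then version); the function names and the sample inventory are constructed, and anything other than XM, XW and TI is returned as unknown for manual review.

```python
import re

# Fixed builds named in the quoted release announcement.
MIN_FIXED = (5, 6, 2)                  # airMAX v5.6.2 and later carry the fix
BACKPORTS = {                          # patched 5.5.x builds, per platform
    "XM": "v5.5.11.28002.150723.1344",
    "TI": "v5.5.11.28002.150723.1518",
    "XW": "v5.5.10-u2.28005.150723.1358",
}
# Assumed string format: <platform>.v<major>.<minor>.<patch>[suffix/build]
FW_RE = re.compile(r"^(XM|XW|TI)\.(v(\d+)\.(\d+)\.(\d+)\S*)$")


def classify(fw: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one firmware string."""
    m = FW_RE.match(fw.strip())
    if not m:
        return "unknown"               # other product line or unparsable
    platform, full = m.group(1), m.group(2)
    version = tuple(int(m.group(i)) for i in (3, 4, 5))
    if version >= MIN_FIXED:
        return "patched"
    # Below 5.6.2 only the exact backported build is accepted. A plain
    # numeric comparison would be wrong here: XW 5.5.11 sorts after
    # XW 5.5.10-u2 but does not contain the fix.
    return "patched" if full == BACKPORTS[platform] else "vulnerable"


def audit(inventory):
    """Group (ip, firmware) pairs by classification."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for ip, fw in inventory:
        report[classify(fw)].append(ip)
    return report


# Constructed sample inventory (documentation-range addresses).
SAMPLE = [
    ("192.0.2.10", "XM.v5.6.4"),
    ("192.0.2.11", "XW.v5.5.11"),
    ("192.0.2.12", "XW.v5.5.10-u2.28005.150723.1358"),
    ("192.0.2.13", "TI.v5.5.11.28002.150723.1518"),
    ("192.0.2.14", "XM.v5.5.6"),
    ("192.0.2.15", "XS5.ar2313.v4.0.4.5074.150724.1344"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```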
New Member
Posts: 25
Registered: ‎01-21-2010
Kudos: 3

Re: Virus attack - URGENT @UBNT

I have ports 22, 23, 80 and 443 blocked, is that good enough?

Thanks 

Established Member
Posts: 986
Registered: ‎10-24-2009
Kudos: 81
Solutions: 1

Re: Virus attack - URGENT @UBNT

Not everyone wants to update their customers' radios every time UBNT comes out with a "fix" for something a company doesn't even use Matt. Matter of fact, if they would just get things to work right in the first place we wouldn't have 100+ versions of software.

 

I'm too busy trying to fix this "F" up to worry about anything else really. But it sure is a good damned way to get you to update to their latest and greatest whatever it is. This is going to cost a lot of money in truck rolls I'm quite sure of that either way.

Yep, that can happen
www.wirelessdatanet.net
SuperUser
Posts: 21,550
Registered: ‎11-20-2011
Kudos: 7571
Solutions: 229

Re: Virus attack - URGENT @UBNT


gunther_01 wrote:

This is getting our internal private IP space from inside. I believe it is after our public IP'ed radios got infected. 


If that was able to get into your radio, then either something on your network was compromised, or you didn't have proper firewall ACLs on your management network to prevent access to the device's management interface.

 

Otherwise, there would be no way for the device to contact your other devices.



isp builder | linux sorcerer | datacenter automation conjurer | paid consultation available
SuperUser
Posts: 12,656
Registered: ‎02-03-2013
Kudos: 6522
Solutions: 535
Contributions: 2

Re: Virus attack - URGENT @UBNT


gunther_01 wrote:

Not everyone wants to update their customers' radios every time UBNT comes out with a "fix" for something a company doesn't even use Matt. Matter of fact, if they would just get things to work right in the first place we wouldn't have 100+ versions of software.

 

I'm too busy trying to fix this "F" up to worry about anything else really. But it sure is a good damned way to get you to update to their latest and greatest whatever it is. This is going to cost a lot of money in truck rolls I'm quite sure of that either way.


These days, every piece of software and firmware needs security updates.

 

Anyone who doesn't keep their firmware up to date, and then exposes devices on the outside is leading a very dangerous life.

ubiquiti certified trainer :: ubwa | uewa
Established Member
Posts: 986
Registered: ‎10-24-2009
Kudos: 81
Solutions: 1

Re: Virus attack - URGENT @UBNT

You would be correct. But, every time UBNT releases something it breaks what I have worked hard to make...

 

So any word on a way to "fix" hundreds of radios yet???

 

 

Yep, that can happen
www.wirelessdatanet.net
Ubiquiti Employee
Posts: 7,512
Registered: ‎11-27-2012
Kudos: 1973
Solutions: 478
Contributions: 73

Re: Virus attack - URGENT @UBNT


gunther_01 wrote:

You would be correct. But, every time UBNT releases something it breaks what I have worked hard to make...

 

So any word on a way to "fix" hundreds of radios yet???

 

 


We have a few solutions in the works, but we don't want to telegraph our plans until everything is in place.

Established Member
Posts: 986
Registered: ‎10-24-2009
Kudos: 81
Solutions: 1

Re: Virus attack - URGENT @UBNT

It may not be available.

But a way to integrate it into AC would be great. That way I already have all of our subnets and such in there for whatever possible script or program to be able to sort through our network. We are routed, and the bridged network fixes don't work real well.

Wishful thinking probably. But the database is already there for most of us to build off of.

Yep, that can happen
www.wirelessdatanet.net
SuperUser
Posts: 21,550
Registered: ‎11-20-2011
Kudos: 7571
Solutions: 229

Re: Virus attack - URGENT @UBNT


gunther_01 wrote:

Not everyone wants to update their customers' radios every time UBNT comes out with a "fix" for something a company doesn't even use Matt. Matter of fact, if they would just get things to work right in the first place we wouldn't have 100+ versions of software.

 

I'm too busy trying to fix this "F" up to worry about anything else really. But it sure is a good damned way to get you to update to their latest and greatest whatever it is. This is going to cost a lot of money in truck rolls I'm quite sure of that either way.


If you are not properly segmenting and securing your network from the inside out and decide to ignore firmware releases, security notifications, and changelogs, then expect late nights.

 

This could have been avoided simply by proper security practices and awareness of notes that are a year old.

 

 

I'm sure this is hard to hear given your current situation, but it's the truth.



isp builder | linux sorcerer | datacenter automation conjurer | paid consultation available
Established Member
Posts: 1,207
Registered: ‎10-18-2014
Kudos: 333
Solutions: 33

Re: Virus attack - URGENT @UBNT


gunther_01 wrote:

You would be correct. But, every time UBNT releases something it breaks what I have worked hard to make...

 

 

 


Then you're doing something wrong, 5.6.2 is rock solid. I'll admit there are issues with 6.6.3/4 under specific circumstances though. No reason to be further back than this.

New Member
Posts: 20
Registered: ‎04-17-2012
Kudos: 6

Re: Virus attack - URGENT @UBNT

Enable firewall rules and give access list to only your network management IPs and problem solved. Your clients and outside world blocked. I wouldn't depend on firmware to block this crap.

Established Member
Posts: 986
Registered: ‎10-24-2009
Kudos: 81
Solutions: 1

Re: Virus attack - URGENT @UBNT

And this is why I don't ever come to this forum anymore. It's full of fanboys, and how "I" have to do what you want me to do in your way.

 

Yes, a lot of things would have prevented this. I didn't get the memo about the security breaches because I don't frequent here any more. My network works as advertised, and it took a lot of work to make it that way. From early BETA testing failures with UBNT, to many other issues that I worked out using UBNT.

 

Thanks for the information. I don't really need to be told how to implement much of anything. I, nor many others don't care to hear it at this point. Like you have never done anything wrong in networking. Bull $h!t. Get off your high horse.

Moving on to useful solutions and comments at this point, please.

Yep, that can happen
www.wirelessdatanet.net