Regular Member
Posts: 738
Registered: ‎01-02-2009
Kudos: 168

Re: Virus attack - URGENT @UBNT

If you don't have infected devices, the best way to prevent everything is to drop all input on your devices. Just allow HTTP on a nonstandard port and access to this just from your chosen IP range.

This is the way UBNT should solve this problem - make an easy function like this in the network menu of devices. Another thing is to make a virus/malware scanner for airControl 2.

https://community.ubnt.com/t5/airControl-2-Beta/Virus-malware-scanner-in-Aircontrol/m-p/1566912#M114...

Member
Posts: 126
Registered: ‎11-21-2013
Kudos: 27
Solutions: 1

Re: Virus attack - URGENT @UBNT

UBNT doesn't offer a menu option to disable HTTP access to any of its devices. And it's unclear whether this can be done via the internal firewall if the device is acting as a bridge rather than a router! An option to turn off HTTP (perhaps by setting the port to 0 or 65535 if not via a new checkbox) is one of the necessary security features that should be added to all firmware right away.

Member
Posts: 165
Registered: ‎10-23-2013
Kudos: 48
Solutions: 2

Re: Virus attack - URGENT @UBNT


BrettGlass wrote:

UBNT doesn't offer a menu option to disable HTTP access to any of its devices. And it's unclear whether this can be done via the internal firewall if the device is acting as a bridge rather than a router! An option to turn off HTTP (perhaps by setting the port to 0 or 65535 if not via a new checkbox) is one of the necessary security features that should be added to all firmware right away.


If you turn this off on the Services Tab:

http-off.png

does that not do what you're asking?

 

Sam

Ubiquiti Employee
Posts: 7,826
Registered: ‎11-27-2012
Kudos: 2133
Solutions: 495
Contributions: 73

Re: Virus attack - URGENT @UBNT

I should also add that this exploit is coming across HTTPS.

As for firewall in bridge mode, yes, you can restrict/whitelist IPs to allow access to management interfaces.

Similar to the example HERE, but use bridge0 (assuming that is the interface management is set to).

New Member
Posts: 3
Registered: ‎01-14-2011
Kudos: 3

Re: Virus attack - URGENT @UBNT

[ Edited ]

sonny wrote:

Hi,

We have several units upgraded and cannot access them via SSH.

Does anybody know how to solve it?

DH_compute_key failed err: 84303974


Just update your SSH client. Had this also with Mtik routers (below 6.25) connecting to UBNT.

Member
Posts: 126
Registered: ‎11-21-2013
Kudos: 27
Solutions: 1

Re: Virus attack - URGENT @UBNT

No, that does not do what I am asking, because I still need HTTPS to check status and throughput.

Regular Member
Posts: 738
Registered: ‎01-02-2009
Kudos: 168

Re: Virus attack - URGENT @UBNT

[ Edited ]

@UBNT-James

 

I should also add that this exploit is coming across HTTPS.
As for firewall in bridge mode, yes, you can restrict/whitelist IPs to allow access to management interfaces.


Similar to the example HERE, but use bridge0 (assuming that is the interface management is set to).

 

This is not for INPUT but for forward... WE NEED AN OPTION IN THE GRAPHIC MENU FOR INPUT

Ubiquiti Employee
Posts: 7,826
Registered: ‎11-27-2012
Kudos: 2133
Solutions: 495
Contributions: 73

Re: Virus attack - URGENT @UBNT


rado3105 wrote:

@UBNT-James

 

I should also add that this exploit is coming across HTTPS.
As for firewall in bridge mode, yes, you can restrict/whitelist IPs to allow access to management interfaces.


Similar to the example HERE, but use bridge0 (assuming that is the interface management is set to).

 

This is not for INPUT but for forward... WE NEED AN OPTION IN THE GRAPHIC MENU FOR INPUT


It is working for me.  If you are having trouble, please create a new thread showing the rules.

 

I have already requested a GUI option to restrict this more easily.  Don't have an ETA, but a dev ticket has been created.

 

If you have any more suggestions / requests, please either create a new thread or Feature Request.

Ubiquiti Employee
Posts: 7,826
Registered: ‎11-27-2012
Kudos: 2133
Solutions: 495
Contributions: 73

Re: Virus attack - URGENT @UBNT

[ Edited ]

Locking this topic.  If anyone is still having trouble, please either create a new thread or contact support.  (help.ubnt.com)

Recap from Blog Post HERE.

Hi Everyone,

There have been several reports of infected airOS M devices over the last week.  From the samples we have seen, there are 2 different payloads that use the same exploit.  We have confirmed these variations are using a known exploit that was reported and fixed last year.

This is an HTTP/HTTPS exploit that doesn't require authentication.  Simply having a radio on outdated firmware and having its HTTP/HTTPS interface exposed to the Internet is enough to get infected.  We are also recommending restricting all access to management interfaces via firewall filtering.

Devices running the following firmware are OK, but we recommend updating to 5.6.5 unless using legitimate rc.scripts.  Users using legitimate rc.scripts should run 5.6.4 for the time being.

 

airMAX M (Including airRouter)

  • 5.5.11 XM/TI
  • 5.5.10u2 XM
  • 5.6.2+ XM/XW/TI

airMAX AC

  • 7.1.3+

airOS 802.11G

  • 4.0.4

ToughSwitch

  • 1.3.2

airGateway

  • 1.1.5+

airFiber

  • AF24/AF24HD 2.2.1+
  • AF5x 3.0.2.1+
  • AF5 2.2.1+
 

 

Removal tool.

 

CureMalware-0.8.jar  (Please download via browser.)

 

Updated CureMalware to v0.8.

 

0.7 -> 0.8

 

Update:
* force device reboot after cure action
* check and remove the same set of files if infected
* extend files to be checked for infection
* use the same user and password as current connection to be stored to config
* remove unused content before upgrade to have enough space for upgrade

 

This tool requires Java and will run on OSX/Linux and Windows.  It will search for and remove both variants we have seen, and their baggage.  It has the option to upgrade firmware to 5.6.5.  Beware that 5.6.5 removes _all_ rc.scripts and the ability to use them.  Please use check and cure only if you are using legitimate rc.scripts.

 

NOTE: This tool will only automatically update airOS M devices.

 

Usage:

 

java -jar CureMalware-0.8.jar

 

Example:

C:\Users\ubnt\Downloads>java -jar CureMalware-0.7.jar
Skynet/PimPamPum/ExploitIM malware removal tool v0.7 for Ubiquiti devices

Copyright 2006-2016, Ubiquiti Networks, Inc. <support@ubnt.com>

This program is proprietary software; you can not redistribute it and/or modify
it without signed agreement with Ubiquiti Networks, Inc.


Possible formats for IP(s):
IP <192.168.1.1>
IP list <192.168.1.1, 192.168.1.2>
IP range <192.168.1.1-192.168.1.254>
Enter IP(s): 192.168.1.31
Possible actions:
Check [1]
Check and Cure [2]
Check, Cure and Update [3]
Enter action <1|2|3>: 3
Enter ssh port [22]:
Enter user name [ubnt]: ubnt
Reuse password <y|n>[y]: y
Processing ubnt@192.168.1.31:22 ...
Password for ubnt@192.168.1.31:
Checking...
CRITICAL: Infected by exploitim
WARNING: User Script(s) is(are) installed:
/etc/persistent/rc.poststart
Review/remove manually!
Done.
Cleaning...
Done.
IT IS STRONGLY RECOMMENDED TO CHANGE PASSWORD ON CURED DEVICE!
IT IS STRONGLY RECOMMENDED TO RUN CURED+UPDATE PROCEDURE!
Preparing Upgrade...
Done.
Uploading firmware: /firmwares/XM.bin ...
Sending... [%100]
Done.
Upgrading...
Current ver: 329220
New version: 329221
No need to fix.
Writing 'u-boot         ' to /dev/mtd0(u-boot         ) ...  [%100]
Writing 'kernel         ' to /dev/mtd2(kernel         ) ...  [%100]
Writing 'rootfs         ' to /dev/mtd3(rootfs         ) ...  [%100]
Done.

 

Manual Removal:

Make sure there are no unknown users or SSH keys in system.cfg:

grep -E "users|sshd.auth.key" /tmp/system.cfg

We recommend removing all custom scripts if you are not using them:

rm -fr /etc/persistent/rc.* /etc/persistent/profile

Then:

cfgmtd -w -p /etc/; reboot -f

If you are also not using SSH key authentication, then it is recommended to clean persistent:

cfgmtd -w; reboot -f

 

 

Firmware:


We are releasing 5.6.5 with the following changes.

 

  •  New: Disable custom scripts usage
  •  New: Enable syslog by default
  •  Fix: Security updates (malware scripts check and removal)

 

http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XW.v5.6.5.29033.160515.2108.bin
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XM.v5.6.5.29033.160515.2119.bin
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/TI.v5.6.5.29033.160515.2058.bin

 

For users running Verizon fix firmware on XM-based devices.

http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XM.v5.6.5-cpu400.29033.160515.2119.bin

 

For suggested best security practices, please see Securing airOS.
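As an added example, not from this thread or from Ubiquiti, here is a POSIX shell version of the system.cfg check from the manual-removal step: it compares every configured login name against an allowlist and reports every SSH authorized key entry, so a fleet of radios can be audited with one script instead of reading grep output by hand. The key layout (users.<n>.name, sshd.auth.key.<n>.status/value/comment) is an assumption, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Ubiquiti): audit an airOS system.cfg
# for user accounts and SSH authorized keys you did not configure yourself.
# Assumed system.cfg layout (key=value lines; the key names are an assumption):
#   users.<n>.name=<login>
#   sshd.auth.key.<n>.status=enabled|disabled, .value=<pubkey>, .comment=<text>

# Writes a constructed sample config to $1. Only "ubnt" is expected; the second
# account and the authorized key are what the audit should report.
make_sample_cfg() {
    cat > "$1" <<'EOF'
users.1.name=ubnt
users.1.password=$1$constructed$placeholder
users.2.name=sysadm
users.2.password=$1$constructed$placeholder
sshd.auth.key.1.status=enabled
sshd.auth.key.1.type=ssh-rsa
sshd.auth.key.1.value=AAAAB3NzaC1yc2E_constructed_placeholder_not_a_real_key
sshd.auth.key.1.comment=unknown@nowhere
EOF
}

# audit_cfg CFG "user1 user2 ..."
# Prints one line per finding; exit status 1 if anything unexpected was found.
audit_cfg() {
    cfg=$1; allowed=$2; findings=0
    # Every configured login name that is not on the allowlist
    for name in $(sed -n 's/^users\.[0-9][0-9]*\.name=//p' "$cfg"); do
        case " $allowed " in
            *" $name "*) ;;
            *) echo "UNKNOWN USER: $name"; findings=$((findings + 1)) ;;
        esac
    done
    # Every SSH authorized key entry, enabled or not: review and remove it
    # unless you placed it there yourself
    for idx in $(sed -n 's/^sshd\.auth\.key\.\([0-9][0-9]*\)\.value=.*/\1/p' "$cfg"); do
        status=$(sed -n "s/^sshd\.auth\.key\.$idx\.status=//p" "$cfg")
        comment=$(sed -n "s/^sshd\.auth\.key\.$idx\.comment=//p" "$cfg")
        echo "UNEXPECTED SSH KEY #$idx (${status:-no status}) comment='$comment'"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Usage on the constructed sample: prints two findings, exit status 1
sample="${TMPDIR:-/tmp}/airos_sample_$$.cfg"
make_sample_cfg "$sample"
audit_cfg "$sample" "ubnt"
rm -f "$sample"
```

On a real device the input is /tmp/system.cfg, as in the grep above, and the allowlist is whatever logins you actually created.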
