
Important Security Notice and airOS 5.6.5 Release

by Ubiquiti Employee ‎05-16-2016 11:43 AM - edited ‎07-21-2016 12:06 PM

Hi Everyone,

There have been several reports of infected airOS M devices over the last week.  From the samples we have seen, there are 2 different payloads that use the same exploit.  We have confirmed these variations are using a known exploit that was reported and fixed last year.

This is an HTTP/HTTPS exploit that doesn't require authentication.  Simply having a radio on outdated firmware with its http/https interface exposed to the Internet is enough to get infected.  We are also recommending restricting all access to management interfaces via firewall filtering.

Devices running the following firmware are OK, but we recommend updating to 5.6.5 unless you are using legitimate rc.scripts.  Users using legitimate rc.scripts should run 5.6.4 for the time being.

 

airMAX M (including airRouter)

  • 5.5.11 XM/TI
  • 5.5.10u2 XM
  • 5.6.2+ XM/XW/TI

airMAX AC

  • 7.1.3+

airOS 802.11G

  • 4.0.4

ToughSwitch

  • 1.3.2

airGateway

  • 1.1.5+

airFiber

  • AF24/AF24HD 2.2.1+
  • AF5x 3.0.2.1+
  • AF5 2.2.1+

Removal tool:

NOTE: If you cannot access the devices, try the username moth3r with the password fuck.3r (or moth3r/fucker) with CureMalware.

ubnt-Cure-Malware.zip (Please download via browser.)

md5sum  782789ab878882de4d65d6967b055633  ubnt-CureMalware.zip

Updated CureMalware to v1.2


Requirements:
 - Java(TM) runtime environment

How-To:
 - unzip ubnt-CureMalware.zip
 - run one of the run scripts, depending on your OS:
       unix-CureMalware.sh for Linux
       windows-CureMalware.bat for Windows
 - follow the instructions printed by the tool

 

1.1 -> 1.2

Version: 1.2 (07/10/2016)

Features:
- Bugfix for the user name issue introduced in v1.1
- Stop the watchdog to prevent a device reboot in case of out-of-memory


1.0 -> 1.1

Version: 1.1 (06/21/2016)

Features:
- Command line argument support added:
    java -jar CureMalware-1.1.jar -a <1|2|3> -u <user name> -s <user password> -i <ip address>|<ip1,ip2, ...>|<ip1-ipN> -p <port no>

 

 

0.8 -> 1.0

Version: 1.0 (06/09/2016)

Built-in firmware images with custom scripts DISABLED:
 - XM.v5.6.6.29183.160526.1225
 - XW.v5.6.6.29183.160526.1205
 - TI.v5.6.6.29183.160526.1144

Features:
- Checks, cures, and upgrades Ubiquiti M-series devices infected by the ExploitIM malware. Does not upgrade AC-series devices.
- Supports parallel execution against multiple devices.
- Removes old Access Controller authentication keys from infected devices. Requires re-adoption.

 

0.7 -> 0.8

Update:
- force a device reboot after the cure action
- check for and remove the same set of files if infected
- extend the set of files checked for infection
- store the same user and password as the current connection in the config
- remove unused content before the upgrade so there is enough space for it

This tool requires Java and will run on OSX/Linux and Windows.  It will search for and remove both variants we have seen, and their baggage.  It has the option to upgrade firmware to 5.6.5.  Beware that 5.6.5 removes _all_ rc.scripts and the ability to use them.  Please use Check and Cure only if you are using legitimate rc.scripts.

NOTE: This tool will only automatically update airOS M devices.

 

Usage:

 

windows-CureMalware.bat

 

Example:

C:\Users\ubnt\Downloads>windows-CureMalware.bat
Skynet/PimPamPum/ExploitIM malware removal tool v1.0 for Ubiquiti devices

Copyright 2006-2016, Ubiquiti Networks, Inc. <support@ubnt.com>

This program is proprietary software; you can not redistribute it and/or modify
it without signed agreement with Ubiquiti Networks, Inc.


Possible formats for IP(s):
IP <192.168.1.1>
IP list <192.168.1.1, 192.168.1.2>
IP range <192.168.1.1-192.168.1.254>
Enter IP(s): 192.168.1.31
Possible actions:
Check [1]
Check and Cure [2]
Check, Cure and Update [3]
Enter action <1|2|3>: 3
Enter ssh port [22]:
Enter user name [ubnt]: ubnt
Reuse password <y|n>[y]: y
Processing ubnt@192.168.1.31:22 ...
Password for ubnt@192.168.1.31:
Checking...
CRITICAL: Infected by exploitim
WARNING: User Script(s) is(are) installed:
/etc/persistent/rc.poststart
Review/remove manually!
Done.
Cleaning...
Done.
IT IS STRONGLY RECOMMENDED TO CHANGE PASSWORD ON CURED DEVICE!
IT IS STRONGLY RECOMMENDED TO RUN CURED+UPDATE PROCEDURE!
Preparing Upgrade...
Done.
Uploading firmware: /firmwares/XM.bin ...
Sending... [%100]
Done.
Upgrading...
Current ver: 329220
New version: 329221
No need to fix.
Writing 'u-boot         ' to /dev/mtd0(u-boot         ) ...  [%100]
Writing 'kernel         ' to /dev/mtd2(kernel         ) ...  [%100]
Writing 'rootfs         ' to /dev/mtd3(rootfs         ) ...  [%100]
Done.

 

Manual Removal:

Make sure there are no unknown users or ssh keys in system.cfg:

grep -E "users|sshd.auth.key" /tmp/system.cfg

We recommend removing all custom scripts if you are not using them:

rm -fr /etc/persistent/rc.* /etc/persistent/profile

Then:

cfgmtd -w -p /etc/; reboot -f

If you are also not using ssh key authentication, it is recommended to clean the persistent store as well:

cfgmtd -w; reboot -f
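The checks behind the manual-removal steps above, as an added example that is not Ubiquiti's code: a small POSIX shell audit run over a constructed system.cfg and a constructed persistent directory. The users.N.name and sshd.auth.key.N.value key layout is an assumption, not something this post states; on a device you would pass /tmp/system.cfg and /etc/persistent instead of the samples.

```shell
#!/bin/sh
# Added example, not Ubiquiti's CureMalware tool: audit an exported airOS
# system.cfg and a persistent directory for the indicators the manual-removal
# steps grep for: extra users, ssh keys and custom rc.* scripts.
# Assumption: airOS stores users as users.N.name=... and ssh keys as
# sshd.auth.key.N.value=... (key layout assumed, not taken from the post).
# Constructed sample config standing in for /tmp/system.cfg on a device.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
users.1.status=enabled
users.1.name=ubnt
users.1.password=CONSTRUCTED_HASH_1
users.2.status=enabled
users.2.name=moth3r
users.2.password=CONSTRUCTED_HASH_2
sshd.auth.key.1.status=enabled
sshd.auth.key.1.type=ssh-rsa
sshd.auth.key.1.value=CONSTRUCTED_KEY_MATERIAL
EOF

# Constructed stand-in for /etc/persistent holding one custom boot script.
SAMPLE_DIR="$(mktemp -d)"
touch "$SAMPLE_DIR/rc.poststart"

# Print every configured user name except the single admin you expect.
unknown_users() {  # $1 = config file, $2 = expected admin user
    grep -E '^users\.[0-9]+\.name=' "$1" | cut -d= -f2- | grep -vxF "$2" || true
}

# Count sshd.auth.key entries; if you never added keys, any non-zero count is an indicator.
ssh_key_count() {  # $1 = config file
    grep -cE '^sshd\.auth\.key\.[0-9]+\.value=' "$1" || true
}

# List custom boot scripts in the persistent store (what 5.6.5 disables).
persistent_scripts() {  # $1 = persistent directory
    ls "$1"/rc.* "$1"/profile 2>/dev/null || true
}

# Print warnings in the tool's style; return 1 when any indicator is present.
audit() {  # $1 = config file, $2 = admin user, $3 = persistent dir
    u="$(unknown_users "$1" "$2")"; k="$(ssh_key_count "$1")"; s="$(persistent_scripts "$3")"
    [ -n "$u" ] && echo "WARNING: unknown user(s): $u"
    [ "$k" -gt 0 ] && echo "WARNING: $k ssh key(s) in config"
    [ -n "$s" ] && echo "WARNING: custom script(s): $s"
    [ -z "$u$s" ] && [ "$k" -eq 0 ]
}

audit "$SAMPLE_CFG" ubnt "$SAMPLE_DIR" || echo "Review/remove manually!"
```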

 

 

Firmware:

We are releasing 5.6.5 with the following changes.

  • New: Disable custom scripts usage
  • New: Enable syslog by default
  • Fix: Security updates (malware scripts check and removal)

http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XW.v5.6.5.29033.160515.2108.bin
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XM.v5.6.5.29033.160515.2119.bin
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/TI.v5.6.5.29033.160515.2058.bin

For suggested best security practices, please see Securing airOS.