Menu
Worm infects unpatched Ubiquiti wireless devices

Worm infects unpatched Ubiquiti wireless devices

The vulnerability has been known for almost a year, but many users haven't applied the patches

Routers and other wireless devices made by Ubiquiti Networks have recently been infected by a worm that exploits a year-old remote unauthorized access vulnerability.

The attack highlights one of the major issues with router security: the fact that the vast majority of them do not have an auto update mechanism and that their owners hardly ever update them manually.

The worm creates a backdoor administrator account on vulnerable devices and then uses them to scan for and infect other devices on the same and other networks.

"This is an HTTP/HTTPS exploit that doesn't require authentication," Ubiquiti said in an advisory. "Simply having a radio on outdated firmware and having its http/https interface exposed to the Internet is enough to get infected."

The company has observed attacks against airMAX M Series devices, but AirMAX AC, airOS 802.11G, ToughSwitch, airGateway and airFiber devices running outdated firmware are also affected.

The vulnerability was reported privately to Ubiquiti last year through a bug bounty program and was patched in airMAX v5.6.2, airMAX AC v7.1.3, airOS 802.11G v4.0.4, TOUGHSwitch v1.3.2, airGateway v1.1.5, airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1 and AF5 2.2.1. Devices running firmware newer than those versions should be protected.

For airMAX M devices, the company recommends upgrading to the latest 5.6.5 version. However, this version removes support for rc.scripts, so users relying on that functionality should stick with 5.6.4 for the time being.

Using firewall filtering to restrict remote access to the management interface is also highly recommended.

According to researchers from Symantec, after the worm exploits the flaw to create a backdoor account, it adds a firewall rule in order to block legitimate administrators from accessing the Web-based management interface. It also copies itself to the rc.poststart script in order to ensure that it persists across device reboots.

"So far this malware doesn’t seem to perform any other activities beyond creating a back door account, blocking access to the device, and spreading to other routers," the Symantec researchers said in a blog post Thursday. "It’s likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation."

Ubiquiti Networks has also created a Java-based application that can automatically remove the infection from affected devices. It can be used on Windows, Linux and OS X.

Router security is particularly bad in the consumer market, where large numbers of routers can remain vulnerable to known vulnerabilities for years and can be compromised en masse to create distributed denial-of-service (DDoS) botnets or to launch man-in-the-middle attacks against their users.

In the past, attackers have managed to hijack hundreds of thousands of home routers by simply trying out default or common usernames and passwords. Users should always change the default administrator password when installing their router and should disable remote access to its management interface unless this functionality is needed.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments