Menu
Worm infects unpatched Ubiquiti wireless devices

Worm infects unpatched Ubiquiti wireless devices

The vulnerability has been known for almost a year, but many users haven't applied the patches

Routers and other wireless devices made by Ubiquiti Networks have recently been infected by a worm that exploits a year-old remote unauthorized access vulnerability.

The attack highlights one of the major issues with router security: the fact that the vast majority of them do not have an auto update mechanism and that their owners hardly ever update them manually.

The worm creates a backdoor administrator account on vulnerable devices and then uses them to scan for and infect other devices on the same and other networks.

"This is an HTTP/HTTPS exploit that doesn't require authentication," Ubiquiti said in an advisory. "Simply having a radio on outdated firmware and having its http/https interface exposed to the Internet is enough to get infected."

The company has observed attacks against airMAX M Series devices, but AirMAX AC, airOS 802.11G, ToughSwitch, airGateway and airFiber devices running outdated firmware are also affected.

The vulnerability was reported privately to Ubiquiti last year through a bug bounty program and was patched in airMAX v5.6.2, airMAX AC v7.1.3, airOS 802.11G v4.0.4, TOUGHSwitch v1.3.2, airGateway v1.1.5, airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1 and AF5 2.2.1. Devices running firmware newer than those versions should be protected.

For airMAX M devices, the company recommends upgrading to the latest 5.6.5 version. However, this version removes support for rc.scripts, so users relying on that functionality should stick with 5.6.4 for the time being.

Using firewall filtering to restrict remote access to the management interface is also highly recommended.

According to researchers from Symantec, after the worm exploits the flaw to create a backdoor account, it adds a firewall rule in order to block legitimate administrators from accessing the Web-based management interface. It also copies itself to the rc.poststart script in order to ensure that it persists across device reboots.

"So far this malware doesn’t seem to perform any other activities beyond creating a back door account, blocking access to the device, and spreading to other routers," the Symantec researchers said in a blog post Thursday. "It’s likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation."

Ubiquiti Networks has also created a Java-based application that can automatically remove the infection from affected devices. It can be used on Windows, Linux and OS X.

Router security is particularly bad in the consumer market, where large numbers of routers can remain vulnerable to known vulnerabilities for years and can be compromised en masse to create distributed denial-of-service (DDoS) botnets or to launch man-in-the-middle attacks against their users.

In the past, attackers have managed to hijack hundreds of thousands of home routers by simply trying out default or common usernames and passwords. Users should always change the default administrator password when installing their router and should disable remote access to its management interface unless this functionality is needed.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Bumper channel crowd kicks off first After Hours of 2018

Bumper channel crowd kicks off first After Hours of 2018

After Hours made a welcome return to the channel social calendar with a bumper crowd of partners, distributors and vendors descending on The Jefferson in Auckland to kick-start 2018. Photos by Gino Demeer.

Bumper channel crowd kicks off first After Hours of 2018
Looking back at the top 15 M&A deals in NZ during 2017

Looking back at the top 15 M&A deals in NZ during 2017

In 2017, merger and acquisitions fever reached new heights in New Zealand, with a host of big name deals dominating the headlines. Reseller News recaps the most important transactions of the Kiwi channel during the past 12 months.

Looking back at the top 15 M&A deals in NZ during 2017
Kiwi channel closes 2017 with After Hours

Kiwi channel closes 2017 with After Hours

The channel in New Zealand came together to celebrate the close of 2017, as the final After Hours played out in front of a bumper Auckland crowd.

Kiwi channel closes 2017 with After Hours
Show Comments