Over 485,000 Ubiquiti devices vulnerable to new attack
Full Article: https://www.zdnet.com/article/over-485000-ubiquiti-devices-vulnerable-to-new-attack/
Ubiquiti Networks is working on a fix for a newly discovered security issue affecting its devices that attackers have been exploiting since July last year.
The issue impacts over 485,000 devices, according to an internet scan conducted by US cyber-security firm Rapid7.
In a security alert published by Rapid7, senior security researcher Jon Hart explained that attackers are exploiting a "discovery service" running on port 10,001, which Ubiquiti Networks included in its devices so the company and internet service providers (ISPs) can use it to find Ubiquiti equipment on the internet and in closed networks.
Hart said the amplification factor of this service can go up to 30-35, posing the real danger that attackers could find a way to weaponize this service and carry out DDoS attacks in excess of 1Tbps, which Hart described as "a crippling amount of traffic to all but the most fortified infrastructure."
The Rapid7 researcher said that the only good news at the moment is that this discovery protocol "does not appear to suffer from multi-packet responses," making exploitation extremely hard for the time being, as attackers can only "reflect" small amounts of DDoS traffic.
Hart said that this discovery port isn't specific to one Ubiquiti device and is found on a wide variety of the vendor's equipment, such as NanoStation (172,000 devices), AirGrid (131,000 devices), LiteBeam (43,000 devices), PowerBeam (40,000 devices), and others.
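For operators who want to check whether their own devices are answering discovery probes from outside, here is an added example (not from the article or from Rapid7) that measures the reply-to-request byte ratio on port 10001 from edge flow records. The five-column flow layout, the management range, the alert threshold and the sample records are assumptions constructed for illustration.

```python
import csv, io, ipaddress
from collections import defaultdict

DISCOVERY_PORT = 10001                         # port named in the article
MGMT_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: trusted management range
RATIO_ALERT = 10.0                             # assumption: alert well below the 30-35 cited

# Constructed sample flow records (not real traffic): src,sport,dst,dport,bytes
SAMPLE_FLOWS = """\
198.51.100.7,40000,203.0.113.10,10001,56
203.0.113.10,10001,198.51.100.7,40000,1820
198.51.100.7,40001,203.0.113.10,10001,56
203.0.113.10,10001,198.51.100.7,40001,1790
10.1.2.3,53000,203.0.113.20,10001,56
203.0.113.20,10001,10.1.2.3,53000,1700
192.0.2.44,41000,203.0.113.30,10001,56
"""

def analyze(flow_csv):
    """Return {device_ip: (bytes_in, bytes_out, ratio)} counting external peers only."""
    stats = defaultdict(lambda: [0, 0])
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:
            continue                           # skip blank or malformed lines
        src, sport, dst, dport, nbytes = row
        if int(dport) == DISCOVERY_PORT:       # request reaching a device
            device, peer, idx = dst, src, 0
        elif int(sport) == DISCOVERY_PORT:     # reply leaving a device
            device, peer, idx = src, dst, 1
        else:
            continue
        if ipaddress.ip_address(peer) in MGMT_NET:
            continue                           # local discovery is expected
        stats[device][idx] += int(nbytes)
    return {dev: (b_in, b_out, b_out / b_in if b_in else 0.0)
            for dev, (b_in, b_out) in stats.items()}

def reflectors(flow_csv):
    """Devices whose reply/request ratio to outside peers meets the threshold."""
    return sorted(d for d, (_, _, r) in analyze(flow_csv).items() if r >= RATIO_ALERT)

if __name__ == "__main__":
    for dev, (b_in, b_out, ratio) in analyze(SAMPLE_FLOWS).items():
        print(f"{dev}: in={b_in}B out={b_out}B amplification={ratio:.1f}x")
    print("answering external probes:", reflectors(SAMPLE_FLOWS))
```

A device that appears in `analyze()` at all is reachable on the discovery port from outside the management range, even when it has not replied, so it is a candidate for filtering at the network edge.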