SecurityWeek

Mobile & Wireless

Flaw Possibly Affecting 500,000 Ubiquiti Devices Exploited in the Wild

Nearly half a million Ubiquiti devices may be affected by a vulnerability that has already been exploited in the wild, security experts warned last week.

Jim Troutman, consultant and director of the Northern New England Neutral Internet Exchange (NNENIX), revealed last week on Twitter that hackers had been remotely targeting Ubiquiti networking devices exposed to the Internet through a discovery service listening on UDP port 10001.

Troutman said attackers had been launching denial-of-service (DoS) attacks that rendered a device’s management features unavailable. He also warned that the service can be abused as a reflector in distributed DoS (DDoS) attacks, albeit with a low amplification factor.

The issue has been discussed on Ubiquiti forums since at least last summer, and Rapid7 has reported seeing traffic destined for port 10001 for more than a year. Ubiquiti, however, appears to have become aware of the weakness, and to have alerted users, only after Troutman’s warning on Twitter.

The vendor claims it has been working on a firmware update that should address the problem. In the meantime, it has advised users to block the problematic port at the network perimeter as a temporary workaround.

Interestingly, the company told customers that the flaw cannot be exploited to “create a DDoS attack.” It also told users that the vulnerability does not allow an attacker to gain control of devices.

However, Troutman, who says Ubiquiti’s suggested workaround could disrupt some services, claims to have seen DDoS amplification attacks, although with a fairly small amplification rate (“56 bytes in, 206 bytes out”, roughly 3.7X). He is also not convinced that the vulnerability cannot be used to remotely compromise devices.

Rapid7 researchers have also monitored these attacks and warned that the problematic service could have other management capabilities either “baked in or nearby.” As for the possibility of DDoS attacks, Rapid7’s Jon Hart noted in a blog post that UDP amplification vulnerabilities can typically allow attacks with an amplification rate that reaches up to 30-35X.
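As an added example (it is not code from the article, Ubiquiti or Rapid7), the following Python script shows how the two behaviours described above, a probe flood that knocks out management and reflection with a small amplification factor, look in flow records from the device side and how to flag them. Beyond the port number and Troutman’s 56-in/206-out sizes, everything in it is an assumption: the record layout, the RFC1918 definition of “internal”, the constructed sample traffic, the hypothetical device and peer addresses, and the probe-count threshold.

```python
"""Passive detection of Ubiquiti discovery-service (UDP/10001) abuse in flow records.

Added example; not code from SecurityWeek, Ubiquiti or Rapid7.
Assumptions (not from the article): records are (src_ip, src_port, dst_ip, dst_port,
bytes) tuples as a NetFlow/IPFIX exporter or a pcap summary would yield; the LAN is
RFC1918 space; probe/reply sizes reuse the 56-in / 206-out figures Troutman reported.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

DISCOVERY_PORT = 10001

# Assumed: anything outside these ranges is beyond the network perimeter.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed threshold: this many probes from one external peer in the record set is
# treated as a flood/reflection stream rather than a stray Internet scan.
REFLECTION_PROBES = 20

PROBE_BYTES, REPLY_BYTES = 56, 206   # wire sizes as reported by Troutman
DEVICE = "192.168.1.20"              # constructed: a Ubiquiti radio on the LAN


def _exchange(peer, count):
    """Constructed probe/reply pairs between `peer` and DEVICE."""
    flows = []
    for _ in range(count):
        flows.append((peer, 40000, DEVICE, DISCOVERY_PORT, PROBE_BYTES))
        flows.append((DEVICE, DISCOVERY_PORT, peer, 40000, REPLY_BYTES))
    return flows


# Constructed sample traffic (hypothetical addresses).
SAMPLE_FLOWS = (
    _exchange("192.168.1.50", 2)     # legitimate discovery from a LAN host
    + _exchange("198.51.100.9", 1)   # a single probe from an Internet scanner
    + _exchange("203.0.113.7", 50)   # spoofed source: every reply lands on the victim
)


def is_external(ip):
    """True when `ip` lies outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(flows, reflection_probes=REFLECTION_PROBES):
    """Summarise discovery traffic per remote peer; flag exposure and reflection.

    In a reflection attack the attacker spoofs the victim's address, so from the
    device side the victim itself appears to be the one sending the probes.
    """
    peers = defaultdict(lambda: {"probes": 0, "bytes_in": 0, "bytes_out": 0, "devices": set()})
    for src, sport, dst, dport, size in flows:
        if dport == DISCOVERY_PORT:          # probe towards a device
            p = peers[src]
            p["probes"] += 1
            p["bytes_in"] += size
            p["devices"].add(dst)
        elif sport == DISCOVERY_PORT:        # reply from a device
            peers[dst]["bytes_out"] += size

    exposed, reflection = set(), {}
    for peer, p in peers.items():
        p["amplification"] = p["bytes_out"] / p["bytes_in"] if p["bytes_in"] else 0.0
        p["external"] = is_external(peer)
        if p["external"] and p["bytes_out"]:
            exposed |= p["devices"]          # a device answered someone beyond the perimeter
        if p["external"] and p["probes"] >= reflection_probes:
            reflection[peer] = p["bytes_out"]  # reply bytes delivered to the (spoofed) peer
    return {"peers": dict(peers), "exposed": exposed, "reflection": reflection}


if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS)
    print("devices answering external probes:", sorted(report["exposed"]))
    for peer, p in sorted(report["peers"].items()):
        print(f"{peer:>15}  external={p['external']!s:5}  probes={p['probes']:3}  "
              f"amplification={p['amplification']:.2f}x")
    for victim, out in report["reflection"].items():
        print(f"reflection towards {victim}: {out} bytes of replies")
```

The ratio is computed on whatever byte count the records carry: records that count only UDP payload give a much higher figure than records that count the full packet including the 28 bytes of IPv4 and UDP headers, which is one reason quoted amplification factors for the same service differ. Any device in the `exposed` set is one whose UDP/10001 traffic is not being filtered at the perimeter, whatever the attack volume.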

An Internet scan conducted using Rapid7’s Sonar project revealed roughly 490,000 unique devices accessible on UDP port 10001. More than half are located in Brazil, but significant numbers have also been identified in the United States, Spain and other countries.

Location of exposed Ubiquiti devices

A majority of the exposed Ubiquiti devices are NanoStation (172,000), AirGrid (131,000), LiteBeam (43,000), PowerBeam (40,000), and NanoBeam (21,000) products.

The names of 17,000 of these devices contain the string “HACKED-ROUTER-HELP-SOS”, suggesting that they have already been compromised through other vulnerabilities. This is not surprising, as Rapid7 says most of the discovered devices are running outdated firmware.

Related: Worm Infects Many Ubiquiti Devices via Old Vulnerability

Related: Critical Flaw Exposes Many Ubiquiti Devices to Attacks

Related: Flaw Allows Hackers to Find Ubiquiti Devices Exposed to Web

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
