An official response to the worm exploit of un-patched airOS devices.
Source: http://community.ubnt.com/t5/blogs/blogarticleprintpage/blog-id/Blog_airMAX/article-id/363
Important Security Notice and airOS 5.6.5 Release
by UBNT-James, 2 weeks ago (last edited a week ago)

Hi Everyone,
There have been several reports of infected airOS M devices over the last week. From the samples we have seen, there are 2 different payloads that use the same exploit. We have confirmed these variations are using a known exploit that was reported and fixed last year.
This is an HTTP/HTTPS exploit that doesn't require authentication. Simply having a radio on outdated firmware with its http/https interface exposed to the Internet is enough to get infected. We are also recommending restricting all access to management interfaces via firewall filtering.
Devices running the following firmware are OK, but we recommend updating to 5.6.5 unless you are using legitimate rc.scripts. Users using legitimate rc.scripts should run 5.6.4 for the time being.
airMAX M (Including airRouter)
AirMAX AC
airOS 802.11G
ToughSwitch
airGateway
airFiber
Removal tool:
CureMalware-0.8.jar (Please download via browser.)
Update: CureMalware updated to v0.8 (0.7 -> 0.8).
This tool requires Java and will run on OSX/Linux and Windows. It will search for and remove both variants we have seen, and their baggage. It has the option to upgrade firmware to 5.6.5. Beware that 5.6.5 removes _all_ rc.scripts and the ability to use them. Please use check and cure only if you are using legitimate rc.scripts.
NOTE: This tool will only automatically update airOS M devices.
Usage:
java -jar CureMalware-0.8.jar
Example:
C:\Users\ubnt\Downloads>java -jar CureMalware-0.7.jar
Skynet/PimPamPum/ExploitIM malware removal tool v0.7 for Ubiquiti devices
Copyright 2006-2016, Ubiquiti Networks, Inc. <support@ubnt.com>
This program is proprietary software; you can not redistribute it and/or modify it without signed agreement with Ubiquiti Networks, Inc.
Possible formats for IP(s):
IP <192.168.1.1>
IP list <192.168.1.1, 192.168.1.2>
IP range <192.168.1.1-192.168.1.254>
Enter IP(s): 192.168.1.31
Possible actions:
Check [1]
Check and Cure [2]
Check, Cure and Update [3]
Enter action <1|2|3>: 3
Enter ssh port [22]:
Enter user name [ubnt]: ubnt
Reuse password <y|n>[y]: y
Processing ubnt@192.168.1.31:22 ...
Password for ubnt@192.168.1.31:
Checking...
CRITICAL: Infected by exploitim
WARNING: User Script(s) is(are) installed: /etc/persistent/rc.poststart Review/remove manually!
Done.
Cleaning... Done.
IT IS STRONGLY RECOMMENDED TO CHANGE PASSWORD ON CURED DEVICE!
IT IS STRONGLY RECOMMENDED TO RUN CURED+UPDATE PROCEDURE!
Preparing Upgrade... Done.
Uploading firmware: /firmwares/XM.bin ...
Sending... [%100] Done.
Upgrading...
Current ver: 329220 New version: 329221
No need to fix.
Writing 'u-boot ' to /dev/mtd0(u-boot ) ... [%100]
Writing 'kernel ' to /dev/mtd2(kernel ) ... [%100]
Writing 'rootfs ' to /dev/mtd3(rootfs ) ... [%100]
Done.
Manual Removal:
Make sure there are no unknown users or ssh keys in system.cfg:
grep -E "users|sshd.auth.key" /tmp/system.cfg
We recommend removing all custom scripts if you are not using them:
rm -fr /etc/persistent/rc.* /etc/persistent/profile
Then:
cfgmtd -w -p /etc/; reboot -f
If you are also not using ssh key authentication, then it is recommended to clean persistent:
cfgmtd -w; reboot -f
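The manual check above leaves it to the reader to scan the grep output. The script below is an added example, not Ubiquiti's code, that turns the same check into a yes/no audit: it lists every account in a system.cfg dump that is not on your expected list, lists every configured SSH authorized key, and lists the rc.* scripts and profile in /etc/persistent that the advisory says to remove when unused. It assumes the config layout seen in airOS dumps (users.N.name=<login>, sshd.auth.key.N.value=<pubkey>); the sample config and the account name "extra" in it are constructed, and the script runs offline on that sample so you can read its output before pointing it at a real config copy.

```shell
#!/bin/sh
# Added example (not Ubiquiti's code): audit a copy of system.cfg the way the
# advisory's manual check does, but report findings instead of relying on
# reading raw grep output. Assumed key layout (constructed sample below):
#   users.N.name=<login>              one entry per account
#   sshd.auth.key.N.value=<pubkey>    one entry per authorized key
# Plain POSIX sh, so it also runs in the busybox shell on the radio itself.

# audit_cfg CFG_FILE "user1 user2 ..."
# Prints each users.N.name not in the expected list and each sshd.auth.key
# entry. Returns 0 when nothing was found, 1 otherwise.
audit_cfg() {
    cfg="$1"; expected="$2"; found=0
    for name in $(grep -E '^users\.[0-9]+\.name=' "$cfg" | cut -d= -f2-); do
        case " $expected " in
            *" $name "*) ;;                          # account you created
            *) echo "UNKNOWN USER: $name"; found=1 ;;
        esac
    done
    # Any authorized key is worth a look unless you installed it yourself.
    if grep -qE '^sshd\.auth\.key' "$cfg"; then
        grep -E '^sshd\.auth\.key' "$cfg" | sed 's/^/SSH KEY: /'
        found=1
    fi
    return "$found"
}

# list_rc_scripts PERSISTENT_DIR
# Prints the rc.* scripts and profile the advisory recommends removing when
# unused. Returns 0 when the directory holds none, 1 otherwise.
list_rc_scripts() {
    dir="$1"; found=0
    for f in "$dir"/rc.* "$dir"/profile; do
        [ -e "$f" ] || continue
        echo "CUSTOM SCRIPT: $f"; found=1
    done
    return "$found"
}

# write_sample_cfg PATH
# Writes a constructed config: the stock ubnt account, a second account the
# operator never created, and one authorized key (all values made up here).
write_sample_cfg() {
    cat > "$1" <<'EOF'
users.status=enabled
users.1.status=enabled
users.1.name=ubnt
users.2.status=enabled
users.2.name=extra
sshd.auth.key.1.status=enabled
sshd.auth.key.1.value=ssh-rsa AAAAB3NzaC1yc2E-constructed-sample-key
EOF
}

# Stand-alone demo on the constructed sample (no device needed).
sample=$(mktemp)
write_sample_cfg "$sample"
audit_cfg "$sample" "ubnt" || echo "-> review system.cfg before trusting this radio"
list_rc_scripts /etc/persistent || echo "-> custom scripts present; remove if unused"
rm -f "$sample"
```

On a radio, run it as `audit_cfg /tmp/system.cfg "ubnt"` and `list_rc_scripts /etc/persistent`; a non-zero return from either is the cue to follow the manual removal steps above and then change the password.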
Firmware:
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XW.v5.6.5.29033.160515.2108.bin
For users running the Verizon fix firmware on XM-based devices:
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XM.v5.6.5-cpu400.29033.160515.2119.bin
For suggested best security practices, please see Securing airOS.