An official response to Worm exploit of un-patched AirOS devices. 

Source http://community.ubnt.com/t5/blogs/blogarticleprintpage/blog-id/Blog_airMAX/article-id/363



UBNT-James

Important Security Notice and airOS 5.6.5 Release

by Ubiquiti Employee UBNT-James 2 weeks ago - last edited a week ago

 HI Everyone,

 

There have been several reports of infected airOS M devices over the last week.  From the samples we have seen, there are 2 different payloads that uses the same exploit.  We have confirmed these variations are using a known exploit that was reported and fixed last year.

 

This is an HTTP/HTTPS exploit that doesn't require authentication.  Simply having a radio on outdated firmware and having it's http/https interface exposed to the Internet is enough to get infected.  We are also recommending restricting all access to management interfaces via firewall filtering.

 

Devices running the following firmware are OK, but we recommend updating to 5.6.5 unless using legitimate rc. scripts.  Users using legitimate rc.scripts should run 5.6.4 for the time being.  

 

airMAX M (Including airRouter)

  • 5.5.11 XM/TI
  • 5.5.10u2 XM
  • 5.6.2+ XM/XW/TI

 AirMAX AC

  • 7.1.3+

airOS 802.11G

  • 4.0.4

 ToughSwitch

  • 1.3.2

 airGateway

  • 1.1.5+

 airFiber 

  • AF24/AF24HD 2.2.1+ 
  • AF5x 3.0.2.1+
  • AF5 2.2.1+

 

 

Removal tool.

 

CureMalware-0.8.jar  (Please download via browser.)

 

Updated CureMalware to v0.8.

 

0.7 -> 0.8

 

Update:
* force device reboot after cure action
* check and remove the same set of files if infected
* extend files to be checked for infection
* use the same user and password as current connection to be stored to config
* remove unused content before upgrade to have enough space for upgrade

 

This tool requires Java and will run on OSX/Linux and Windows.  It will search for and remove both variants we have seen, and their baggage.  It has the option to upgrade firmware to 5.6.5.  Beware that 5.6.5 removes _all_ rc.scripts and the ability to use them.  Please use check and cure only if you are using legitimate rc.scripts.

 

NOTE: This tool will only automatically updated airOS M devices.

 

Usage:

 

java -jar CureMalware-0.8.jar

 

Example:

C:\Users\ubnt\Downloads>java -jar CureMalware-0.7.jar
Skynet/PimPamPum/ExploitIM malware removal tool v0.7 for Ubiquiti devices

Copyright 2006-2016, Ubiquiti Networks, Inc. <[email protected]>

This program is proprietary software; you can not redistribute it and/or modify
it without signed agreement with Ubiquiti Networks, Inc.
Possible formats for IP(s):
IP <192.168.1.1>
IP list <192.168.1.1, 192.168.1.2>
IP range <192.168.1.1-192.168.1.254>
Enter IP(s): 192.168.1.31
Possible actions:
Check [1]
Check and Cure [2]
Check, Cure and Update [3]
Enter action <1|2|3>: 3
Enter ssh port [22]:
Enter user name [ubnt]: ubnt
Reuse password <y|n>[y]: y
Processing [email protected]:22 ...
Password for [email protected]:
Checking...
CRITICAL: Infected by exploitim
WARNING: User Script(s) is(are) installed:
/etc/persistent/rc.poststart
Review/remove manually!
Done.
Cleaning...
Done.
IT IS STRONGLY RECOMMENDED TO CHANGE PASSWORD ON CURED DEVICE!
IT IS STRONGLY RECOMMENDED TO RUN CURED+UPDATE PROCEDURE!
Preparing Upgrade...
Done.
Uploading firmware: /firmwares/XM.bin ...
Sending... [%100]
Done.
Upgrading...
Current ver: 329220
New version: 329221
No need to fix.
Writing 'u-boot         ' to /dev/mtd0(u-boot         ) ...  [%100]
Writing 'kernel         ' to /dev/mtd2(kernel         ) ...  [%100]
Writing 'rootfs         ' to /dev/mtd3(rootfs         ) ...  [%100]
Done.

 

Manual Removal:

 

 

Make sure there is no unknown users and ssh keys in system.cfg:

grep -E "users|sshd.auth.key" /tmp/system.cfg
 
We recommend removing all custom scripts is you are not using them:
rm -fr /etc/persistent/rc.* /etc/persistent/profile
 
Then 
cfgmtd -w -p /etc/; reboot -f
 
If you also are not using ssh key authentication then it is recommended to clean persistent:
cfgmtd -w; reboot -f

 

 

Firmware:


We are releasing 5.6.5 with the following changes.

 

  •  New: Disable custom scripts usage
  •  New: Enable syslog by default
  •  Fix: Security updates (malware scripts check and removal)

 

http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XW.v5.6.5.29033.160515.2108.bin
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XM.v5.6.5.29033.160515.2119.bin
http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/TI.v5.6.5.29033.160515.2058.bin

 

For users running Verizon fix firmware on XM based devices.

http://www.ubnt.com/downloads/XN-fw-internal/v5.6.5/XM.v5.6.5-cpu400.29033.160515.2119.bin

 

For suggested best security practices, please see Securing airOS.