Number: AL16-010
Date: 20 May 2016
Purpose
The purpose of this alert is to bring attention to a disclosed vulnerability in Ubiquiti airOS devices that is being actively exploited.
Assessment
CCIRC is aware of attacks exploiting a critical vulnerability in Ubiquiti airOS. A patch addressing this vulnerability was released by Ubiquiti in 2015.
Exploitation requires unauthenticated access to a vulnerable airOS device's HTTP/HTTPS web interface (generally enabled by default). Devices with this web interface accessible from the internet are especially susceptible to exploitation; however, it appears that exploited devices are also able to compromise other vulnerable devices within the same network.
Exploitation of this vulnerability could allow an attacker to gain root privileges on a device.
Affected products:
airMAX M (including airRouter)
airMAX AC
airOS 802.11G
ToughSwitch
airGateway
airFiber
Suggested action
Due to the potential risk presented by this vulnerability, CCIRC recommends that system administrators scan their infrastructure for potentially vulnerable systems and follow the vendor recommendations outlined in their Security Notice.
References
Symantec article:
http://www.symantec.com/connect/blogs/thousands-ubiquiti-airos-routers-hit-worm-attacks
Ubiquiti Notice:
http://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949