Alert - Active Exploitation of Vulnerability in Ubiquiti airOS Devices

Number: AL16-010
Date: 20 May 2016

Purpose

The purpose of this alert is to bring attention to a disclosed vulnerability in Ubiquiti airOS devices that is being actively exploited.

Assessment

CCIRC is aware of attacks exploiting a critical vulnerability in Ubiquiti airOS.  A patch addressing this vulnerability was released by Ubiquiti in 2015.

Unauthenticated access to a vulnerable airOS device's HTTP/HTTPS web interface (generally enabled by default) is required for exploitation. Devices with this web interface accessible from the internet are especially susceptible to exploitation; however, it appears that exploited devices are able to compromise other vulnerable devices within the same network.

Exploitation of this vulnerability could allow an attacker to gain root privileges on the device.

Affected products:
airMAX M (including airRouter)
airMAX AC
airOS 802.11G
ToughSwitch
airGateway
airFiber

Suggested action

Due to the potential risk presented by this vulnerability, CCIRC recommends that system administrators scan their infrastructure for potentially vulnerable systems and follow the vendor recommendations outlined in their Security Notice.

References

Symantec article:
http://www.symantec.com/connect/blogs/thousands-ubiquiti-airos-routers-hit-worm-attacks

Ubiquiti Notice:
http://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949
