Malware, Patch/Configuration Management, Vulnerability Management

Ubiquiti warns of worm using known exploit on outdated AirOS firmware


A worm that made its way into Ubiquiti Networks equipment through outdated AirOS firmware has wreaked havoc on ISPs and others in the U.S. Brazil, Argentina and Spain that use the Ubiquiti networking platform, according to an “urgent” warning posted by the company on a user forum.

“From the samples we have seen there are 2 different payloads that uses [sic] the same exploit,” the company wrote. “We have confirmed these variations are using a known exploit that was reported and fixed last year.”

Symantec Security Response noted in a blog that the malware is not doing anything nefarious, but the malicious phase of the attack may be just down the road.

"So far this malware doesn't seem to perform any other activities beyond creating a back door account, blocking access to the device, and spreading to other routers. It's likely that the attackers behind this campaign may be spreading the worm for the sheer challenge of it. It could also be evidence of an early, exploratory phase of a larger operation," the blog stated.

The http/https exploit does not require authentication so devices can be infected simply if a radio is on outdated firmware and its http/https interface is exposed to the internet. The company urged “restricting all access to management interfaces via firewall filtering.” The warning also recommended “updating to 5.6.5 unless using legitimate rc. scripts,” in which case 5.6.4 should be run “for the time being.”

Release 5.6.5 disables custom scripts usage, enables syslog by default and offers security updates for malware scripts check and removal.

“Enterprises have a well established relationship with their vendors and are generally alerted quickly of updates to the products used in their environment. On the consumer side, that relationship is generally non-existent.  Few consumer products are built to install updates automatically,” Travis Smith, senior security research engineer at Tripwire, said in comments emailed to “Unless the end-user registered their product when it was purchased, the vendor doesn't have a clear path to alert the user of known vulnerabilities. Out of sight, out of mind.”

Consumers don't typically “bother going back…to check for updates,” Smith said. “Even when vendors are responsible and provide updates quickly, the consumer also has the responsibility to make sure we install the updates when available.”

Updated to include Symantec blog quote.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.