Active Exploitation of Vulnerability in Ubiquiti airOS Devices

Number: AL16-010
Date: 20 May 2016

Purpose

The purpose of this alert is to bring attention to a disclosed vulnerability in Ubiquiti airOS devices that is being actively exploited.

Assessment

CCIRC is aware of attacks exploiting a critical vulnerability in Ubiquiti airOS.  A patch addressing this vulnerability was released by Ubiquiti in 2015.

Exploitation requires unauthenticated access to a vulnerable airOS device's HTTP/HTTPS web interface, which is generally enabled by default. Devices with this web interface accessible from the internet are especially susceptible to exploitation; however, it appears that exploited devices are able to compromise other vulnerable devices within the same network.

Exploitation of this vulnerability could allow an attacker to gain root privileges on a device.

Affected products:
airMAX M (including airRouter)
airMAX AC
airOS 802.11G
ToughSwitch
airGateway
airFiber

Suggested action

Due to the potential risk presented by this vulnerability, CCIRC recommends that system administrators scan their infrastructure for potentially vulnerable systems and follow the vendor recommendations outlined in the Ubiquiti Security Notice.
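
One way to prioritize the results of such a scan, as an added example that is not part of the CCIRC alert or the Ubiquiti notice: it ranks unpatched devices by the two conditions in the Assessment, a web interface reachable from the internet and a shared network with such a device. The inventory field names, the sample devices and the fixed-version placeholders are assumptions made for illustration.

```python
import ipaddress
import re

# Product families listed under "Affected products" in this alert.
AFFECTED = {"airMAX M", "airMAX AC", "airOS 802.11G",
            "ToughSwitch", "airGateway", "airFiber"}
# Constructed placeholders, NOT real fixed versions: take the per-family
# values from the Ubiquiti Security Notice before using this on real data.
FIXED_PLACEHOLDER = {family: (1, 0, 0) for family in AFFECTED}

# Constructed sample inventory (hypothetical names, field names and networks).
FIELDS = ("name", "family", "firmware", "network", "web_ui_from_internet")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("ap-roof", "airMAX M", "v0.9.2", "10.20.0.0/24", True),
    ("ap-yard", "airMAX AC", "0.8.0", "10.20.0.0/24", False),
    ("sw-lab", "ToughSwitch", "0.9.9", "10.30.0.0/24", False),
    ("gw-office", "airGateway", "1.0.0", "10.20.0.0/24", True),
]]

def parse_version(text):
    """'v5.6.2-beta' -> (5, 6, 2); unparseable strings sort lowest."""
    m = re.match(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else (0,)

def is_unpatched(dev, fixed):
    if dev["family"] not in AFFECTED:
        return False
    target = fixed.get(dev["family"])
    # Unknown fixed version fails closed: treat the device as unpatched.
    return target is None or parse_version(dev["firmware"]) < target

def triage(inventory, fixed):
    """Map device name -> 'exposed' | 'lateral' | 'unpatched' | 'ok'."""
    vuln = [d for d in inventory if is_unpatched(d, fixed)]
    hot = {ipaddress.ip_network(d["network"])
           for d in vuln if d["web_ui_from_internet"]}
    tiers = {d["name"]: "ok" for d in inventory}
    for d in vuln:
        if d["web_ui_from_internet"]:
            tiers[d["name"]] = "exposed"    # web UI reachable from the internet
        elif ipaddress.ip_network(d["network"]) in hot:
            tiers[d["name"]] = "lateral"    # shares a network with an exposed device
        else:
            tiers[d["name"]] = "unpatched"
    return tiers

if __name__ == "__main__":
    print(triage(SAMPLE, FIXED_PLACEHOLDER))
```

Devices in the "lateral" tier have no internet-facing web interface but sit on the same network as one that does, which matches the alert's observation that exploited devices can compromise other vulnerable devices within the same network.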

References

Symantec article:
http://www.symantec.com/connect/blogs/thousands-ubiquiti-airos-routers-hit-worm-attacks

Ubiquiti Notice:
http://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
