Jim Troutman, Consultant and Director of NNENIX, disclosed on Twitter that attackers are remotely exploiting Ubiquiti networking devices exposed via UDP port 10001.
“Heads up! Ubiquiti networks devices are being remotely exploited, via port 10001 discovery service. Results in loss of device management, also being used as a weak UDP DDoS amplification attack: 56 bytes in, 206 bytes out,” Troutman tweeted.
Devices exploited via UDP port 10001
Rapid7's security team investigated and found that the issue has been active since last summer and has impacted over 485,000 Ubiquiti devices. Ubiquiti Networks acknowledged the issue and is working on a fix.
Jon Hart, a senior security researcher at Rapid7, explained that attackers are exploiting a ‘discovery service’ running on port 10001, which Ubiquiti Networks included in its devices so that the company and internet service providers (ISPs) can use it to find Ubiquiti equipment on the internet and in closed networks.
“The amplification factor is 30-35x but does not appear to suffer from multi-packet responses, at least with what is known today. With such a large quantity of potentially vulnerable devices exposed, a DoS harnessing the available bandwidth and power of these systems could be used to conduct an attack in excess of 1Tbps, which is a crippling amount of traffic to all but the most fortified infrastructure,” Hart explained in the blog.
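A defensive check for the exposure described above, as an added example that is not from Rapid7 or the original article: it scans flow records for your own devices answering external hosts on UDP 10001 and flags likely reflection abuse. The record layout, address ranges and thresholds (`min_ratio`, `min_peers`) are assumptions.

```python
import ipaddress
from collections import defaultdict

DISCOVERY_PORT = 10001  # UDP discovery port named in the article

# Constructed flow records (src, sport, dst, dport, proto, bytes); the
# 56/206 byte sizes mirror the figures quoted in the tweet above.
SAMPLE_FLOWS = [
    ("203.0.113.5", 40001, "192.0.2.10", 10001, "udp", 56),
    ("192.0.2.10", 10001, "203.0.113.5", 40001, "udp", 206),
    ("203.0.113.6", 40002, "192.0.2.10", 10001, "udp", 56),
    ("192.0.2.10", 10001, "203.0.113.6", 40002, "udp", 206),
    ("203.0.113.7", 40003, "192.0.2.10", 10001, "udp", 56),
    ("192.0.2.10", 10001, "203.0.113.7", 40003, "udp", 206),
    ("203.0.113.8", 40004, "192.0.2.10", 10001, "udp", 56),
    ("192.0.2.10", 10001, "203.0.113.8", 40004, "udp", 206),
    ("198.51.100.9", 50000, "192.0.2.20", 10001, "udp", 56),
    ("192.0.2.20", 10001, "198.51.100.9", 50000, "udp", 206),
    ("198.51.100.9", 50001, "192.0.2.30", 10001, "udp", 56),  # filtered, no reply
    ("192.0.2.40", 50002, "192.0.2.10", 10001, "udp", 56),    # internal, ignored
    ("198.51.100.9", 50003, "192.0.2.10", 10001, "tcp", 60),  # not UDP, ignored
]

def find_exposed(flows, own_nets, min_ratio=2.0, min_peers=3):
    """Return {device_ip: stats} for own devices that answered external hosts on UDP 10001."""
    nets = [ipaddress.ip_network(n) for n in own_nets]
    own = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    stats = defaultdict(lambda: {"in": 0, "out": 0, "peers": set()})
    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == DISCOVERY_PORT and own(dst) and not own(src):    # external request
            stats[dst]["in"] += nbytes
            stats[dst]["peers"].add(src)
        elif sport == DISCOVERY_PORT and own(src) and not own(dst):  # reply leaving the network
            stats[src]["out"] += nbytes
    report = {}
    for dev, s in stats.items():
        if s["in"] == 0 or s["out"] == 0:
            continue  # no external request seen, or the device never replied
        ratio = round(s["out"] / s["in"], 2)
        report[dev] = {"ratio": ratio, "peers": len(s["peers"]), "bytes_out": s["out"],
                       # many distinct requesters plus amplified replies suggests spoofed sources
                       "likely_reflector": ratio >= min_ratio and len(s["peers"]) >= min_peers}
    return report

if __name__ == "__main__":
    for dev, info in sorted(find_exposed(SAMPLE_FLOWS, ["192.0.2.0/24"]).items()):
        print(dev, info)
```

Every device in the report is reachable on the discovery port from outside and is a candidate for filtering UDP 10001 at the network edge.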
Majority of the devices were located in Brazil
Researchers conducted an internet scan using Rapid7’s Sonar project and detected almost 485,000 devices accessible on UDP port 10001. Most of the devices were located in Brazil, followed by the US, Spain, and other countries.
A majority of the exposed Ubiquiti devices are NanoStation (172,000), AirGrid (131,000), LiteBeam (43,000), PowerBeam (40,000), and NanoBeam (21,000) products. Of the 485,000 devices accessible on UDP port 10001, 17,000 have already been defaced, implying that these devices are most likely running outdated firmware.
The Rapid7 research team has reported these findings to Ubiquiti and has notified US-CERT (VU#993645) and CERT Brazil.