A security researcher warned that internet-facing Ubiquiti devices are potentially exposed to future cyber attacks. Rapid7 confirmed in a blog post that attackers could exploit the devices' services over port 10001/UDP and use the devices to launch future DDoS attacks.
Ubiquiti is known for making wireless data communication products for enterprise and wireless broadband providers.
The researcher, Jim Troutman, tweeted about the vulnerability last week:
“Heads up! Ubiquiti networks devices are being remotely exploited, via port 10001 discovery service. Results in loss of device management, also being used as a weak UDP DDoS amplification attack: 56 bytes in, 206 bytes out.”
The UDP service is used for multiple tasks, such as service discovery of Ubiquiti devices in a managed environment. Unfortunately, the UDP protocol is vulnerable to amplification attacks, which US-CERT and others have warned about going back to 2014.
After being informed of the threat, Rapid7 performed some additional research and discovered nearly 500K unique devices with port 10001/UDP open. A subset of these are already being exploited.
“It seems that attackers have already identified additional problems with these devices and have exploited over 17,000 of them, as evinced by the defaced hostnames,” Rapid7 noted in the blog post.
Rapid7 recommended affected organizations audit their devices for external exposure and restrict/control access to the service as needed (e.g., firewall, ACL rules) or disable the affected service altogether.
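One way to carry out the audit recommended above, as an added example that is not from Rapid7 or the original article: a script that reads flow records and flags internal devices that answered 10001/UDP traffic from outside the network, along with the observed bytes-out to bytes-in ratio. The CSV flow format, the `audit` function and the internal network range are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

DISCOVERY_PORT = 10001  # discovery service port named in the article
# Assumption: the address space that counts as "inside" for this audit.
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed flow records (not real traffic): src,sport,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
203.0.113.50,40000,192.168.1.20,10001,udp,56
192.168.1.20,10001,203.0.113.50,40000,udp,206
192.168.1.10,51000,192.168.1.20,10001,udp,56
192.168.1.20,10001,192.168.1.10,51000,udp,206
198.51.100.7,53000,192.168.1.30,10001,udp,56
192.168.1.30,53,198.51.100.7,5353,udp,120
"""

def audit(flow_text, internal_nets=INTERNAL_NETS):
    """Return {device_ip: (status, amplification_ratio)} for 10001/UDP exposure."""
    def internal(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in internal_nets)

    stats = defaultdict(lambda: {"in": 0, "out": 0})
    for line in flow_text.strip().splitlines():
        src, sport, dst, dport, proto, nbytes = line.split(",")
        if proto != "udp":
            continue
        # Request from outside to an internal device's discovery port.
        if int(dport) == DISCOVERY_PORT and internal(dst) and not internal(src):
            stats[dst]["in"] += int(nbytes)
        # Reply from an internal device's discovery port to an outside peer.
        elif int(sport) == DISCOVERY_PORT and internal(src) and not internal(dst):
            stats[src]["out"] += int(nbytes)

    report = {}
    for device, s in stats.items():
        if s["out"]:  # the device answered an external peer: service is reachable
            ratio = round(s["out"] / s["in"], 2) if s["in"] else None
            report[device] = ("EXPOSED", ratio)
        else:         # traffic arrived but nothing left: filtered or disabled
            report[device] = ("probed, no reply", None)
    return report

if __name__ == "__main__":
    for device, (status, ratio) in sorted(audit(SAMPLE_FLOWS).items()):
        print(device, status, ratio)
```

Devices reported as exposed are the ones to place behind a firewall or ACL rule, or to have the service disabled on; purely internal discovery traffic is ignored.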