#VU17373 DDoS attack in Ubiquiti Networks products

Cybersecurity Help s.r.o.

Published: 2019-02-05 | Updated: 2019-02-06

Vulnerability identifier: #VU17373

Vulnerability risk: High

CVSSv4.0: 8.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: N/A

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PowerBeam
Hardware solutions / Firmware
LiteBeam
Hardware solutions / Firmware
AirGrid
Hardware solutions / Firmware
NanoStation
Hardware solutions / Firmware

Vendor: Ubiquiti Networks

Description
The vulnerability allows a remote attacker to conduct DDoS attack.

The weakness exists due to a flaw in a "discovery service" running on port 10001/UDP. A remote attacker can send small packets of 56 bytes to port 10001/UDP on Ubiquiti devices, which are reflecting and relaying the packets to a target's IP address amplified to a size of 206 bytes (amplification factor of 3.67).

Note: the vulnerability has been actively exploited since July 2018.

Mitigation
The vendor has released a workaround, and is in the process of putting together an official fix.
https://community.ubnt.com/t5/EdgeRouter/UDP-broadcasts-on-port-10001/td-p/461223

Vulnerable software versions

PowerBeam: All versions

LiteBeam: All versions

AirGrid: All versions

NanoStation: All versions

External links
https://twitter.com/troutman/status/1090212243197870081
https://blog.rapid7.com/2019/02/01/ubiquiti-discovery-service-exposures/
https://www.us-cert.gov/ncas/alerts/TA14-017A

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.

Latest bulletins with this vulnerability

DDoS attack in Ubiquiti devices