Possible Ubiquiti vulnerability
February 6, 2019 at 11:25 am #30455 Participant Tippon @tippon
@ricedg I just saw this on Google news and thought you might want to know, just in case.
February 6, 2019 at 2:45 pm #30462
Thanks for that Tippon. I don’t open Port 10001 as I have no wish for my APs to be discoverable by the public.
The article intimates that this is somehow enabled by Ubiquiti, which it isn't; it cannot control your firewall. The mind boggles as to why so many organisations decided it was a good idea to open this port; it absolutely is not required to manage these devices remotely.
February 6, 2019 at 5:17 pm #30467 Participant blacklion1725 @blacklion1725 Forumite Points: 3,338
Cheers both – got one serving my garden – have no port forwarding at all on my router except 21/22 for FTP (to the router itself) – assuming I don't need to do anything as I have never opened that port? Ta.
February 6, 2019 at 8:11 pm #30484
No need to do anything. I still can't understand why people have done it. Probably just read a list of the ports used and slavishly opened them all.
February 6, 2019 at 8:30 pm #30487 Participant The Duke @sgb101 Forumite Points: 11,408
I've never used a Ubiquiti router/setup, but isn't the whole point that it's managed in the cloud and then updated? So you have no need to personally manage the hardware?
Just asking out of curiosity. I was going to go all fancy when my Asus gave up the ghost, but instead just went to Currys and got a TP-Link job that's better than the Asus it replaced. A quick and straight replacement, and I got rid of the white BT FTTC modem thing.
What are them FTTC modem things called? Had it about 5 years and never knew. Always referred to it as the BT white box.
February 6, 2019 at 9:37 pm #30491 Participant blacklion1725 @blacklion1725 Forumite Points: 3,338
Duke, they are Wireless Access Points rather than routers. They can be cloud or locally managed. I have to say after some teething troubles they are the mutt's nuts. Panic over in any case.
February 7, 2019 at 9:12 am #30505
Let me explain a bit how they work.
At setup the AP (or other bit of kit) is told the local IP address or HTTP URL of its controller. After that it then contacts the controller, but in the case of a Cloud controller, as it's behind a NAT router, the outgoing port will be random (the router decides). So you don't open any ports on the local router. The Cloud controller needs to have certain inbound ports open on its local router which it listens to. Remember Port Forwarding sends traffic to a specific local IP address and not onto the local network.
When you are setting up you can SSH to the AP (it's Linux) and tell it the controller's address, or the controller can discover the AP. It does this via port 10001. Now the controller has no local interface whatsoever (it's off in the Cloud, how could it?); you access it via a web browser. So when I'm setting up an AP I am inside my own network on my laptop and the controller is in the cloud. I can discover APs local to me via my browser client. My browser client then sends the controller's URL to the AP and off they go. Once the AP has been set up it can be moved anywhere in the world and just needs internet access to talk to the controller. No outbound ports required.
So why open up port 10001? The only thing would be to discover an AP on another network and it could only be a single AP that you already know the IP address of (that’s how Port Forwarding works). Makes no sense.
To me it shows just how much IT security is in the hands of people without the necessary skills. It is absolutely not the fault of Ubiquiti that these ports are open. However I’m sure they’ll be working on the vulnerability to protect the idiots that do.
To sum up. If you buy an AP from Broadbandbuyer and have them set it up on their (free for 3 years) cloud controller there is no risk. If you buy one and have your own local controller, there is no risk. If you manage APs on behalf of others via a Cloud controller, don't open Port 10001 on the customer's network, you muppet. In fact just leave their router alone.
February 7, 2019 at 11:39 am #30509 Participant Ed P @edps Forumite Points: 15,611
Dave, if you put a new local device on any Wi-Fi network it needs an open port to perform its initiation, get passwords etc. Is that port 10001? It is normally reserved for SCP configuration, which I guess includes new devices.
Incidentally this thread implies the Ubiquiti may not be totally water-white.
February 7, 2019 at 12:16 pm #30513
Ed, it’s all happening inside the same subnet, routers are not involved. As it’s Linux I’m guessing SCP is involved somewhere.
The thread you posted is for an ERL, which is an EdgeMax Router. It’s trying to discover local devices in the same local subnet(s) attached to it. You would not open a port in your external firewall to allow it to do this.
The same thing happens with my controller client on the browser, it sends out a local broadcast on 10001. Auto discovery can be turned off but as it’s all local why would you?
The vulnerability is all about people who have opened a port to allow incoming traffic on 10001 on a public facing router.
EDIT: the EdgeMax router uses the same URL method to talk to its controller. The same controller is used to manage all "UniFi" devices, which include switches etc. You get an overview of what's happening and management of an entire site, and a controller can manage multiple sites (that's down to the hardware specs). I manage 20+ sites and 30+ devices from a 1 CPU, 1 GB RAM, 25 GB HDD, $5 a month cloud server and it's not breaking a sweat.
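As an added illustration (not code from this thread, from Ubiquiti, or from any UniFi tool), the following Python audit puts the two points made in the explanations above into practice: a port forward for UDP 10001 delivers traffic to exactly one LAN host, and the only traffic that should ever reach that port is a broadcast from the local subnet, so any UDP/10001 packet arriving on the WAN interface from outside the LAN is a sign the port has been exposed. The rule syntax, the netfilter-style log lines, the interface names, the addresses and the 192.168.1.0/24 subnet are all constructed assumptions.

```python
"""Audit a router for exposure of the UniFi discovery port (UDP 10001).
Added example; rule syntax, log format and addresses are constructed."""
import ipaddress
from typing import List, NamedTuple

DISCOVERY_PORT = 10001  # UniFi discovery: normally a local-subnet broadcast

class ForwardRule(NamedTuple):
    proto: str
    wan_port: int
    lan_ip: str   # a forward delivers to ONE host, never "the network"
    lan_port: int

def parse_rules(text: str) -> List[ForwardRule]:
    """Parse constructed lines such as 'udp 10001 -> 192.168.1.20:10001'."""
    rules = []
    for line in text.strip().splitlines():
        proto, wan_port, _, target = line.split()
        lan_ip, lan_port = target.split(":")
        rules.append(ForwardRule(proto.lower(), int(wan_port), lan_ip, int(lan_port)))
    return rules

def exposed_discovery_rules(rules: List[ForwardRule]) -> List[ForwardRule]:
    """Forwards that let the internet reach UDP 10001 on a single LAN host."""
    return [r for r in rules if r.proto == "udp" and r.wan_port == DISCOVERY_PORT]

def external_discovery_hits(log_lines, lan_subnet: str, wan_iface: str = "eth0") -> List[str]:
    """Source IPs of UDP/10001 packets seen on the WAN interface from outside the
    LAN (netfilter-style KEY=VALUE lines); local broadcasts are not reported."""
    lan = ipaddress.ip_network(lan_subnet)
    hits = []
    for line in log_lines:
        f = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if f.get("IN") != wan_iface or f.get("PROTO") != "UDP":
            continue
        if int(f.get("DPT", 0)) != DISCOVERY_PORT:
            continue
        src = f.get("SRC", "")
        if src and ipaddress.ip_address(src) not in lan:
            hits.append(src)
    return hits

# Constructed sample data: two forwards and three firewall log lines.
SAMPLE_RULES = "tcp 22 -> 192.168.1.1:22\nudp 10001 -> 192.168.1.20:10001\n"
SAMPLE_LOG = [
    "Feb  6 20:11:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=UDP SPT=54321 DPT=10001",
    "Feb  6 20:11:05 gw kernel: IN=br0 OUT= SRC=192.168.1.50 DST=255.255.255.255 PROTO=UDP SPT=10001 DPT=10001",
    "Feb  6 20:11:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=40000 DPT=22",
]
```

On the sample data the rule audit flags the single forward to 192.168.1.20, and the log check reports only 203.0.113.5; the LAN broadcast on br0 is left alone because that is what discovery is supposed to look like.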