#Ubiquiti device discovery tool. mac#
This showed 498,624 unique IPv4s with port 10001/UDP open, 487,021 unique IPv4s confirmed to be speaking this discovery protocol, and 486,388 unique physical devices based on MAC address tuples found in the responses. In order to understand more about this issue and inform fellow defenders in the information security community, we performed a Sonar study of port 10001/UDP, where we collected and analyzed the responses by parsing out the distinct fields returned in UDP payload. It is unclear what other capabilities exist in this service, but it would not be surprising if there were other management capabilities baked in or nearby. With such a large quantity of potentially vulnerable devices exposed, a DoS harnessing the available bandwidth and power of these systems could be used to conduct an attack in excess of 1Tbps, which is a crippling amount of traffic to all but the most fortified infrastructure.
The amplification factor is 30-35x but does not appear to suffer from multi-packet responses, at least with what is known today. At least this portion of the protocol is quite simple, requiring a simple 4-byte message that elicits a large response including the name, model, firmware version, IPs, MACs, and sometimes the ESSID if it is a wireless device of some manner. Research has learned that this service is used for a variety of things, including device discovery to facilitate easily locating of Ubiquiti devices in a managed environment. Ubiquiti recently acknowledged that this was an issue, has released a workaround, and is in the process of putting together an official fix. Quick sleuthing by the security community showed that this issue has been brewing since the summer of 2018.
29, the Rapid7 Labs team was informed of an interesting tweet by Jim Troutman indicating that Ubiquiti devices were being exploited and used to conduct denial-of-service (DoS) attacks using a service on 10001/UDP. Last updated at Thu, 14:21:28 GMT Introduction
0 kommentar(er)
