
Openly accessible Ubiquiti Device Discovery services

Ubiquiti network devices come with a 'Device Discovery' service which is enabled by default and listens on port 10001/udp.

Problem

Ubiquiti Device Discovery services openly accessible from the Internet disclose potentially sensitive information about the network device running the service and can be abused to perform DDoS reflection/amplification attacks against third parties.

Verification

In this section, we show how to check a host for an openly accessible service. All tests are performed using tools commonly included with standard Linux/Unix distributions. To verify the service is openly accessible from the Internet, the test should not be run on the host itself or the local network but instead from a different node on the Internet, for example a host on a cable/DSL line. In all examples, replace 192.168.45.67 with the IP address of the host to check.

To check if a Ubiquiti Device Discovery service is openly accessible from the Internet, you can use 'netcat' as follows:

$ echo -ne "\x01\x00\x00\x00" | netcat -u 192.168.45.67 10001 | hexdump -C

An openly accessible Device Discovery service will return information like this:

00000000  01 00 00 8e 02 00 0a XX  XX XX XX XX XX 50 95 fb  |.......MACADR...|
00000010  67 02 00 0a 44 d9 e7 XX  XX XX c0 a8 37 01 01 00  |g...D.......7...|
00000020  06 44 d9 e7 XX XX XX 0a  00 04 00 28 f5 ca 0b 00  |.D.........(....|
00000030  0f XX XX XX XX XX XX XX  XX XX XX XX XX XX XX XX  |...DEVICE_NAME..|
00000040  0c 00 03 4c 4d 35 0d 00  XX XX XX XX XX XX XX XX  |...LM5....ESSID.|
00000050  0e 00 01 02 03 00 20 58  XX XX XX XX XX XX XX XX  |.......FIRMWARE.|
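As an added example (not part of the original advisory), the following Python code parses a response in the layout shown above, a 4-byte header followed by type/length/value records, and reports how many bytes come back per byte of the 4-byte probe, which is the amplification an open service offers. The field-type names are an assumption inferred from the annotated values in the hexdump, and the sample response is constructed for illustration, not captured from a device.

```python
import struct

# Added example, not from the original advisory. Parses a Device Discovery
# response of the shape shown in the hexdump above: a 4-byte header
# (version 0x01, command byte, 16-bit big-endian body length) followed by
# type/length/value records. The field-type names are an assumption
# inferred from the values the hexdump annotations reveal.
FIELD_NAMES = {0x01: "hwaddr", 0x02: "hwaddr_ipaddr", 0x03: "firmware", 0x0a: "uptime",
               0x0b: "hostname", 0x0c: "product", 0x0d: "essid", 0x0e: "wmode"}
PROBE = b"\x01\x00\x00\x00"  # the 4-byte request sent by the netcat command above


def build_sample_response() -> bytes:
    """Constructed sample response, not captured from a real device."""
    mac, ip = bytes.fromhex("0011223344aa"), bytes([192, 168, 55, 1])
    records = [(0x02, mac + ip), (0x01, mac), (0x0a, struct.pack(">I", 0x0028f5ca)),
               (0x0b, b"example-bridge"), (0x0c, b"LM5"), (0x0d, b"example-essid"),
               (0x0e, b"\x02"), (0x03, b"XW.example.v6.1.3")]
    body = b"".join(bytes([t]) + struct.pack(">H", len(v)) + v for t, v in records)
    return b"\x01\x00" + struct.pack(">H", len(body)) + body


def parse_response(data: bytes) -> dict:
    """Return the disclosed fields as a dict; stops at the declared body length."""
    if len(data) < 4 or data[0] != 0x01:
        raise ValueError("not a Device Discovery response")
    body = data[4:4 + struct.unpack(">H", data[2:4])[0]]
    fields, pos = {}, 0
    while pos + 3 <= len(body):
        ftype, flen = body[pos], struct.unpack(">H", body[pos + 1:pos + 3])[0]
        value = body[pos + 3:pos + 3 + flen]
        pos += 3 + flen
        name = FIELD_NAMES.get(ftype, f"type_0x{ftype:02x}")
        if ftype in (0x01, 0x02):
            fields[name] = ":".join(f"{b:02x}" for b in value[:6])
            if ftype == 0x02 and len(value) >= 10:  # MAC followed by IPv4 address
                fields["ipaddr"] = ".".join(str(b) for b in value[6:10])
        elif ftype == 0x0a and flen == 4:
            fields[name] = struct.unpack(">I", value)[0]  # uptime counter (assumed seconds)
        elif ftype in (0x03, 0x0b, 0x0c, 0x0d):
            fields[name] = value.decode("ascii", "replace")
        else:
            fields[name] = value.hex()
    return fields


def amplification_factor(response: bytes, probe: bytes = PROBE) -> float:
    """Bytes returned per byte sent: why an open service is a reflection risk."""
    return len(response) / len(probe)
```

Run `parse_response(build_sample_response())` to see which fields a device discloses; the declared length 0x8e in the hexdump above means a real response is well over thirty times the size of the probe.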

Solution

Disable the Device Discovery service if not required.
Otherwise, restrict access to trusted clients, for example by blocking incoming connections to port 10001/udp on the firewall.

Further information