Epmp hacked? unexplainable traffic/malware?

We have something spreading through our EPMP network and can’t seem to narrow down what it is.
We have UBNT devices as well that do not seem to be affected at this time.

Somehow the traffic seems to be redirecting on the client devices on the other side of the router, all traffic is being redirected. They disconnect from the network, cellular network works fine.
Any website they browse to redirects them to 4 or 5 different pages, for example dussbn.lightexercisbroad.xyz.
We have been resetting the radios and it seems to fix it for a day or so and then it happens again.
We’ve upgraded firmware, changed passwords, and the radio seems to still be redirecting traffic.
We’ve confirmed there are different routers on the client side, so wouldn’t think it’s the client router.
Common variable seems to be EPMP radios.
Has anyone seen this or have any explanation as to why or how this is happening?
Thoughts?

Thanks in advance,

Ryo


Sounds like this - which Cambium hasn’t commented on yet that I can see


Nope, seems to be 1000s or 180s.
Well figured out why the radios are doing it, just havent figured out how.
They are updating the client side dns setting.
Changing the password doesn’t seem to help, so something is changing the radios another way?

What about the snmp string?
I thought that was read only, can something change a setting through default settings without a password?

Thanks,
Ryo

Going through our radios there seems to be a lot that have been hit with whatever this is.
Does anyone know what variable or macros are available to change the ‘DHCP DNS IP address’ setting through cnMaestro via a template?
I can start changing them one by one, but would much rather apply a template because from the looks of it, it will just happen again.
Thanks in advance for the assistance,
Ryo

It’d be good to get some comment from Cambium - this is a pretty critical situation.
I’m not sure who to tag exactly?
@Fedor @Chinmay_K @Simon_King

So, perhaps we all ‘just’ need to push a template to everything via cnMaestro to either change the installer password, or to disable the installer account then? I mean, it should already be – but in case there are virgin ones out there, that probably would mitigate it?

Here’s a ‘how to’ to create and push a template to change passwords via cnMaestro:


On my first test, that example from Cambium seems to have reset the radio back to some default info (such as its device name), and caused a reboot in the process. So, that might not be the best instructions (or maybe I did it incorrectly?)


Wow, good catch brubble1.
The installer account is enabled and default password…
LOL, well that’s just kinda terrible, I’m surprised it took someone this long to hack it.
Dang…

So I don’t have to manually go in and disable every installer account on hundreds of radios, does anyone know how to do that with cnMaestro?
I guess I need to modify the client DNS settings and disable the installer account.
Any idea?

I saw the template to change the password, I guess I should at least do that like yesterday.
I’m surprised no one else has seen this, unless everyone already knew to change that password or disable that account. I guess I missed that memo… :frowning:
Thanks for the feedback,
Ryo

To create a new template that you can push out to devices onboarded into cnMaestro, first create a template:

Press the “Add Template” button on the right hand side, here’s an example:

You’ll want to use the following JSON script to disable all accounts other than the admin account:

{
	"device_props": {
		"cambiumSysAccountsTable": [{
				"cambiumSysAccountsName": "installer",
				"cambiumSysAccountsHash": "!$1$yHIXrXnB$tr\/Na771wSO4\/dv8yCvmU\/",
				"cambiumSysAccountsUID": "2000",
				"cambiumSysAccountsGID": "100",
				"cambiumSysAccountsDir": "\/tmp",
				"cambiumSysAccountsShell": "\/bin\/false"
			},
			{
				"cambiumSysAccountsName": "home",
				"cambiumSysAccountsHash": "!$1$\/Bv9wvkq$5lBZqqsoAJj4uYOhb7pOS0",
				"cambiumSysAccountsUID": "3000",
				"cambiumSysAccountsGID": "100",
				"cambiumSysAccountsDir": "\/tmp",
				"cambiumSysAccountsShell": "\/bin\/false"
			},
			{
				"cambiumSysAccountsName": "readonly",
				"cambiumSysAccountsHash": "!$1$zn4\/PlCl$1qP9PGmPChDwkDAgp5Qgw0",
				"cambiumSysAccountsUID": "4000",
				"cambiumSysAccountsGID": "100",
				"cambiumSysAccountsDir": "\/tmp",
				"cambiumSysAccountsShell": "\/bin\/false"
			},
			{
				"cambiumSysAccountsName": "dashboard",
				"cambiumSysAccountsHash": "$1$Y9oz6eRg$ysokBk9VZCGo4AN6WQgVF0",
				"cambiumSysAccountsUID": "5000",
				"cambiumSysAccountsGID": "100",
				"cambiumSysAccountsDir": "\/tmp",
				"cambiumSysAccountsShell": "\/bin\/false"
			}
		]
	}
}

After you’ve made the template, you can then push it out to ePMP radios (both AP and SM) that are onboarded and communicating with cnMaestro. Click on ‘Monitor and Manage’, then select the ‘System’ network entry, then click the ‘Configuration’ tab near the top middle of the console. Set the device type to ePMP, and then select the newly created template. Then select the ePMP radios you’d like to push the change out to:

Scroll to the bottom then you can apply the changes now or schedule them to be applied later:


This has been tested with e1k/e3k radios on 4.6.2… but it should work with all of them. UPDATE! For some reason it seems as though it can cause some APs to reboot. I have not had this script reboot any SMs yet.


Well I think I’ve figured it out.
I’ve applied it to a few devices and I think it’s doing what it’s supposed to be doing.
Here is the gist:

{
  "device_props": {
    "networkBridgeDNSIPAddrPrimary": "8.8.8.8",
    "networkBridgeDNSIPAddrSecondary": "208.67.222.222",
    "networkLanDNSIPAddrPrimary": "8.8.8.8",
    "networkLanDNSIPAddrSecondary": "208.67.222.222",
    "cambiumSysAccountsTable": [
      {
        "cambiumSysAccountsName":    "admin",
        "cambiumSysAccountsHash":    "insert-hash-here",
        "cambiumSysAccountsUID":     "1000",
        "cambiumSysAccountsGID":     "4",
        "cambiumSysAccountsDir":     "\/tmp",
        "cambiumSysAccountsShell":   "\/usr\/bin\/clish"
      },
      {
        "cambiumSysAccountsName":    "installer",
        "cambiumSysAccountsHash":    "insert-hash-here",
        "cambiumSysAccountsUID":     "2000",
        "cambiumSysAccountsGID":     "100",
        "cambiumSysAccountsDir":     "\/tmp",
        "cambiumSysAccountsShell":   "\/bin\/false"
      },
      {
        "cambiumSysAccountsName":    "home",
        "cambiumSysAccountsHash":    "insert-hash-here",
        "cambiumSysAccountsUID":     "3000",
        "cambiumSysAccountsGID":     "100",
        "cambiumSysAccountsDir":     "\/tmp",
        "cambiumSysAccountsShell":   "\/bin\/false"
      },
      {
        "cambiumSysAccountsName":    "readonly",
        "cambiumSysAccountsHash":    "insert-hash-here",
        "cambiumSysAccountsUID":     "4000",
        "cambiumSysAccountsGID":     "100",
        "cambiumSysAccountsDir":     "\/tmp",
        "cambiumSysAccountsShell":   "\/bin\/false"
      }
    ]
  }
}

Looks like they also changed the network bridge DNS, so I updated that as well.
I tried to figure out how to disable all of the accounts except the admin, but don’t see anything that changes when I toggle the setting in the config. That would be my preference, but hopefully just changing the password for now will block the issue at hand.
Fingers crossed, hopefully this works.
Thanks,
Ryo

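The two templates above are hand-edited per fleet. As an added example (not code from the thread or from Cambium), the script below does the two things the posts describe in a repeatable way: it audits an exported `device_props` object for the symptoms reported here (rewritten DNS servers, non-admin accounts that are still enabled) and it generates a cnMaestro template that resets the resolvers and locks every account except `admin`. The key names and the expected DNS values are copied from the templates in the thread; the sample radio config, its placeholder hashes and the 203.0.113.5 "rogue resolver" are constructed for the example. It assumes, as in /etc/shadow, that a hash prefixed with `!` can never match a password, which is how the thread's templates disable installer/home/readonly. Unlike Eric's template it also locks `dashboard` if present; adjust `KEEP_ENABLED` if you need that account.

```python
import json

# Expected resolver settings, copied from the template posted in the thread.
EXPECTED_DNS = {
    "networkBridgeDNSIPAddrPrimary": "8.8.8.8",
    "networkBridgeDNSIPAddrSecondary": "208.67.222.222",
    "networkLanDNSIPAddrPrimary": "8.8.8.8",
    "networkLanDNSIPAddrSecondary": "208.67.222.222",
}

# Only these accounts stay usable; every other entry in the table gets locked.
KEEP_ENABLED = {"admin"}


def is_locked(account):
    # Assumption: shadow-style convention, '!' in front of the hash disables the login.
    return account.get("cambiumSysAccountsHash", "").startswith("!")


def audit(device_props):
    """Return findings describing why this radio looks tampered with or unhardened."""
    findings = []
    for key, expected in EXPECTED_DNS.items():
        actual = device_props.get(key)
        if actual != expected:
            findings.append(f"{key}: expected {expected}, found {actual}")
    for acct in device_props.get("cambiumSysAccountsTable", []):
        name = acct.get("cambiumSysAccountsName")
        if name in KEEP_ENABLED:
            continue
        if not is_locked(acct):
            findings.append(f"account {name!r} is not locked")
        shell = acct.get("cambiumSysAccountsShell")
        if shell != "/bin/false":
            findings.append(f"account {name!r} has login shell {shell}")
    return findings


def build_template(device_props, admin_hash):
    """Build a cnMaestro template that resets DNS and locks all accounts but admin.

    admin_hash is the hash of the new admin password (e.g. read back from one
    radio after changing it in the web UI). Other accounts keep their current
    hash, prefixed with '!' so the password can no longer be used, and get
    /bin/false as their shell."""
    props = dict(EXPECTED_DNS)
    table = []
    for acct in device_props.get("cambiumSysAccountsTable", []):
        entry = dict(acct)
        if entry.get("cambiumSysAccountsName") in KEEP_ENABLED:
            entry["cambiumSysAccountsHash"] = admin_hash
        else:
            current = entry.get("cambiumSysAccountsHash", "")
            if not current.startswith("!"):
                entry["cambiumSysAccountsHash"] = "!" + current
            entry["cambiumSysAccountsShell"] = "/bin/false"
        table.append(entry)
    props["cambiumSysAccountsTable"] = table
    return {"device_props": props}


# Constructed sample: DNS rewritten to a rogue resolver (203.0.113.5 is a
# documentation address) and the installer account still live with a shell.
# Hash values are placeholders, not real ePMP hashes.
TAMPERED = {
    "networkBridgeDNSIPAddrPrimary": "203.0.113.5",
    "networkBridgeDNSIPAddrSecondary": "208.67.222.222",
    "networkLanDNSIPAddrPrimary": "203.0.113.5",
    "networkLanDNSIPAddrSecondary": "208.67.222.222",
    "cambiumSysAccountsTable": [
        {"cambiumSysAccountsName": "admin", "cambiumSysAccountsHash": "$1$placeholder$admin",
         "cambiumSysAccountsUID": "1000", "cambiumSysAccountsGID": "4",
         "cambiumSysAccountsDir": "/tmp", "cambiumSysAccountsShell": "/usr/bin/clish"},
        {"cambiumSysAccountsName": "installer", "cambiumSysAccountsHash": "$1$placeholder$inst",
         "cambiumSysAccountsUID": "2000", "cambiumSysAccountsGID": "100",
         "cambiumSysAccountsDir": "/tmp", "cambiumSysAccountsShell": "/usr/bin/clish"},
        {"cambiumSysAccountsName": "readonly", "cambiumSysAccountsHash": "!$1$placeholder$ro",
         "cambiumSysAccountsUID": "4000", "cambiumSysAccountsGID": "100",
         "cambiumSysAccountsDir": "/tmp", "cambiumSysAccountsShell": "/bin/false"},
    ],
}

if __name__ == "__main__":
    for finding in audit(TAMPERED):
        print("FINDING:", finding)
    hardened = build_template(TAMPERED, "$1$placeholder$newadmin")
    print(json.dumps(hardened, indent=2))
    print("findings after hardening:", audit(hardened["device_props"]))
```

Run `audit()` over the config of every onboarded radio before pushing anything, so you have a list of which units were touched, and push the generated template to one SM first: the thread reports that templates of this shape rebooted some APs and in one case reset the device name.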

Oh, just saw your post Eric…
If that works for disabling the accounts I’ll try that also.
Thanks,
Ryo

So this is not actually a hack, but rather a default installer password allowing the settings on the SM to be changed? As a basic rule I disable everything except admin login on my SMs. If using cnPilot R-Series then change the password for useradmin and user to prevent users from being able to see network config on our side.

Re the template, I’d love to be able to just push a manual config change to devices. Setting up a template and sync’ing things is too much of a commitment for me now :joy:

NOTICE
Cambium Networks acknowledges the persistence of the issue with unauthorized configuration changes. Primarily DNS settings are affected, but other settings can be affected too.

The issue can be observed with all firmware versions.

Presumably the attack is performed via default user passwords and snmp communities.
Workaround: change all default passwords and snmp communities.

We are grateful for all your feedback! Investigation is in progress.



Can someone tell me how to prevent this issue before it is too late? Do we need to disable something or change something in each CPE?

All you need to do is what has been already mentioned.


Hi Eric, I have never activated SNMP or used that option, do I still need to change something?

SNMP is enabled by default on ePMP and can’t be disabled. You’ll need to change the default SNMP communities to something different, ideally something randomized and difficult to guess for each radio. You’ll also need to ensure that any default accounts are disabled or again, change the default password.


