Zero-Day on cnPilot report (AIRASHI Botnet / DDoS)

Greivin_Montero · January 25, 2025, 12:44am

Hi,

What models are afected? Is the cnMaestro affected too? What are the official reccomendations to check and prevent this?

Explotación de Vulnerabilidad Zero-Day en Routers cnPilot para desplegar el Botnet AIRASHI de DDoS

KumarK · January 25, 2025, 1:04am

Please refer to this page for security updates:

maxwire · January 28, 2025, 8:37pm

does the recomendation to update firmare patch this vulnerability? the document is unclear, it seems more like the current only solution is to disable remote access

TrevorM · January 28, 2025, 9:43pm

You’re correct. The recommendation is to disable access to the UI over the Internet.

Springs · February 5, 2025, 2:11pm

You mean access to the webserver on the APs, right?

TrevorM · February 5, 2025, 9:02pm

Yes, disable the ‘Remote web access’ setting.

maxwire · February 17, 2025, 3:03pm

is restrict by IP non functioning again?

maxwire · March 4, 2025, 4:32pm

Can we get clarification on this? We have ACL listed on ours. We assume that we are impacted, disabling remote access is not really a management option for us, and the ACL should eliminate this issue all together.
We have been seeing issues where customers complain about performance issues, our NMS shows the devices online, but they are no longer connected to CNMaestro
Out workaround is to log in, manually update the firmware, which restores CnMaestro access, we then push our template back out for good measure.

What specifically are they doing in these routers? or is this not a smptom of the exploit?

We currently have something like 180 190/195s showing offline in maestro and the test batch all required this resolution.

maxwire · March 24, 2025, 4:14am

any update on this?
We are still seeing some suspect behavior
Routers go offline in cnmaestro
When we get into them the ntp has not updated so the maestro certificate fails
forcing an ntp update allows them to connect to cnmaestro

Is there a patch?

Disabling remote access really isnt an option if we lose access to the devices by maestro, completely defeats the purpose of using cambium routers

Are the ACLs not working?

How are they bypassing the ACLs, is there a workaround that doesnt involve disabling remote access?

Note this is 2 months later

Robert_Saunders · April 1, 2025, 8:17pm

we have this applied and it seems to have fixed the exploits we were seeing. we had missed the snmp disable flag and that allowed for takeover to occur. I don’t know if it was the same exploit but that was where ours was at.

BasicPass=[your encrypted loginpass]
BasicUser=User
DBID_LAN_LOGIN_ONLY=0
DBID_NORMAL_WEB_PASSWORD=[your encrypted pass]
DBID_SUPER_WEB_PASSWORD=[your encrypted pass]
NormalUser=Normal
SNMPEnable=0
SNMPGetCommunity=[your encrypted snmp string]
SNMPPlatformComp=0
SNMPSetCommunity=[your encrypted snmp string for write]
SNMPTrapCommunity=DNU
TZ=your time zone
WebRemoteLegalIP=your allowed IP list
mwanConnectionMode=DHCP
SSH_SERVER_LOCAL_ENABLE=0
AutoChannelSelect=1
RTDEV_AutoChannelSelect=1

maxwire · April 9, 2025, 6:17pm

im pretty irritated that Cambium is being sly about this. It seems that having an ACL does not do anything and that having snmp disabled does not do anything if the community stings are still default