Netonix Exploit?

DOWNLOAD THE LATEST FIRMWARE HERE
User avatar
mhoppes
Associate
Associate
 
Posts: 664
Joined: Thu Apr 10, 2014 9:14 pm
Location: Pennsylvania
Has thanked: 10 times
Been thanked: 125 times

Netonix Exploit?

Tue Sep 10, 2019 9:14 am

Are there any known Exploits on Netonix?

I just logged into one and found these processes running:

2875 admin 196 R ./Demon.mpsl
3294 admin 196 S ./Demon.mpsl
3379 admin 196 S ./badbox
4038 admin 188 S ./loligang.mpsl
4039 admin 188 S ./loligang.mpsl
4041 admin 472 R ./loligang.mpsl
4043 admin 472 R ./loligang.mpsl

User avatar
rockhead
Experienced Member
 
Posts: 119
Joined: Mon Aug 04, 2014 7:09 pm
Has thanked: 53 times
Been thanked: 35 times

Re: Netonix Exploit?

Tue Sep 10, 2019 10:07 am

What firmware version ?

User avatar
mhoppes
Associate
Associate
 
Posts: 664
Joined: Thu Apr 10, 2014 9:14 pm
Location: Pennsylvania
Has thanked: 10 times
Been thanked: 125 times

Re: Netonix Exploit?

Tue Sep 10, 2019 10:54 am

1.5.0

User avatar
mhoppes
Associate
Associate
 
Posts: 664
Joined: Thu Apr 10, 2014 9:14 pm
Location: Pennsylvania
Has thanked: 10 times
Been thanked: 125 times

Re: Netonix Exploit?

Tue Sep 10, 2019 9:06 pm

Do files loaded into the file system through scp survive reboot? Would be nice to get a reply to this considering the security implications. I found these processes sending about 20 megabits of traffic to Russia.

User avatar
sirhc
Employee
Employee
 
Posts: 7416
Joined: Tue Apr 08, 2014 3:48 pm
Location: Lancaster, PA
Has thanked: 1608 times
Been thanked: 1325 times

Re: Netonix Exploit?

Tue Sep 10, 2019 9:23 pm

Not aware of any current security holes, last hole was a vulnerability in the web service we use but was patched, but:

Your using v1.5.0 which is 15 months old, we are on v1.5.4 or v1.5.5rcX

Also I would never have my switches on a public IP and if I did for some strange reason I would use the access control list, that is what the access control list is for.

https://forum.netonix.com/viewtopic.php?f=17&t=5610&p=30090&hilit=+firmware+security#p30090

No one else has reported a hack as of yet, I can ask Stephen and Eric to check if there is new hack for any of the services like web or SSH as they are open source packages we do not write them.

But as I said I would never put infrastructure on a routable IP and if I had to I would use the Access Control list to lock it down and that was improved in I think v1.5.1 - Fixed UI bug in Access Control List
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.

User avatar
sirhc
Employee
Employee
 
Posts: 7416
Joined: Tue Apr 08, 2014 3:48 pm
Location: Lancaster, PA
Has thanked: 1608 times
Been thanked: 1325 times

Re: Netonix Exploit?

Tue Sep 10, 2019 9:36 pm

mhoppes wrote:Do files loaded into the file system through scp survive reboot? Would be nice to get a reply to this considering the security implications. I found these processes sending about 20 megabits of traffic to Russia.


To clear uploaded scripts you need to factory default it.

Why is your switch even routable to the world?
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.

User avatar
mhoppes
Associate
Associate
 
Posts: 664
Joined: Thu Apr 10, 2014 9:14 pm
Location: Pennsylvania
Has thanked: 10 times
Been thanked: 125 times

Re: Netonix Exploit?

Tue Sep 10, 2019 10:06 pm

So I take that back. It’s on 1.5.4.

It’s a special case - not my network.

Working slowly on getting things squared away. But yes, it’s on a public IP with a complex password.

User avatar
sirhc
Employee
Employee
 
Posts: 7416
Joined: Tue Apr 08, 2014 3:48 pm
Location: Lancaster, PA
Has thanked: 1608 times
Been thanked: 1325 times

Re: Netonix Exploit?

Wed Sep 11, 2019 8:25 am

mhoppes wrote:So I take that back. It’s on 1.5.4.

It’s a special case - not my network.

Working slowly on getting things squared away. But yes, it’s on a public IP with a complex password.


So if it is behind a NAT with a port mapping then you need to setup an access list on the router as the switch Access Control list will always see the NAT router as the source IP.

If it has a valid direct rout-able IP address you can simply use the built in Access Control List.

The programmers are coming up here for a week soon so I will have them look for any patches to any open source packages we uses like web and SSH and have them compiled in the next release.
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.

User avatar
mhoppes
Associate
Associate
 
Posts: 664
Joined: Thu Apr 10, 2014 9:14 pm
Location: Pennsylvania
Has thanked: 10 times
Been thanked: 125 times

Re: Netonix Exploit?

Wed Sep 11, 2019 8:34 am

I understand about the access list -- but that doesn't change the fact that I found rouge code on this unit.

User avatar
sirhc
Employee
Employee
 
Posts: 7416
Joined: Tue Apr 08, 2014 3:48 pm
Location: Lancaster, PA
Has thanked: 1608 times
Been thanked: 1325 times

Re: Netonix Exploit?

Wed Sep 11, 2019 10:30 am

mhoppes wrote:I understand about the access list -- but that doesn't change the fact that I found rouge code on this unit.


Matt at this point we have no idea if this is an exploit or not.

I told you how to clear the scripts (factory default unit - may need to do power on factory default) and that you should apply an access control list to prevent future hacks, which is the best I can do for now.

What is known:
- So far you are the first and only one to report this since the last exploit was patched.

- You have the unit accessible from the web without an access control list which is a big no no in my opinion for WISP's but still we should always try to make sure they are as secure as possible.

Possibilities:
- They hacked your password.
- One of your computers that access the switch has malware that gave them the IP and password of your switch.
- Their is another exploit to one of the modules we use such as the web service or SSH.

We have said we will look for any known exploits to the services we use in the firmware and if there is and there is a new patch we will release a new code with the new modules compiled in as soon as possible like last time.

So in the past year I have seen security exploits to UBNT gear and Cisco, it happens. The best a manufacturer can do is patch them when they are discovered and reported. UBNT and Cisco are BILLION dollar companies and it happens to them. As well as banks, Amazon, and so on. Are we supposed to be better and never have exploits? Not to mention at this point we are not sure what happened, or if it is an exploit to a package we did not write but simply use in our firmware build.


What would you like us to do that is differnt than I said we would do?
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.

Next
Return to Hardware and software issues

Who is online

Users browsing this forum: No registered users and 41 guests