mjp66 / Ubiquiti


Ubiquiti Device Discovery Vulnerability #36

Closed mjd1791 closed 5 years ago

mjd1791 commented 5 years ago

Hi Mike - Thanks for all of your efforts in creating this guide. It has been very helpful and instructive. The Ubiquiti Device Discovery Service has been much in the news as of late as a potential vulnerability. According to the Ubiquiti posting regarding this service, they state that "The EdgeRouter will not be discoverable by WAN clients if firewall policies from the Basic Setup wizard are applied." (https://help.ubnt.com/hc/en-us/articles/204976244-EdgeRouter-Ubiquiti-Device-Discovery). Am I correct in assuming that since we have applied the basic firewall policies on the WAN interface, this is not a vulnerability concern for us? It is unclear from the news coverage that this is primarily a user misconfiguration issue. Perhaps adding some comments in the guide regarding this would be helpful. Thanks again for your time and efforts on this project.

mjp66 commented 5 years ago

Thanks, I also interpret that we do NOT have a vulnerability, and had drafted this up an evening or two ago:

1. Ubnt Discovery

Recently, the Ubnt Discovery service has shown up in an EdgeRouter Community posting: https://community.ubnt.com/t5/EdgeRouter/EdgeOS-responds-to-udp-10001-probes-even-if-service-ubnt/td-p/1886105

“The default WAN firewall policies added by the Basic Setup wizard will block all probes to UDP/TCP port 10001 and will prevent the EdgeRouter from being discoverable on the WAN.” Per https://help.ubnt.com/hc/en-us/articles/204976244

If you still want to disable this service, the following may help you:

- [UBNT-discover] - Add CLI command to disable "ubnt-discovery" daemon, thus ER will stop responding to discovery messages on 10001 UDP port. (set service ubnt-discover-server disable). Reference https://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeRouter-software-release-v1-10-0/ba-p/2233263
- [Discovery] - UBNT discovery daemon can be configured to listen to TCP discovery requests (by default it listens to UDP only). This feature can be enabled with "set service ubnt-discover-server protocol tcp_udp" CLI command. https://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMAX-EdgeRouter-software-release-v1-10-7/ba-p/2513718
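The two defensive layers described in the thread, an explicit WAN_LOCAL drop for port 10001 in addition to the wizard's default-drop policy, plus disabling the discovery daemon, as a single EdgeOS configuration session. This is an added example, not part of the guide or of Ubiquiti's documentation; it assumes the Basic Setup wizard's WAN_LOCAL ruleset already exists, that rule number 5 is free, and that the firmware is v1.10.0 or later (where `ubnt-discover-server disable` was introduced, per the release note quoted above).

```edgeos
configure

# Belt-and-braces: an explicit, logged drop for discovery probes arriving
# on the WAN interface, placed before the wizard's established/related rule
# so that a hit is recorded even though the ruleset's default action is drop.
# Rule number 5 is an assumption; pick any unused number below the wizard's rules.
set firewall name WAN_LOCAL rule 5 action drop
set firewall name WAN_LOCAL rule 5 description 'Drop Ubiquiti discovery probes (UDP/TCP 10001) from WAN'
set firewall name WAN_LOCAL rule 5 protocol tcp_udp
set firewall name WAN_LOCAL rule 5 destination port 10001
set firewall name WAN_LOCAL rule 5 log enable

# Stop the discovery daemon answering on any interface (v1.10.0+ command
# cited in the thread above). Omit this line if you rely on LAN-side discovery
# from the UNIFI/UNMS tools, and keep only the firewall rule.
set service ubnt-discover-server disable

commit
save
exit

# Verification in operational mode: confirm both settings are active,
# then watch the rule's counters to see whether anything from the WAN is hitting it.
show configuration commands | match 'ubnt-discover|10001'
show firewall name WAN_LOCAL statistics
```

The firewall rule is the part that matters for exposure: the wizard's WAN_LOCAL ruleset already drops unsolicited traffic by default, so the explicit rule changes nothing about reachability, but `log enable` turns discovery probes into visible log lines, which is the cheap way to confirm from the router itself that the WAN policy is actually in force on the interface you expect. Disabling the daemon is the stronger step, since it removes the listener regardless of which interfaces the firewall policies are bound to.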