Orange Pi 5 Ubuntu Jammy Server vulnerability

Published on 2023-5-22 22:57:39
This post was last edited by bulgaru at 2023-5-22 22:59

Hello, everyone!

I wanted to let you know of a serious vulnerability when it comes to Ubuntu Jammy Server on OPi 5 (don't know if it applies to other models / OSes / builds).

The attack vector is currently unknown, but the penetration of the system is immediate with root access to the attacker.

Symptoms:
  • presence of "tamkjll" file/folder in root directory
  • presence of "data" folder in root directory, containing UFO.apk within
  • folders named "arm", "x86", etc in the root directory
  • loss of ssh access
  • overheating CPU

Troubleshooting steps:
  • changed the default root password - NO EFFECT
  • disabled password ssh access - NO EFFECT
  • exposed ssh with a different port - NO EFFECT
  • closed all ports except 22, 80, 443, and a couple technical ones - SUCCESS

Preliminary conclusions:
It seems that the attacker exploits a zero-day vulnerability by attacking one of the exposed ports. After gaining root access, the attacker downloads malicious code that hijacks the device. Seems to be related to Mirai Botnet, according to my research. The Ubuntu distro needs to be audited for exposed ports that allow the attacker to gain root access. It seems to happen regardless of the root password currently used, which begs the question of how on earth the attacker is capable of running the code with sudo privileges.

Steps to reproduce:
  • install Ubuntu Server from OPi website
  • change root password, disable ssh password access
  • expose the device to the web

My main concern is that the distro provided via the OPi website is vulnerable out of the box. Given that it's a Server distro, it can create a sense of false security when it comes to using it with the devices exposed to the web. Moreover, there may be plenty of infected devices out there already, that are present in the attacker's database and they will be hijacked regardless of whether they reset and reinstall their system.

Any help would be very much welcome!
You can buy me a beer at https://www.paypal.me/bsensus
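
An added example, not part of the original post: a POSIX shell script that checks a filesystem root for the artifacts listed under Symptoms and flags network-reachable listeners outside a port allowlist, mirroring the post's port-closing step. The function names, the allowlist argument and the sample `ss` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage helper for the symptoms and port audit described in the post.

# Print any of the post's listed artifacts found under the given root directory.
check_indicators() {
    root="${1%/}"
    for p in tamkjll data/UFO.apk arm x86; do
        [ -e "$root/$p" ] && printf '%s\n' "$root/$p"
    done
    return 0
}

# Read `ss -H -tuln` output on stdin; print listeners reachable from the network
# whose port is not in the allowlist ($1, space-separated).
# Assumes the Netid column is present (it is when both -t and -u are requested).
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            port = $5; sub(/.*:/, "", port)        # text after the last colon
            addr = $5; sub(/:[^:]*$/, "", addr)    # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (!(port in ok)) print $1, $5
        }'
}

# Constructed sample of `ss -H -tuln` output (not captured from an affected board).
sample_ss_output() {
    cat <<'EOF'
udp UNCONN 0 0    127.0.0.53%lo:53   0.0.0.0:*
tcp LISTEN 0 128  0.0.0.0:22         0.0.0.0:*
tcp LISTEN 0 128  0.0.0.0:8081       0.0.0.0:*
tcp LISTEN 0 128  [::]:22            [::]:*
tcp LISTEN 0 511  *:80               *:*
tcp LISTEN 0 4096 [::1]:6010         [::]:*
udp UNCONN 0 0    0.0.0.0:111        0.0.0.0:*
EOF
}

echo "Artifacts under /:"
check_indicators /
echo "Listeners outside allowlist (sample input):"
sample_ss_output | unexpected_listeners "22 80 443"
# On a live system: ss -H -tuln | unexpected_listeners "22 80 443"
```

An empty result from `check_indicators` only means those specific names are absent; it does not show the system is clean.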