Netonix Forums

THIS THREAD IS CLOSED AS v1.5.17 IS RELEASED - 11/14/2014

FIXED/CHANGED
- reduced attack surface on webserver - rc1
- upgrade failure on very old WS models. - rc1
- openssl upgraded - rc2
- lighttpd upgraded - rc2
- several packages patched for openssl upgrade -rc2
- frontend files now served with gzip'd encoding - rc2

ENHANCEMENTS

KNOWN ISSUES
- WEB UI issues when not at 100% Zoom on browser especially on VLAN TAB
- Some language templates need help

Released 8/9/2024

Further Information

This release (rc1) attempts to alleviate effects from an exploited security hole that has been taken advantage on our switch's. Details here: viewtopic.php?f=17&t=8066

Please bare with us as this may not entirely patch the hole, we are still working on continued enhancements that will prevent future abuse. However, based on the majority of reported effects from this issue. Namely, the FBI page, along with the increased CPU and memory usage on the switch causing packet loss - should be prevented with this release.

If you're suffering from this attack, please stay tuned here as more update's are planned as we continue to tighten our grip on the situation.

Also, feedback about your experience's with this version will help us continue the effort.

RC2 Upgrade

RC2 has an upgraded variant of openssl and lighttpd that should dramatically reduce the vulnerability of the switch. As it turns out, this version of openssl is much larger than the original and required many patches on different packages to make it all work. As a result, the frontend file's are now all served compressed, so you may need to clear the cache in your browser for the webui after upgrading. We also suggest that you bench test this version before upgrading switch's in the field just to be safe.
However, despite our effort's to make the switch as secure as possible. We suggest avoiding exposing the webui to the web at large either with Access Controls or by isolating your management vlan - if at all possible.

Installed on my very old Board rev B after getting jiggy with the commandline since obviously the "upgrade failure on very old WS models" fix only applies after it is installed. I had to get jiggy with it each time to go from .12 to .14 and .16 as well.
I assume going forward, rc2 will install without needing to get jiggy with it.

EDIT:
One thing I noticed is this also fixed where the SFP cage now shows correctly for port 24. I have a cable in the RJ45 port 24 and on .16 the SFP cage showed as green whereas now it shows empty with an X.

Yeah, going forward you shouldn't have to do any trick's to upgrade that model again.

For RC1, also note the index.html file can return but it is inert. As Stephen said this alleviates the symptoms and prevents THIS hack from running but not from being put there but if the file put there it will be ignored.

This release also will not prevent AVAST antivirus from refusing to load the login screen as we shill have not upgraded lighttpd far enough. AVAST is not detecting an infected site it simply refuses to talk to the current version of lightttpd as it has the vulnerability in it. You still have to either disable AVAST Web Scan under core or add the IP of the switch to the exception list.

We hope to have a better release soon that closes the vulnerability.

Stephen wrote: RC2 Upgrade

RC2 has an upgraded variant of openssl and lighttpd that should dramatically reduce the vulnerability of the switch. As it turns out, this version of openssl is much larger than the original and required many patches on different packages to make it all work. As a result, the frontend file's are now stored and compressed, so you may need to clear the cache in your browser for the webui after upgrading.

The page did not automatically reload after restarting so I opened it on a new tab and all was well. Also, Chrome no longer used the saved credentials and those needed to be manually re-entered.

EDIT: Also, the NTP time was correct on the status page but the last log entry was still showing Dec 31.

On initial boot up, it takes a bit for system time modification from ntp to be reflected in the logs. If you make a modification going forward. The logs should update to the correct time.
Here's a screenshot to show what I mean, I modified Port 3 just to show it updating the log with the correct time after ntp is set.

Stephen wrote:On initial boot up, it takes a bit for system time modification from ntp to be reflected in the logs. If you make a modification going forward. The logs should update to the correct time.

Yes, later when I updated a downstream switch, the port bounce in the log showed the correct date/time. On the older firmware, the end of the log file always showed the correct date/time. It was just an observation.

No problem with this firmware on a DC/IDC/AC units and a Rev B. board.

Is there a time frame to ship this as a final version?

Soon as we get some more "hey works fine" feedback will close rc and release v1.5.17

So hey people don't just speak up when broken let us know it's fine.

Loaded 1.5.17rc2 on a WS-8-150-AC Board Rev F in my test rig. This is the switch connected to my laptop and 7 other devices (which includes devices that communicate with each other providing a little traffic).

The MAC Table page in the web UI wasn't showing all of the MAC addresses that were shown when issuing a "show mac table" command in the web UI Device Console. At one point there were no addresses on the MAC Table page but were on the Console. Flushing and refreshing didn't change anything... and then the list on the MAC Table page magically started displaying again but still not matching the full list shown by the Console.

I rolled it back to 1.5.17rc1 and the MAC Table page and Console now show the same list consistently.