At the risk of exposing myself to yet another proper telling off, I'd like to share the following.
I got hit with the original FBI page on a single device. At the time it was on V .12 and, unknown to me, the management interface was exposed via a tenuous 443 port forward on a legacy router. It took me a while to locate the route for the exploit; in the meantime,
I took the upgrade path to .16 and then last week swapped the hardware to a new device with RC2 installed on the same internal net IP. I ignored the good advice to set up an access control list as I felt this would make management problematic in certain circumstances (yes, I was wrong).
3 days ago the new device became 'problematic' with the previous 'issues' fingerprints, i.e. ping drops, poor client performance at high loads, high CPU reported in the Status screen, sluggish GUI, internal processes restarting in the log, warm boot being reported. I thought it may be just a process failing with RC2, so I tried to reboot via the GUI, but the switch would not restart despite several attempts. I took the plunge and reinstalled the RC2 upgrade as I knew this would initiate a restart, and although it took over an hour to complete it did get there in the end: the upgrade restart took place and all became good.
This morning, while checking the specific switch, I see high CPU, log entries etc. again, get cheesed off and implement access control from the management PC only. The log entries stop at that point but the high CPU remains. Running a 'top' via PuTTY I see one process that restarts every 3 mins or so mopping up 75% of the CPU. I then go on an evangelist trail to locate the source of the external route and remove the reckless entry, closing the port forward hole to the switch GUI via 443.
[The switch is bumping along ATM, but after businesses close this evening I'm going to re-run the RC2 upgrade again to flush the switch. This time I'm hoping it will stay that way.] EDIT: I re-ran the RC2 upgrade, it completed normally and in a reasonable timeframe, and the switch seems to be stable.
The observations I would like to put forward are:
1) If exposed, the 'exploit' or a development of it appears to be still operational despite RC2, although it seems to work slightly differently (maybe RC2 blocks some of its mal-action).
2) You should not expose the GUI interface to the Internet in any way at any time. (Yes, I know...)
3) You should implement IP address access control on the switch as an immediate safeguard (the switch will even suggest the IP of the current station, making it easy).
let the beatings begin...
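The symptom the poster spotted in 'top' (one process that keeps restarting while eating most of the CPU) can be checked for automatically instead of by eye. The following is an added example and not code from the post or from the switch vendor: it parses a series of `ps -eo pid,pcpu,comm` style snapshots taken a minute or so apart and flags any command whose PID keeps changing while its CPU share stays high. The snapshot text, the `suspectd` name and the PIDs are constructed placeholders, and the script assumes you can collect such snapshots from the device (or from a host it is mirrored on); it does not assume any particular switch model.

```python
from collections import defaultdict

# Constructed sample snapshots in the shape of `ps -eo pid,pcpu,comm`, taken
# roughly a minute apart. "suspectd" and the PIDs are placeholders, not
# identifiers from the post. Note the PID of suspectd changing twice while
# its CPU share stays around 75%, which is the pattern the post describes.
SAMPLES = [
    "  PID %CPU COMMAND\n    1  0.1 init\n  812  1.5 httpd\n 2301 74.0 suspectd\n",
    "  PID %CPU COMMAND\n    1  0.1 init\n  812  1.2 httpd\n 2301 76.5 suspectd\n",
    "  PID %CPU COMMAND\n    1  0.1 init\n  812  1.0 httpd\n 2412 75.2 suspectd\n",
    "  PID %CPU COMMAND\n    1  0.1 init\n  812  1.4 httpd\n 2412 73.8 suspectd\n",
    "  PID %CPU COMMAND\n    1  0.1 init\n  812  1.1 httpd\n 2533 77.0 suspectd\n",
]


def parse_ps(text):
    """Return [(pid, cpu_percent, command)] from `ps -eo pid,pcpu,comm` output.

    Header and blank lines are skipped; the command column may contain spaces.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # header line or junk
        rows.append((int(parts[0]), float(parts[1]), parts[2].strip()))
    return rows


def find_restarting_hogs(samples, cpu_threshold=50.0, min_restarts=2):
    """Flag commands that restart repeatedly while staying CPU-hungry.

    For each snapshot, only the highest-CPU instance of each command name is
    kept, so multi-instance daemons (several httpd workers) do not produce
    false "restart" counts. A restart is counted whenever the PID seen for a
    command differs from the PID seen in the previous snapshot.
    Returns {command: {"restarts": n, "pids": [...], "avg_cpu": x}}.
    """
    history = defaultdict(list)  # command -> [(pid, cpu)] in snapshot order
    for text in samples:
        best = {}
        for pid, cpu, comm in parse_ps(text):
            if comm not in best or cpu > best[comm][1]:
                best[comm] = (pid, cpu)
        for comm, (pid, cpu) in best.items():
            history[comm].append((pid, cpu))

    findings = {}
    for comm, hist in history.items():
        pids = [pid for pid, _ in hist]
        restarts = sum(1 for a, b in zip(pids, pids[1:]) if a != b)
        avg_cpu = sum(cpu for _, cpu in hist) / len(hist)
        if restarts >= min_restarts and avg_cpu >= cpu_threshold:
            findings[comm] = {
                "restarts": restarts,
                "pids": sorted(set(pids)),
                "avg_cpu": round(avg_cpu, 1),
            }
    return findings


if __name__ == "__main__":
    for comm, info in find_restarting_hogs(SAMPLES).items():
        print(f"{comm}: restarted {info['restarts']}x across PIDs "
              f"{info['pids']}, avg CPU {info['avg_cpu']}%")
```

In practice you would feed it real snapshots collected with something like `for i in 1 2 3 4 5; do ps -eo pid,pcpu,comm; sleep 60; done` on a box that offers a POSIX shell; the thresholds are deliberately loose so that a legitimately busy but stable daemon (constant PID) never trips the check, while a respawning process only does so once its CPU share is also suspicious.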