It's Bugtober, with Adobe Flash crashes, numerous CVE vulnerability patches for Wi-Fi and routers, and an Intel SPI vulnerability patch for most Xeon D Supermicro SuperServers

Posted by Paul Braren on Oct 24 2017 (updated on Dec 12 2017) in

Sometimes a home lab can be kept operational for months with minimal maintenance. This month, many things happened that required more immediate attention. Maybe this month should have been called Bugtober instead of Blogtober, and it ain't even over yet! None of these took terribly long to fix, but all are good to know about.

In order of first discovery, here's a summary of what I had to do, and what I will be doing soon. If you have some/all of the same gear, perhaps you should too! Back up your stuff first, of course.

Supermicro SuperServer Xeon D

Oct 06 2017 - Intel SPI vulnerability CVE-2017-05701

Only a concern for internal attacks, so please don't make too much of this, and it's not likely an issue at all for typical home labs, see securityfocus.com/bid/101257. On October 23rd, I received confirmation from Supermicro that this SPI vulnerability also affected Xeon D, not just the Intel NUC, which were patched with new BIOS releases back on Oct 6. Not a problem for Bundle 1/2/3 owners and most Xeon D SuperServer owners, with BIOS 1.2c already fixing this vulnerability, see also the release notes that are dated 09/19/2017, but the download spotted on Oct 19.

Note, there is one Supermicro SuperServer Xeon D system that hasn't been patched, the SYS-E300-8D with the X10SDV-TP8F Flex ATX motherboard and the SFP+ version of the Intel X552/X557 10GbE. Unfortunately, the last BIOS update for that system was released way back in August of 2016. In hindsight, I'm thankful that I choose not to help create a bundle of that model.

Details on the BIOS upgrade procedures just published:

Supermicro Xeon D SuperServer BIOS 1.2c / IPMI 3.58 released

VMware vSphere 6.5 Update 1

Oct 09 2017 - Monitor for rare PSODs for upgraded 10GbE servers

esxi-6-5-host-fails-psod — Andrea Mauro at vInfrastructure Blog

kb.vmware.com/kb/2151749

I've not received any reports of PSODs from Xeon D owners at all, and quite possible that this issue doesn't apply to the now very common Intel X552/x557 10GbE that's baked right into the Xeon D. The rare Xeon D and Xeon E PSOD explained in KB 2146388 that some NSX users encountered about a year ago quickly surfaced via comments right on my site, and was fixed with a BIOS update. With 6.5U1 out since July and no PSODs reported to date, I'm fairly confident this isn't a priority for me to worry about, but I'll keep an eye out anyway.

Ubiquiti EdgeRouter Lite

Oct 02 2017 - Several critical CVEs discovered

2083744 — On Oct 02, tbyehl reports dnsmasq vulnerabilities, "Google dropped 7 CVEs on dnsmasq today, three with remote code execution."

Ubiquiti has moved to a much faster release cycle with their firmware updates this year, largely decoupling major feature releases from more frequent security-update-only releases. This is good. I'm that much more relieved that I've left consumer routers behind at this point, annoyed by their planned obsolescence through inevitable firmware neglect.

Here's the fix that took Ubiquiti only 9 days to create, and only about 10 minutes to apply to my ERLite-3.

v1.9.7+hotfix 4

Direct Download
ER-e100.v1.9.7+hotfix.4.5024004.tar
Changelog

Upgrade dnsmasq to 2.78 to fix multiple security vulnerabilities (CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496, CVE-2017-13704).
My upgrade of my ERLite-3 on Oct 24 was uneventful, using the same procedure demonstrated on video here. This update requires a router reboot, which interrupted internet access for my entire home's network for less than 5 minutes.

FYI, pfSense got their KRACK-patching 2.4.1 Release out on October 24th.

VMware vSphere Web Client

Oct 14 2017 - Adobe Flash Crashes discovered

After our Twitter conversation, William got this one documented very quickly:

“Shockwave Flash has crashed” workaround for vSphere Web (Flash) Client
Oct 15 2017 by William Lam at virtuallyGhetto

As for me, I'm not comfortable with back-leveling to vulnerable Flash versions, so I went ahead and fired up a fresh Windows 10 Version 1709 VM from my home lab's ready-to-roll template. I then installed 64 bit Chrome, then the beta Flash from here. This got me going again, and will help me get by until a proper Adobe Flash gets auto updated right in my Chrome, at which point all my handy "appified" Chrome vSphere shortcuts will simply resume working, with no more futzing around required. That's my hope anyway.

Oct 25 2017 Update - Fixed! Details below.

KRACK

Oct 16 2017 - Wi-Fi WPA2 vulnerability disclosed

Windows

The fixes were uneventful and pretty fast. Microsoft fixed all modern Windows versions a week before we even knew about KRACK. The "client" OS is where this Wi-Fi vulnerability is biggest. The fix came down via the usual automatic Windows Updates mechanism.

macOS

Some details in this Apple forum thread.

eero Wi-Fi

Next up Fixed on my home's eero Wi-Fi very easily, with a beta immediately made available, and the GA level code available to manually pull arriving within a couple of days. Easy.

iOS 11.1

Fixes in iOS 11.1 are available now in beta, and in GA form later this week.

Android

Some devices getting patches in early November, but according to The Verge:

Google has promised to deploy an Android patch in the coming weeks, but it may be some time before that patch will reach non-Pixel devices. Even if your router isn’t patched, patching the device should be enough to stop an attacker from getting in the middle.

EdgeRouter-and-eero-TinkerTry — EdgeRouter doing DHCP/DNS/Routing, eero only doing Wi-Fi using bridge mode, click to read article.

Oct 25 2017 Update

vSphere-Web-Client-broken-Flash-at-TinkerTry — Adobe Flash .170 doesn't like vSphere Web Client

Today, Chrome automatically updated to Flash update 27.0.0.183, which seemed to resolve this issue documented in VMware KB 2151945:

Shockwave Flash crashes with vSphere Web Client and vCloud Director (2151945)

where a system wide standalone Flash install of 27.0.0.183 or later is recommended. But what if you only use Chrome for vSphere sysadmin, don't care to enable Flash in other browsers, and don't wish to clutter Windows up with yet another auto-updater in Task Scheduler?

For most of my Windows 10 systems, no further action was required. The VMware vSphere Web Client suddenly just worked again, since the automatic Chrome updates had taken care of this Flash update to .183 too. But there was one system where I had to manually give its Chrome a gentle kick to do its component updating.

What about those auto-updaters in Task Scheduler? That won't work, since that's NPAPI, but it's your PPAPI that needs updating. Don't worry, updating your PPAPI is easy and doesn't hurt. This simple fix isn't a hack that could adversely affect other apps or system, it just updates Chrome's Flash. Here's the exact steps I followed:

Check-for-update-to-Adobe-Flash-Player-version-183-TinkerTry

Fix for vSphere Web Client

Open a new Chrome tab.
Copy-and-paste this special URL into the new Chrome tab:
```
chrome://components
```
Look for
Adobe Flash Player - Version 27.0.0.170
and click on the button labeled
Check for update
A few seconds later, it should say Version 27.0.0.183 (or later), and
Component updated
On your crashed vSphere Web Client window (sample screenshot above), click on Reload and tada, it works like it should (sample screenshot below), no Chrome restart required. Nice!

Sources - How to force Flash updates in Chrome by Martin Brinkmann at ghacks.net and “Shockwave Flash has crashed” workaround for vSphere Web (Flash) Client by William Lam at virtuallyGhetto.

Don't forget, this fragile reliance on Flash is going away, see:

Goodbye, vSphere Web Client!
Aug 25 2017 by Martin Yip at VMware vSphere Blog

Customers should start transitioning over to the vSphere Client if they have not already done so as the vSphere Web Client will no longer be available after the next vSphere release.

vSphere-Web-Client-fixed-Flash-at-TinkerTry — Adobe Flash .183 likes vSphere Client

Oct 26 2017 Update

Seeing eero's quick reaction to KRACK has been very reassuring. I can recall originally being somewhat skeptical about cloud management of my Wi-Fi’s firmware version. Over time, it's become apparent that eero’s management of firmware has some big advantages over relying on owners to have to do something, especially when they are critical, like the patch for KRACK.

Here's a bit of the behind-the-scenes by eero:

Move fast, break nothing
POSTED ON OCTOBER 25, 2017
How we protected 100% of our customers in less than a week
Oct 25 2017

On October 16th, cyber security researchers publicly disclosed a vulnerability named KRACK in the WPA2 security protocol, which encrypts all traffic between modern WiFi access points and client devices. That same day, eero’s internal security and engineering teams rolled a fix out to our beta customers. A day later, we began rolling out the security patch to all customers. As of October 22nd, less than a week after the KRACK disclosure, 100% of eeros had been updated to protect against the security vulnerability. That’s faster than most companies even released a patch, let alone actually updated their products. In fact, all eero networks were updated before some companies even acknowledged the vulnerability at all.

Oct 31 2017 Update

October wasn't done yet! Reaper: IoT botnet 'worse than Mirai' infects one million organisations worldwide was the gist of many headlines, but maybe you didn't see these two additional articles:

A New IoT Botnet Storm is Coming
Oct 19 2017 at Check Point Research
Key Points:
- A massive Botnet is forming to create a cyber-storm that could take down the internet.
- An estimated million organizations have already been scanned with an unknown amount actually infected.
- The Botnet is recruiting IoT devices such as IP Wireless Cameras to carry out the attack.
New cyber-storm clouds are gathering. Check Point Researchers have discovered a brand new Botnet, dubbed ‘IoTroop’, evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.

IoTroop Botnet: The Full Investigation
Oct 29 2017 by Check Point Research

Last week, thanks to the Check Point web sensor network, our researchers discovered a new and massive IoT Botnet, ‘IoTroop’. Due to the urgency of this discovery, we quickly published our initial findings in order to alert the cyber security community. Since then, we have had time to digest and dissect the propagating malware and share our findings with you.

Patrick Norton discusses Reaper IoT botnet at this spot in this recent podcast episode, as well as the first Check Point Research article above:
This Week in Computer Hardware (MP3): 438: AMD Ryzen Laptops and the 1070 Ti

Nov 18 2017 Update

VMware-KB2151749-PSOD-example-Intel-Xeon-D-1541-with-Intel-X552-X557-10GbE-cropped-2017-11-17--TinkerTry — VMware KB 2146388 PSOD example from Intel Xeon D 1541 with Intel X552/X557 10GbE networking active.

Remember above, where I wondered aloud if the Xeon D's embedded Intel X552/X557 10GbE might be affected by the PSOD warnings in kb.vmware.com/kb/2151749, optimistically hoping lack of any reports meant we might not need to worry? Well, that question got answered for me last night, as I kicked off a Windows Update on a Windows 10 1709 VM on my Intel Optane 900P's VMFS file system, and headed to bed, noticing it seemed a little slow. In the morning, noticed the ESXi server itself didn't respond to ping, so it was time to fire up Supermicro's embedded iKVM functionality to have a look see at the local console.

Dec 12 2017 Update

I removed the notion that my recent PSODs might be related to KB 2151749, instead it might be related to older KB 2146388, or NVMe drivers, see Dec 12 2017 Update here.