It's Bugtober, with Adobe Flash crashes, numerous CVE vulnerability patches for Wi-Fi and routers, and an Intel SPI vulnerability patch for most Xeon D Supermicro SuperServers

Posted by Paul Braren on Oct 24 2017 (updated on Nov 18 2017) in
  • Networking
  • Productivity
  • Virtualization
  • Windows
  • Sometimes a home lab can be kept operational for months with minimal maintenance. This month, many things happened that required more immediate attention. Maybe this month should have been called Bugtober instead of Blogtober, and it ain't even over yet! None of these took terribly long to fix, but all are good to know about.

    In order of first discovery, here's a summary of what I had to do, and what I will be doing soon. If you have some/all of the same gear, perhaps you should too! Back up your stuff first, of course.

    Supermicro SuperServer Xeon D

    Oct 06 2017 - Intel SPI vulnerability CVE-2017-05701

    101257

    Only a concern for internal attacks, so please don't make too much of this, and it's not likely an issue at all for typical home labs, see securityfocus.com/bid/101257. On October 23rd, I received confirmation from Supermicro that this SPI vulnerability also affected Xeon D, not just the Intel NUC, which were patched with new BIOS releases back on Oct 6. Not a problem for Bundle 1/2/3 owners and most Xeon D SuperServer owners, with BIOS 1.2c already fixing this vulnerability, see also the release notes that are dated 09/19/2017, but the download spotted on Oct 19.

    Note, there is one Supermicro SuperServer Xeon D system that hasn't been patched, the SYS-E300-8D with the X10SDV-TP8F Flex ATX motherboard and the SFP+ version of the Intel X552/X557 10GbE. Unfortunately, the last BIOS update for that system was released way back in August of 2016. In hindsight, I'm thankful that I choose not to help create a bundle of that model.

    Details on the BIOS upgrade procedures just published:

    VMware vSphere 6.5 Update 1

    Oct 09 2017 - Monitor for rare PSODs for upgraded 10GbE servers

    esxi-6-5-host-fails-psod
    Andrea Mauro at vInfrastructure Blog

    I've not received any reports of PSODs from Xeon D owners at all, and quite possible that this issue doesn't apply to the now very common Intel X552/x557 10GbE that's baked right into the Xeon D. The rare Xeon D and Xeon E PSOD explained in KB 2146388 that some NSX users encountered about a year ago quickly surfaced via comments right on my site, and was fixed with a BIOS update. With 6.5U1 out since July and no PSODs reported to date, I'm fairly confident this isn't a priority for me to worry about, but I'll keep an eye out anyway.

    Ubiquiti EdgeRouter Lite

    Oct 02 2017 - Several critical CVEs discovered

    2083744
    On Oct 02, tbyehl reports dnsmasq vulnerabilities, "Google dropped 7 CVEs on dnsmasq today, three with remote code execution."

    Ubiquiti has moved to a much faster release cycle with their firmware updates this year, largely decoupling major feature releases from more frequent security-update-only releases. This is good. I'm that much more relieved that I've left consumer routers behind at this point, annoyed by their planned obsolescence through inevitable firmware neglect.

    Here's the fix that took Ubiquiti only 9 days to create, and only about 10 minutes to apply to my ERLite-3.

    v1.9.7+hotfix 4

    • Direct Download
      ER-e100.v1.9.7+hotfix.4.5024004.tar
    • Changelog

      Upgrade dnsmasq to 2.78 to fix multiple security vulnerabilities (CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496, CVE-2017-13704).
      My upgrade of my ERLite-3 on Oct 24 was uneventful, using the same procedure demonstrated on video here. This update requires a router reboot, which interrupted internet access for my entire home's network for less than 5 minutes.

    FYI, pfSense got their KRACK-patching 2.4.1 Release out on October 24th.

    VMware vSphere Web Client

    Oct 14 2017 - Adobe Flash Crashes discovered

    919364528663490560-long

    After our Twitter conversation, William got this one documented very quickly:

    As for me, I'm not comfortable with back-leveling to vulnerable Flash versions, so I went ahead and fired up a fresh Windows 10 Version 1709 VM from my home lab's ready-to-roll template. I then installed 64 bit Chrome, then the beta Flash from here. This got me going again, and will help me get by until a proper Adobe Flash gets auto updated right in my Chrome, at which point all my handy "appified" Chrome vSphere shortcuts will simply resume working, with no more futzing around required. That's my hope anyway.

    Oct 25 2017 Update - Fixed! Details below.

    KRACK

    Oct 16 2017 - Wi-Fi WPA2 vulnerability disclosed

    microsoft-already-published-a-krack-fix-apple-and-google-are-working-on-it-excerpt

    Windows

    The fixes were uneventful and pretty fast. Microsoft fixed all modern Windows versions a week before we even knew about KRACK. The "client" OS is where this Wi-Fi vulnerability is biggest. The fix came down via the usual automatic Windows Updates mechanism.

    macOS

    Some details in this Apple forum thread.

    eero Wi-Fi

    Next up Fixed on my home's eero Wi-Fi very easily, with a beta immediately made available, and the GA level code available to manually pull arriving within a couple of days. Easy.

    iOS 11.1

    Fixes in iOS 11.1 are available now in beta, and in GA form later this week.

    Android

    Some devices getting patches in early November, but according to The Verge:

    Google has promised to deploy an Android patch in the coming weeks, but it may be some time before that patch will reach non-Pixel devices. Even if your router isn’t patched, patching the device should be enough to stop an attacker from getting in the middle.

    EdgeRouter-and-eero-TinkerTry
    EdgeRouter doing DHCP/DNS/Routing, eero only doing Wi-Fi using bridge mode, click to read article.

    Oct 25 2017 Update

    vSphere-Web-Client-broken-Flash-at-TinkerTry
    Adobe Flash .170 doesn't like vSphere Web Client

    Today, Chrome automatically updated to Flash update 27.0.0.183, which seemed to resolve this issue documented in VMware KB 2151945:

    where a system wide standalone Flash install of 27.0.0.183 or later is recommended. But what if you only use Chrome for vSphere sysadmin, don't care to enable Flash in other browsers, and don't wish to clutter Windows up with yet another auto-updater in Task Scheduler?

    For most of my Windows 10 systems, no further action was required. The VMware vSphere Web Client suddenly just worked again, since the automatic Chrome updates had taken care of this Flash update to .183 too. But there was one system where I had to manually give its Chrome a gentle kick to do its component updating.

    What about those auto-updaters in Task Scheduler? That won't work, since that's NPAPI, but it's your PPAPI that needs updating. Don't worry, updating your PPAPI is easy and doesn't hurt. This simple fix isn't a hack that could adversely affect other apps or system, it just updates Chrome's Flash. Here's the exact steps I followed:

    Check-for-update-to-Adobe-Flash-Player-version-183-TinkerTry

    Fix for vSphere Web Client

    1. Open a new Chrome tab.
    2. Copy-and-paste this special URL into the new Chrome tab:
      chrome://components
    3. Look for
      Adobe Flash Player - Version 27.0.0.170
      and click on the button labeled
      Check for update
    4. A few seconds later, it should say Version 27.0.0.183 (or later), and
      Component updated
    5. On your crashed vSphere Web Client window (sample screenshot above), click on Reload and tada, it works like it should (sample screenshot below), no Chrome restart required. Nice!

    Sources - How to force Flash updates in Chrome by Martin Brinkmann at ghacks.net and “Shockwave Flash has crashed” workaround for vSphere Web (Flash) Client by William Lam at virtuallyGhetto.

    Don't forget, this fragile reliance on Flash is going away, see:

    • Goodbye, vSphere Web Client!
      Aug 25 2017 by Martin Yip at VMware vSphere Blog

      Customers should start transitioning over to the vSphere Client if they have not already done so as the vSphere Web Client will no longer be available after the next vSphere release.

    vSphere-Web-Client-fixed-Flash-at-TinkerTry
    Adobe Flash .183 likes vSphere Client

    Oct 26 2017 Update

    Seeing eero's quick reaction to KRACK has been very reassuring. I can recall originally being somewhat skeptical about cloud management of my Wi-Fi’s firmware version. Over time, it's become apparent that eero’s management of firmware has some big advantages over relying on owners to have to do something, especially when they are critical, like the patch for KRACK.

    Here's a bit of the behind-the-scenes by eero:

    eero-designed-to-be-reliable
    • Move fast, break nothing
      POSTED ON OCTOBER 25, 2017
      How we protected 100% of our customers in less than a week

      Oct 25 2017

      On October 16th, cyber security researchers publicly disclosed a vulnerability named KRACK in the WPA2 security protocol, which encrypts all traffic between modern WiFi access points and client devices. That same day, eero’s internal security and engineering teams rolled a fix out to our beta customers. A day later, we began rolling out the security patch to all customers. As of October 22nd, less than a week after the KRACK disclosure, 100% of eeros had been updated to protect against the security vulnerability. That’s faster than most companies even released a patch, let alone actually updated their products. In fact, all eero networks were updated before some companies even acknowledged the vulnerability at all.

    923594932618539008

    Oct 31 2017 Update

    October wasn't done yet! Reaper: IoT botnet 'worse than Mirai' infects one million organisations worldwide was the gist of many headlines, but maybe you didn't see these two additional articles:

    new-iot-botnet-storm-coming
    • A New IoT Botnet Storm is Coming
      Oct 19 2017 at Check Point Research

      Key Points:

      • A massive Botnet is forming to create a cyber-storm that could take down the internet.
      • An estimated million organizations have already been scanned with an unknown amount actually infected.
      • The Botnet is recruiting IoT devices such as IP Wireless Cameras to carry out the attack.

      New cyber-storm clouds are gathering. Check Point Researchers have discovered a brand new Botnet, dubbed ‘IoTroop’, evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.

    iotroop-botnet-full-investigation
    • IoTroop Botnet: The Full Investigation
      Oct 29 2017 by Check Point Research

      Last week, thanks to the Check Point web sensor network, our researchers discovered a new and massive IoT Botnet, ‘IoTroop’. Due to the urgency of this discovery, we quickly published our initial findings in order to alert the cyber security community. Since then, we have had time to digest and dissect the propagating malware and share our findings with you.

    IfnOsDUM-cropped.PNG

    Patrick Norton discusses Reaper IoT botnet at this spot in this recent podcast episode, as well as the first Check Point Research article above:
    This Week in Computer Hardware (MP3): 438: AMD Ryzen Laptops and the 1070 Ti


    Nov 18 2017 Update

    Remember above, where I wondered aloud if the Xeon D's embedded Intel X552/X557 10GbE might be affected by the PSOD warnings in kb.vmware.com/kb/2151749, optimistically hoping lack of any reports meant we might not need to worry? Well, that question got answered for me last night, as I kicked off a Windows Update on a Windows 10 1709 VM on my Intel Optane 900P's VMFS file system, and headed to bed, noticing it seemed a little slow. In the morning, noticed the ESXi server itself didn't respond to ping, so it was time to fire up Supermicro's embedded iKVM functionality to have a look see at the local console.

    Well, wonder no more, my little Xeon D-1541 was clearly telling me that yes, the Intel X552/X557 10GbE user can be affected by this PSOD, even if you're not heavily hitting the network! This is both annoying and even a bit embarrassing. I work at VMware as a customer facing vSAN System Engineer, not a part of the group that works on ESXi itself. But I've reported this incident internally, and hope a proper ESXi fix in the form of a patch arrives soon.

    Meanwhile, the KB article does have a workaround, which I will be using myself for now. This does put a wrinkle in my plans to test from my Optane 900P to a loaner Optane 900P that just arrived, using 10GbE between them.

    VMware-KB2151749-PSOD-example-Intel-Xeon-D-1541-with-Intel-X552-X557-10GbE-cropped-2017-11-17--TinkerTry
    VMware KB 2151749 PSOD example from Intel Xeon D 1541 with Intel X552/X557 10GbE networking active.

    See also at TinkerTry

    edge-router-lite-update

    how-to-get-rid-of-vsphere-browser-certificate-warnings-in-windows

    appify-your-vmware-vsphere-related-web-uis-using-chrome-for-windows

    replaced-linksys-with-eero-after-also-testing-luma

    See also

    • CVE-2017-13080 | Windows Wireless WPA Group Key Reinstallation Vulnerability
      Oct 16 2017 by Microsoft

      A spoofing vulnerability exists in the Windows implementation of wireless networking. An attacker who successfully exploited this vulnerability could potentially replay broadcast and/or multicast traffic to hosts on a WPA or WPA 2-protected wireless network.
      Multiple conditions would need to be met in order for an attacker to exploit the vulnerability – the attacker would need to be within the physical proximity of the targeted user, and the user's computer would need to have wireless networking enabled. The attacker would then need to execute a man-in-the-middle (MitM) attack to intercept traffic between the target computer and wireless access point.
      The security update addresses the vulnerability by changing how Windows verifies wireless group key handshakes.

    EdgeMAX - Upgrade Firmware via Web GUI