Ubiquiti: UniFi 3.2.1 is out, with security updates for UniFi and AirVision

UniFi 3.2.1 has been released (http://community.ubnt.com/t5/UniFi-Updates-Blog/UniFi-3-2-1-is-released/ba-p/872360), and the timing is good because it makes it possible to fix vulnerabilities in the 2.4.x versions:

  • Ubiquiti UbiFi / mFi / AirVision – CSRF Vulnerability: http://www.exploit-db.com/exploits/34187/ and http://seclists.org/fulldisclosure/2014/Jul/126
  • CVE-2014-2226: Ubiquiti Networks – UniFi Controller Admin/root password hash sent via syslog: http://seclists.org/fulldisclosure/2014/Jul/127
  • CVE-2014-2227: Ubiquiti Networks – AirVision v2.1.3 – Overly Permissive default crossdomain.xml: http://seclists.org/fulldisclosure/2014/Jul/128

You therefore need to update to version 3.2.1.

Ubiquiti: EdgeRouter update

A little over a month ago, Ubiquiti updated the OS version for its EdgeRouter Lite (EdgeMax range).

The current version is 1.5.0, which can be found here: http://www.ubnt.com/download/#EdgeRouter:Lite (69MB, 2014-06-20)

If you want to read the release notes in detail, follow this link: http://community.ubnt.com/t5/EdgeMAX-Updates-Blog/EdgeMax-software-release-v1-5-0/ba-p/888586
Note that this version includes PPPoE offload:
[HW acceleration] Add support for PPPoE offload. Currently this is disabled by default


RouterOS v6.17 update

Mikrotik is treating us to a new update of its RouterOS, version v6.17.

This one only fixes a crash on the CCR1009, but since I am a little behind on tracking versions, here are the ChangeLogs for the versions since my last post:


What's new in 6.17 (2014-Jul-18 15:14):

*) CCR1009 - fixed crash, only affects CCR1009;

What's new in 6.16 (2014-Jul-17 13:12):

*) 802.11ac support added in wireless-fp package for QCA9880/9882 rev2 (-BR4A) chips;
*) ip cloud now allows to set which IP to use - detected (public) or local (private);
*) l2tp, pptp, pppoe - fixed possible packet corruption when encryption was enabled;
*) ovpn - fixed ethernet mode;
*) certificates - use SHA256 for fingerprinting;
*) ipsec - fix AH proposal and problem when sometimes policy was not generated;
*) snmp - support AES encryption (rfc3826);
*) l2tp server: added option to enable IPsec automatically;
*) poe-out: added power-cycle-ping and power-cycle-interval settings;
*) gps - increased retry duration to 30 seconds;
*) time - on routerboards, current time is saved in configuration on reboot
    and on clock adjustment, and is used to set initial time after reboot;
*) sntp - disabling/enabling client was causing dynamic-servers to be ignored
    (bug introduced in 6.14);
*) CCR - fixed rare file system corruption when none
   of configuration could be changed or some of it disappeared;
*) ipsec - allow multiple encryption algorithms per peer;
*) email - support tls only connections;
*) smb - fixed usb share issues after reboot
*) snmp - fix v3 protocol time window checks;
*) updated timezone information;
*) quickset - added VPN settings for HomeAP mode;
*) latency improvements on CCR devices;

What's new in 6.15 (2014-Jun-12 12:25):

*) fixed upgrade from v5 - on first boot all the optional packages were disabled;
*) fixed problem where sntp server could not be specified in winbox & webfig;
*) metarouter - make openwrt work on ppc metarouter again;

What's new in 6.14 (2014-Jun-06 15:34):

*) sntp - 'mode' now is a read-only property, it is set to broadcast if no
    server ip address is specified;
*) smb - fixed some SMB1 errors;
*) wireless-fp package is now included in routeros one (disabled by default);
*) webfig - fixed quickset, it didn't work with disabled wireless package;
*) sstp - fixed problem where session was closed every 2min;
*) pptp,l2tp,pppoe - fixed problem where some of the static bindings
   become dynamic interfaces;
*) eoip - lowered default MTU to avoid IP packet fragmentation;
*) eoip - added clamp-tcp-mss setting with default=yes for new tunnels to avoid
   IP packet fragmentation;
*) fixed - bridge could sometimes get added without "running" flag;
*) fixed - simple queues could sometimes crash router;
*) fixed - simple queue stats freeze (empty winbox queue window);
*) ssh server - allow none cipher;
*) proxy - added 'anonymous' option which will skip adding X-* and Via headers;
*) dhcp server - added option use-framed-as-classless and
    added support for DHCP-Classless-Static-Route RADIUS attribute;
*) quickset - fixed problem where address mode selection did not work in
	bridge mode;
*) ipv6 address - fixed problem where changing advertise lost ipv6 connected route;

CAVEAT: CAPsMAN Layer3 doesn’t work if IPv6 package enabled either
	on CAPsMAN or CAP device;


RouterOS 6.13 update

Mikrotik is treating us to an update of RouterOS, version 6.13, with the following changes and fixes:

What's new in 6.13 (2014-May-15 16:03):

*) console - comments are now accepted where new command can start, that is,
    where '/' or ':' characters can be used to start new command, e.g.
	/interface { # comment until the end of the line
*) backup - backups by default are encrypted now (with user password).
   To use backup on older versions, you should disable encryption with dont-encrypt
   flag when creating it;
*) files with '.sensitive.' in the filename require 'sensitive'
    permission to manipulate;
*) lcd - reduce CPU usage when displaying static screens;
*) l2tp - fixed occasional server lockup;
*) pptp - fixed memory leak;
*) sstp - fixed crashes;

/!\ Note that backups are now encrypted with the user's password.

[Ubiquiti] New UniFi Video range and new versions: UniFi Video 3.0.2 / UVC 3.0.3 / airCam 3.0.3

To mark the launch of its new UniFi Video camera range, Ubiquiti is treating us to a "unified" version of the hardware [1] and new versions of the corresponding software [2].

Note the following point from the second link, which states that the airVision range becomes UniFi Video and that airVision will no longer be updated.

Upgrade notes for airVision 2.x users

1. Use caution when upgrading from airVision, it is recommended to back up your data. UniFi Video installer will do its best to migrate your recordings and settings.

2. UniFi Video is not airVision – it aims to provide superior reliability for the surveillance system. This comes with tighter coupling of all cameras with the controller software, which means that there are no ways left to control cameras with third party software after the firmware upgrade to 3.0. Feature-wise, this translates to:


  • Firmware 3.0 is designed specifically for UniFi Video
  • RTSP is not supported in 3.0 firmware (it might still be accessible on some models)
  • WebUI of the devices is reduced to provide only the basic functionality to hook your cameras to the controller

3. For Linux based deployments of UniFi Video, please note a new user and group ID is used. Please check to confirm ownership is set to "unifi-video:unifi-video" for any custom path to store video recordings. The previous "airvision:airvision" owner and group ID is no longer used and may cause a loss of recordings if ownership of custom path to videos is not updated.

4. airVision 2.x will EOL in a future release of UniFi Video. Please note that airVision 2.x will no longer be patched or improved until then.
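
The ownership check that upgrade note 3 asks for, as an added shell example (not from Ubiquiti or from the original post). It assumes GNU find; the function names are hypothetical, and the custom recording path is passed as an argument because the page does not name one.

```shell
# Added example: audit ownership of a custom UniFi Video recording path.
# Requires GNU find (-printf), as found on typical Linux deployments.

EXPECTED_OWNER="unifi-video:unifi-video"   # owner:group from the upgrade notes
LEGACY_OWNER="airvision:airvision"         # owner:group used by airVision 2.x

# Print "count owner:group" for every owner:group pair found under $1
# that differs from the expected pair ($2, default EXPECTED_OWNER).
ownership_summary() {
    find "$1" -printf '%u:%g\n' 2>/dev/null |
        awk -v want="${2:-$EXPECTED_OWNER}" '$0 != want { n[$0]++ }
            END { for (o in n) printf "%d %s\n", n[o], o }' | sort
}

# Print the number of entries (files and directories) with the wrong owner.
count_wrong_owner() {
    ownership_summary "$1" "${2:-$EXPECTED_OWNER}" |
        awk '{ s += $1 } END { print s + 0 }'
}

# Report the result; return 0 if clean, 1 if a chown is still needed,
# 2 if the path is not a directory.
check_recording_path() {
    expected="${2:-$EXPECTED_OWNER}"
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    wrong=$(count_wrong_owner "$1" "$expected")
    if [ "$wrong" -eq 0 ]; then
        echo "OK: everything under $1 is owned by $expected"
        return 0
    fi
    echo "WARN: $wrong entries under $1 are not owned by $expected:"
    ownership_summary "$1" "$expected" | while read -r n owner; do
        if [ "$owner" = "$LEGACY_OWNER" ]; then
            owner="$owner (legacy airVision owner)"
        fi
        echo "  $n x $owner"
    done
    return 1
}

# Stand-alone use: pass the custom recording path as the first argument.
if [ -n "${1:-}" ]; then check_recording_path "$1"; fi
```

A non-zero exit status after the upgrade means the path still needs its ownership changed to unifi-video:unifi-video before recordings can be written there.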


[1] http://uv.ubnt.com/hardware.html#UnifiVideoCamera

[2] http://community.ubnt.com/t5/UniFi-Video-Blog/UniFi-Video-3-0-2-UVC-3-0-3-airCam-3-0-3-Release/ba-p/801836

RouterOS 6.12 update

The v6.12 update of RouterOS (Mikrotik) brings the following fixes (excerpt from the ChangeLog):

What's new in 6.12 (2014-Apr-14 09:27):

*) l2tp - fixed "no buffer space available" problem;
*) ipsec - support IPv4 over IPv6 and vice versa;
*) pppoe - report correctly number of active links;
*) updated timezone information;
*) many fixes for CRS managed switch functionality -
   particularly improved VLAN support, port isolation, defaults;
*) added trunk support for CRS switches;
*) added policing support for CRS switches;
*) www - added support for HTTP byte ranges;
*) lte - provide signal strength using snmp and make 'info once' work in console;

EDIT: Note that, for the moment, there is no update following Heartbleed.


Unable to reset to the default configuration on ROS 6.3, RB stuck in etherboot mode

If you did a hard reset on ROS 6.3, your RouterBoard ends up in Etherboot mode (bootp, or network boot); typically you then try the netinstall utility (on Windows), but despite all your attempts your RB does not return to its default configuration: no DHCP lease can be obtained, and nothing pings in

Rest assured, your RouterBoard is not bricked; this is a bug tracked by Mikrotik: http://forum.mikrotik.com/viewtopic.php?f=2&t=76431

You can use netinstall-6.2 to put ROS 6.2 back, or use the 6.4 versions of netinstall and ROS released in the meantime.

