v2.0.7 Bug Reports and Comments - WS3 Firmware

[Stephen]

FIXED/CHANGED
- Connection with netonix manager works with manager version 1.0.18 or greater

ENHANCEMENTS

KNOWN ISSUES
- WEB UI issues when not at 100% Zoom on browser especially on VLAN TAB
- Some language templates need help - please private message Stephen Copeland to help

Released 10/1/2021

[mayheart]

Even with a device name set under configuration, SNMP still responds with "netonix_switch" from the sysName OID.

[Garnet]

Well this ones a security risk, details:

Switch Model: WS3-14-600-AC
Firmware Version: 2.0.7
Issue: Switch does not require credentials to access web interface and change settings.

Steps to Reproduce:
1. Open a new browser (preferably a private/incognito window to rule out cookies)
2. Navigate to https://WS3_SWITCH_IP/main.html
3. Switch will load the web interface and allow configuration changes
4. Note that going to https://WS3_SWITCH_IP will still ask for credentials

Expected Behaviour: WS3 will redirect browser to login page (e.g. index.php on WS series switches)
Actual Behaviour: WS3 loads configuration page without asking for credentials and allows configuration changes.

I hope we can get a quick fix to this, don't really like the idea of core hardware being wide open.

[mayheart]

Well this ones a security risk, details:

Switch Model: WS3-14-600-AC
Firmware Version: 2.0.7
Issue: Switch does not require credentials to access web interface and change settings.

Steps to Reproduce:
1. Open a new browser (preferably a private/incognito window to rule out cookies)
2. Navigate to https://WS3_SWITCH_IP/main.html
3. Switch will load the web interface and allow configuration changes
4. Note that going to https://WS3_SWITCH_IP will still ask for credentials

Expected Behaviour: WS3 will redirect browser to login page (e.g. index.php on WS series switches)
Actual Behaviour: WS3 loads configuration page without asking for credentials and allows configuration changes.

I hope we can get a quick fix to this, don't really like the idea of core hardware being wide open.

Can confirm this bug works.

[Hightech]

We just installed our first WS3-14-600-AC upgraded from a WS2-24-400A but there is something wrong with the trafic reporting in the web interface it report up to 3,5 Gbps on a 1 GB port... my guess it is a factor 10X to mouch?!
so my guess it is 350Mbps and not 3,5 Gbps trafic

Br.
Carsten

[mayheart]

I've confirmed the "error saving configuration" problem is caused by the security bug Garnet reported.

If you force a login by going to https://unit/ instead of https://unit/main.html the problem goes away.

[mayheart]

Any update on when this severe security bug will be fixed?

[Garnet]

As Netonix has had several months to at the very least follow up on this severe security bug and has not my company will be filing it as a CVE. We are well passed the responsible disclosure date for what is most likely a one line code change to fix a very real security hole.

[Dave]

new ws3 RC code was released last night from developer....is planned on being released next week after some testing ....all known issues have been resolved...

[michaeln416]

new ws3 RC code was released last night from developer....is planned on being released next week after some testing ....all known issues have been resolved...

This is great news. Looking forward to installing it and testing it here.