EAP225 AC 1200 Ver 2 - Omada Software - what about linux new release?
Hi all,
I'm happy using 2x EAP 225 with Controller Software.
Some days ago a new release was published (Omada_Controller_v2.7.0_Windows32bit, https://www.tp-link.com/en/download/EAP-Controller.html#Controller_Software).
The Linux release is still at 2.5.1.
Is there a chance for a new Linux release?
Thank you.
See this post: https://community.tp-link.com/en/business/forum/topic/150035
Hi,
We are developing a new version of Omada Controller for Linux now; it won't take too long to publish it. We will inform you of any update in the forums.
Best wishes,
Jonas
Thank you very much for moving the Windows software to a Linux environment.
While this is good news, I'll wait for the official Linux release from TP-Link.
I see previous work to trap the Windows sw and move it to a Linux environment.
Why does TP-Link not make an official release as quickly as your work?
Hi LorisAlbanese,
I'm in a hurry because I have been waiting since June last year for fixes to a root exploit I discovered when EAP Controller v2.4.7, the first version for Linux, was released. Back then, I informed TP-Link about those holes and sent them a modified start/stop script, which fixed at least the root exploit.
You can even find those postings from June 2017 here in the forum in the discussion about the missing Privilege Separation in previous versions of EAP Controller.
From what I saw now, the attack vector for Privilege Escalation has finally been fixed by TP-Link in v2.7.0, although I don't know (yet) whether Privilege Separation will be introduced by the official v2.7.0 or whether TP-Link just closed the attack vector (port 1099, Java RMI) visible to the outside. We will see.
That's why I'm in a hurry - our company has deployed EAP Controller on a public Internet server. It has been reported that the root exploit was successfully used by hackers on at least two servers I know of, one of these a server of my customer. So the early adoption of my fixes could help to mitigate those attacks after the systems had been restored.
Other security fixes from TP-Link appeared in EAP Controller v2.6.1, which unfortunately was available only for Windows, so I made a Linux version. In detail, those security-related bugs, which were already openly discussed in hacker forums, were supposedly fixed in v2.6.1:
CVE-2018-10164: Cross-site scripting (XSS) vulnerability via portalPictureUpload
CVE-2018-10165: Cross-site scripting (XSS) vulnerability via local user creation functionality
CVE-2018-10166: Cross Site Request Forgery vulnerability in authentication tokens
CVE-2018-10167: Hard-coded cryptographic key attack vector
CVE-2018-10168: Privilege Escalation attack vector
I strongly urge anyone running EAP Controller < v2.7.0 on Linux or < 2.6.1 on Windows to upgrade to Omada Controller v2.7.0 and JRE8 as fast as possible. Exception: the community version of EAP Controller v2.6.1 for Linux is relatively safe already.
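A defender-side check for the two conditions described in the post above (Java RMI on port 1099 visible to the outside, and the controller running without privilege separation), as an added example that is not part of the original post or of TP-Link's scripts. The process pattern `example-controller` and all sample lines are constructed placeholders; substitute the install path used on your host.

```shell
#!/bin/sh
# Added example, not TP-Link's or the poster's script. Sample data is constructed.

# Print each non-loopback local address listening on TCP port $1.
# Input: `ss -H -ltn` style lines on stdin (field 4 = Local Address:Port).
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4
            n = match(la, /:[0-9]+$/)        # last ":port", works for IPv6 too
            if (n == 0) next
            addr = substr(la, 1, n - 1)
            if (substr(la, n + 1) != port) next
            gsub(/^\[|\]$/, "", addr)        # drop [ ] around IPv6 literals
            sub(/%.*$/, "", addr)            # drop %interface scope
            if (addr ~ /^127\./ || addr == "::1" || addr ~ /^::ffff:127\./) next
            print addr
        }'
}

# Print PIDs of root-owned processes whose command line contains $1.
# Input: `ps -eo user=,pid=,args=` style lines on stdin.
root_owned() {
    awk -v pat="$1" '$1 == "root" && index($0, pat) { print $2 }'
}

# Constructed sample input (addresses, paths and names are placeholders).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 50 *:1099 *:*
LISTEN 0 50 [::1]:1099 [::]:*
LISTEN 0 50 192.0.2.10:1099 0.0.0.0:*
LISTEN 0 50 127.0.0.1:1099 0.0.0.0:*'
SAMPLE_PS='root 812 /usr/bin/java -cp /opt/example-controller/lib/* ExampleMain
mongodb 640 /usr/bin/mongod --port 27017
ctrl 900 /usr/bin/java -cp /opt/other-app/lib/* OtherMain'

printf '%s\n' "$SAMPLE_SS" | exposed_listeners 1099 |
    while read -r a; do echo "RMI port 1099 reachable on: $a"; done
printf '%s\n' "$SAMPLE_PS" | root_owned example-controller |
    while read -r p; do echo "controller PID $p runs as root"; done
```

On a live host, feed the functions from `ss -H -ltn` and `ps -eo user=,pid=,args=`; any address printed for port 1099 means the RMI registry is bound to something other than loopback.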
jonas wrote
Hi,
We are developing a new version of Omada Controller for Linux now; it won't take too long to publish it. We will inform you of any update in the forums.
Best wishes,
Jonas
I contacted support asking about 2.7.0 for Linux and they said it would be 1-3 months, I hope that's not true.
miked315 wrote
I contacted support asking about 2.7.0 for Linux and they said it would be 1-3 months, I hope that's not true.
I waited months for the release of the first Linux version 2.4 (from 2016 to July 2017), only to discover that it lacked Privilege Separation.
As did version 2.5 of November 2017.
Why don't you use the community version of Omada Controller 2.7.0 for Linux in the meantime?
Its start/stop script for Linux has been tested and constantly improved for more than a year now (precisely, I published the first version of tpeap in the old forum on 2017-07-21 already, just a few days after the first Linux version 2.4.7 appeared).
The remaining files are original Java files - the very same as in the Windows version - and the latest Open Source version of mongodb and Oracle's JRE 8, both to be downloaded from their official repositories (Debian / Devuan / Raspbian / Ubuntu / Fedora / Slackware / Oracle / younameit).