Untangle v15.1.1 Emergency Update

[Sky-Knight]

For the first time I'm aware of in Untangle history, Untangle has forced an out-of-band emergency update.

Untangle uses a customized GRUB to boot, and there was a CVE regarding security issues with GRUB2 back in July. There was a date release of Untangle v15.1 released a couple of weeks ago that got the Debian provided GRUB patch, but lacked the appropriate configuration changes to the GRUB configuration files...

As a result, if your unit has this date release, it can't boot anymore... because the boot sector is mangled...

Untangle v15.1.1 addresses this, it will install if your system needs it automatically even if you have upgrades disabled. If you have upgrades enabled the update seems to follow the assigned schedule, if you have upgrades disabled it seems to install whenever the heck it wants.

The update doesn't stop network traffic flow, nor does it require a reboot. So other than freaking out the admin if it happens to be doing it while you're trying to configure Untangle to do something it's largely invisible.

In the meantime, if you're on v15.1.0 try not to reboot until you're on v15.1.1... just in case. Grub can be fixed, but it's honestly easier to reinstall the platform instead if the unit becomes a brick. But that's the issue, thousands of Untangle servers that are standing time bombs, running happily until they reboot... unless this update is applied.

 

[Sky-Knight]

Courtesy of Matt via the Untangle forums. The bug can be repaired with Debian 10 installation media via the following process:

--- Fix Instructions ---

1. Download and burn a live Debian based linux distro to usb. Since I work in security, I used Kali linux for this along with Belana Etcher
2. Reboot to the usb. Within the gui, start a terminal
3. Run the below commands

sudo -i
fdisk -l
(look for the drive that has a linux and swap partition, usually /dev/sda1, the below is w/ sda for the example)

mount /dev/sda1 /mnt
apt-get update && apt-get install grub2 -y
grub-install --root-directory=/mnt/ /dev/sda
If the grub update was successful, you should be able to reboot normally

Officially the only fix is to reinstall the brick, unofficially anyone around here that knows linux at all can simply replace Grub and get on with their lives.

 

[Sky-Knight]

@YeOldeStonecat Tagging you here, relevant to your questions on the Untangle forums. I'm assuming you'd like to know about the fix above, even if as an MSP you'll very likely choose to not use it. Reinstall / restore backup is more tier 1 friendly after all.

 

[YeOldeStonecat]

@YeOldeStonecat Tagging you here, relevant to your questions on the Untangle forums. I'm assuming you'd like to know about the fix above, even if as an MSP you'll very likely choose to not use it. Reinstall / restore backup is more tier 1 friendly after all.

So from that thread I take it only rigs that were at 15.1.0 were at risk of a reboot. And that any rigs at 15.1.0 should be now be at Build: 15.1.1.20200905T150556.8ca624f09e-1buster from their secretly forced update? So if we see them at 1buster....should be good?

 

[Sky-Knight]

@YeOldeStonecat

Untangle is being annoyingly vague on that point, but I *think*... the bug was in 15.1.0 build 2020-08-26.

So if you look at the string above, it's the first pile of numbers, it'll be 15.1.020200826XXXXXXXX for the bugged release.

But I don't know if the 2020-06-02 build is OK... it might be the problem release too, and the 8-26 release was shoved out to attempt to fix things more naturally.

https://wiki.untangle.com/index.php/Date_Changelog

Looking at your example, it's the first bit of the numbers that matter, not the last: 15.1.1.20200905

That's Untangle v15.1.1 release 2020-09-05 which is current.

Also, side note... a minor miracle has come out of COVID, and while Nexgen cannot deliver hardware nearly as fast as we used to. It looks like 500 and up appliances will all have full out of band management going forward... Jim and I are still working through that.