Firmware update: Ubiquiti EdgeMAX EdgeRouter 2.0.9 hotfix 1

Ubiquiti Networks has released a hotfix for version 2.0.9 of the firmware for the EdgeMax EdgeSwitches. The EdgeSwitches are characterized by extensive setting options, but require some network knowledge to get it running properly. Also, not all settings can be adjusted via the gui, so you have to start via the command line. The list of changes and improvements for this release is as follows:

Overview

The ER-X/ER-X-SFP/ER-10X/EP-R6 has more limited storage, and in some cases, an upgrade may fail due to not enough space. If this happens, remove the old backup image first (using delete system image CLI command, see here for more details) before doing an upgrade.

More details can be found in the release notes below. Please give it a try if you are interested in the new features/changes to help us test them so that we can get the release out sooner! Thank you very much!

Improvements

after

Bug fixes

• [Security/DNS] – Fix dnspooq vulnerabilities in dnsmasq
• [Security/Upgrade] – Remove -k (aka –insecure) flag when downloading firmware update via CLI with curl
• [SNMP] – Backport multiple snmpd memory leak fixes from upstream (1pc, 2nd and 3rd)
• [UNMS] – Fix memory leak in udapi-bridge process when UNMS is enabled
• Upgraded following Debian packages: dnsmasq (2.79 => 2.83)

Known issues

• [DPI] – Sometimes DPI is reporting wrong rx/tx counters
• [Offloading] – L2TP IPSec traffic is not being offloaded on Mediatek-based routers (ER-X, ER-X-SFP, EP-R6)
• [Offloading] – VLAN traffic is not being offloaded on ER-12
• [dnsmasq] – latest dnsmasq v2.83 has regression that causes DNS request to be resent during heavy load (details here). We will fix this issue in upcoming v2.0.9-hotfix.2 firmware update:
• The symptoms are random log messages reporting “failure to send packet” and the DNS query associated with this is lost.
  Retries of the query do not fail, so the operational effect of this is minimal.
  To trigger the bug, dnsmasq:
  1) has to be under fairly heavy load,
  2) and be configured for a mixture or IPv4 and IPv6 upstream DNS servers
  3) or, possibly, be using –bind-interfaces.
• [dnsmasq] – shell command dnsmasq –version is reporting old v2.79 version instead of v2.83. This is a pure cosmetic issue, please ignore it – dnsmasq was indeed upgraded to v2.83. This issue will be fixed in v2.0.9-hotfix.2 firmware
• [sudo] – Known CVE-2021-3156 sudo vulnerability is present in v2.0.9-hotfix.1 but it can not be exploited because non-privileged users do not have shell account. Nevertheless we will patch sudo in upcoming v2.0.9-hotfix.2 firmware

Additional information

EdgeRouter firmware can be installed via CLI, WebGUI or UNMS. Detailed installation instruction is available here.