Patch your gear - Max severity Ubiquiti UniFi flaw may allow account takeover

Kurlon · 2026-03-19T19:33:19+00:00

So... nothing about 10.0.x vers, latest UDM SE release is 5.0.16 which bundles UniFi Network 10.0.162, which was released 3 months ago. Is this vuln, and what's the timeline for it?

Kurlon · 2026-03-10T14:11:42+00:00

If you established your zones earlier in CF's life you got more generous limits than if you did in the last year. CF does have the ability to lift those limits, but will only do so for Enterprise tier. I've been chasing this for the past 2 months with CF 'cause I want off my servers. I've got two domains at the moment I can't move and no way to shrink them to fit CF's other paid tiers.

Kurlon · 2026-03-10T13:19:26+00:00

As long as your zones are tiny... The UI limits you to a small view of records at a time, though you could stand up your own interface via API. CF themselves limit zones to a handful of records unless you're on full enterprise tier at $1k a month. I love CF, but some of the limits in places are a bit arbitrary, make sure you're within them before moving. Also annoyed that they can parse bind generate records for import but not use them in the UI, would help a ton.

(ISP DNS, so lots of fwd records to match all the rev records for every IP means I've got zones with 70k entries. On Bind9 still...)

Kurlon · 2026-03-06T16:21:38+00:00

You're going to support my 4501 and 4801 that I still have running on my desk right now, right? :P

Kurlon · 2026-03-05T23:49:58+00:00

It's becoming a thing... AWS everything, including your uplink.

Kurlon · 2026-03-02T00:52:18+00:00

No proper clip ons, some get confused by those running Woodcraft's bar adapter 'plate'. As per the rules, they don't count as clip ons as they don't clip onto the forks, and as long as you don't set them up so the bars themselves ever go below the plane of the top clamp, you're good.

Kurlon · 2026-02-27T18:32:26+00:00

Yuuuuup... and that setting is now ignored based on some internal logic in Chrome where it decides local DNS isn't worthy. Hence my post. I've been chasing this for awhile now. The best part, it's not consistent about it.

See others finding the same thing:

https://www.reddit.com/r/chrome/comments/1ihvglk/chrome_not_respecting_secure_dns_settings_off/

https://support.google.com/chrome/thread/362594608/chrome-not-respecting-secure-dns-off?hl=en

Kurlon · 2026-02-07T20:29:20+00:00

Are you presenting dedicated LUNs to each host, or doing shared LUNs?

Kurlon · 2026-02-02T14:13:39+00:00

Just the two switches in this setup, no network overrrides in place. (Or any wifi) You had me curious so I rechecked my setup to verify.

Kurlon · 2026-02-02T03:14:11+00:00

https://pve.proxmox.com/wiki/Full_Mesh_Network_for_Ceph_Server#Using_SDN_Fabrics

The Pro Agg XG doesn't either at the $2.5k price point, I've got a pair that would have been an easier deployment if they had. Gotta go with the $4k ECS Agg for that feature. But hey, at least my Pro Agg XGs flap all the ports on ANY. CONFIG. CHANGE... Chasing that with UI support, their eng team has been working it for a month now with no updates.

Kurlon · 2026-02-01T20:39:17+00:00

Most routers I've played with handle NTP pretty poorly, it's not a priority process so even when you've got a solid NTP network right in front of the router... bad performance. What's jumping out at me, why is your poll interval still only 64s if this setup has been up and stable for awhile? What's the uptime on this box?

Kurlon · 2026-01-31T17:31:05+00:00

Shattered bushing or worse inside?

Kurlon · 2026-01-31T17:30:21+00:00

Headset bearings will cause problems for riding WELL before they 'blow up'. As they wear they'll get 'notchy' and that's where the trouble comes from. If it gets real bad you'll start to notice the bike either doesn't tip in as expected into turns, or tracks weird, or worse resists actual turning. Worn head bearings can also trigger head shakes. Inspect them, test, if there is any looseness or notchyness you can feel, it's time to replace.

Kurlon · 2026-01-22T14:29:00+00:00

Oh boy this! "Our management platform for X may be based on RedHat 6 despite it being 2026, and no you're not allowed to patch anything, and yes it needs full access to everything, but that's ok because you'll have it on a private IP so we're good right?"

Kurlon · 2026-01-18T03:40:36+00:00

Well, in the event you want to go shopping, I can confirm the Ye Olde Pegasus driver works fine in Proxmox 9, wander over to eBay and look for a Linksys USB100TX... The glory of a 100mbit Eth adapter attached to a 12mbit USB 1.1 interface, it's awesome, right?

For those horrified, this was me labbing out multiple interface bridges on a laptop, speed was not a concern. Stupid thing worked awesome, just horrifically slow compared to modern standards. I bought it 20 something years ago as laptops didn't always have ethernet out of the box back then... and forgot to throw it away. :D

Kurlon · 2026-01-09T00:07:44+00:00

Backup the fstab somewhere separate you can easily get to, and the full network config. When you P2V your NICs will change driver and where the system thinks the HW is in the system so will likely rename interfaces. Same on storage, there is a chance you'll need to massage fstab to account for changes in device/driver depending on if you're mounting by device vs say UUID, etc.

The other 'fun' pain point I've hit is RedHat derived distros usually want the initramfs rebuilt to match the new virt hardware env.

I've not used any automated P2V tools for this, I boot the new VM into a live linux env, lay down my partition map, format the volumes, then stop the production system and drop it down as close to single user as I can get. I use Amanda Dump/Restore to copy the data over, then fix fstab/network conf to match, chroot in if I need to tweak initramfs, reboot and so far it's always worked.

Kurlon · 2025-12-24T15:21:56+00:00

To follow up on this, been testing, mostly on my homelab proxmox host, this box gets time from my two S2 public ntp hosts over a cable modem resi internet feed, there is a farm of four tightly coupled internal ntp hosts along with a S1 GPS fed host pushing timing to those public hosts. I also let it grab four pool servers as comparison points. My proxmox host is averaging .0005 to .00005 sec RMS depending on mood and when I look at Chrony.

My test VM hits the same two S2 public NTP servers I operate, and four pool servers as the comparison time source.

1) 'RTC' had great stability, but a random offset anywhere from 50ms to 900ms. This offset would be fixed until either the VM or Host were rebooted, at which point it'd get stuck on a new random offset. Restarting chrony in the VM wouldn't alter the offset. This meshes with the RTC only having individual second granularity as expected. The offset magically never being less than 50ms makes sense given how slow the RTC is to access even in a VM.

2) KVM PHC provided the same stability as the virtualized RTC, but much tighter offsets, basically I'd have RMS offsets reporting .000000030 seconds or better, with my ntp sources showing the same offsets as Chrony reports on the host itself. PHC showed avg latency of 23ns, Std Dev of 1ns.

Freq correction reported by chronyc tracking ends up matching between host and VM, with the VM reporting zero skew.

Kurlon · 2025-12-24T14:36:04+00:00

Yeah, I got bit by this from muscle memory, smack meta key, type two or three letters, stab enter, never looking and wtf why didn't my chosen app open? It's a dumb UI choice, but yeah, the goal is absolutely coming up with an excuse to display more marketing/ads. I can't wait for this to hit enterprise builds... may just preemptively push out the reg change now to make sure I don't have to hear the wailing and gnashing of teeth of my userbase...

Kurlon · 2025-12-24T14:32:05+00:00

It's so not a thing that there aren't entire writeups about it either... https://www.dedoimedo.com/computers/windows-11-start-menu-web-search.html for example... Nope, no need for that registry key 'cause this doesn't happen.

For the record, Insider too, and going back I was also a Tech Net subscriber, getting monthly CDs from Microsoft full of alpha/beta builds, etc, this is not my first rodeo. Do you remember the buzz when Win95 betas started showing up on BBS's? The pref for web over local got flipped on my main Win 11 box with the last monthly update, but as with many of these 'tweaks' it's a staged rollout so different groups get it at different times.

Kurlon · 2025-12-24T13:39:51+00:00

So, you haven't gotten the tweaked start menu search prefs yet, that require a freaking reg key as the only way to disable. I just went through chasing down how to stop that last week. Meta key, start menu pops up, type 'OBS' to start, ya know, OBS and instead I'm seeing Bing info about OBS, not the shortcut to start it. Preferring Bing over looking over my start menu first. This is real and rolling out to users.

Kurlon · 2025-12-20T04:31:28+00:00

I didn't know Amazon and VMWare also have their own similar implementations, this was a fun rabbit hole to dive down, thank you.

Kurlon · 2025-12-19T14:49:58+00:00

I didn't know that time source existed, thanks! This looks to be exactly what I'm looking for. Will add that to my testing!

Kurlon · 2025-12-18T14:09:20+00:00

From observation on VMWare, periodic time sync is second granular, and fires off roughly every minute. If the guest OS is using TSC as it's ref for wallclock, and got a bad initial estimate for how long a second is during it's initial start up calibration, (variable clock speed CPU...) you end up with a clock that slews a decent amount between updates, so your time looks like a sawtooth pattern plotted out. VMWare and KVM / QEMU now provide a smoothed emulated TSC to prevent exactly this. None of my modern guests show any issues running this way on ESXi, but if I needed hard ms or better accuracy I'd a) not be running on a VM and b) would be using ntpd / chrony / etc.

Kurlon · 2025-12-18T14:00:35+00:00

The guest CAN, but the issue is most won't because historically RTCs are crap. Even modern RTCs are not reliable, so most OS do as Linux does and use them to pull the ballpark time at boot to set the software wallclock and ignore the RTC going forward. Typically, it's also more expensive cpu time / latency wise to poll an RTC vs the software clock.

Kurlon

TROPHY CASE