Digi EX12, EX12-PR, EX15, EX15W, EX15-PR User Manual

...

Download

DIGI INTERNATIONAL

9350 Excelsior Blvd, Suite 700 Hopkins, MN 55343, USA +1 (952) 912-3444 | +1 (877) 912-3444

www.digi.com

Digi Accelerated Linux (DAL) Release Notes

Digi Accelerated/Enterprise Routers

Version 21.2.39.67

INTRODUCTION

This is a major firmware release for all DAL supported products. This is a mandatory production firmware release.

SUPPORTED PRODUCTS

· Digi EX12/EX12-PR

· Digi EX15/EX15W

· Digi EX15-PR/EX15W-PR

· AcceleratedConcepts 5400-RM

· AcceleratedConcepts 5401-RM

· AcceleratedConcepts 6310-DX

· AcceleratedConcepts 6330-MX

· AcceleratedConcepts 6335-MX

· AcceleratedConcepts 6350-SR

· AcceleratedConcepts 6355-SR

KNOWN ISSUES

· Cellular metrics are not shown under the Settings → Status → Communications section of Digi Remote Manager, but are shown under the Data Streams for the device. [DALP-768]

· Health metrics are uploaded to Digi Remote Manager unless the Monitoring > Device Health > Enable option is de-selected and either the Central Management > Enable option is de-

selected or the Central Management > Service option is set to something other than Digi Remote Manager [DAL-3291]

· Wired Internet connectivity is interrupted during cellular modem firmware updates [DAL-4647]

· The cellular Access technology configuration option is ignored if carrier PLMN locking is

enabled [DAL-4693]

UPDATE BEST PRACTICES

Digi recommends the following best practices:

1. Test the new release in a controlled environment with your application before you update

production devices.

96000472_C Release Notes Part Number: 93001323_T Page 1

2. Unless otherwise noted, apply updates in the following order:

a. Device firmware b. Modem firmware c. Configuration d. Application

Digi recommends Digi Remote Manager or Digi aView for automated device updates. For more information, follow the instructions for Digi Remote manager or Digi aView in the links below:

1. Instructions for Digi Remote Manager:

https://www.digi.com/resources/documentation/digidocs/90001436-13/default.htm#tasks/t_update_device_firmware.htm

2. Instructions for Digi aView:

https://www.digi.com/resources/documentation/digidocs/acl-kb/default.htm#Subsystems/kb-6300-cx/update-firmware.htm

If you prefer manually updating one device at a time, follow these steps:

1. Download the firmware file from the Digi firmware support page.

2. Connect to the device’s web UI by connecting your PC to the LAN Ethernet port of the device

and then going to http://192.168.210.1.

3. Select the System tab on the top navigation bar of the page, then select Firmware Update.

4. Select the Browse button in the Upload file section.

5. Browse for and select the downloaded firmware file.

6. Click the Update Firmware button.

TECHNICAL SUPPORT

Get the help you need via our Technical Support team and online resources. Digi oers multiple support levels and professional services to meet your needs. All Digi customers have access to product documentation. firmware, drivers, knowledge base and peer-to-peer support forums.

Visit us at https://www.digi.com/support to find out more.

CHANGE LOG

Mandatory release = A firmware release with a critical or high security fix rated by CVSS score.

For devices complying with ERC/CIP and PCIDSS, their guidance states that updates are to be deployed onto device within 30 days of release

Recommended release = A firmware release with medium or lower security fixes, or no security fixes

Note that while Digi categorizes firmware releases as mandatory or recommended, the decision if and when to apply the firmware update must be made by the customer aer appropriate review and validation.

VERSION 21.2.39.67 (February 27, 2021)

EX12-21.2.39.67.bin

SHA512:

d1cd96a3a0004874209ad87acef74cd80ae695eda4d614c7ee07e54fa4635980cdd8d13c d28c045e8e9b8a5aac18e509032580c8b7f9a2f64f01f2c54bc65fd3

MD5: 6f422c1c3f1324b5c58c72b23c4d0e8d

EX12-PR-21.2.39.67.bin

SHA512:

e8b6eb1e2ebd4f810e103138fdd8fa9e0a3cb3ee9a613a635984e28fded6a873fa2781211 4628adfc63f5310e8114ee48de0d3959ededf6c1c3d2962d05653d5

96000472_C Release Notes Part Number: 93001323_T Page 2

MD5: 212e450aa6eec6e6ef76d4b39553e3e9

EX15-21.2.39.67.bin

SHA512:

ca00f52fd57c901115fb360ec22b2591de9b7eca542b1a14c8385d00423a2f9dadbcc68a0 a6d5067a7568d77199a361d68609431ccd5fa2ebdb075587bb16d77

MD5: b4db0fb96d39ca1742c1a24d653b479c

EX15-PR-21.2.39.67.bin

SHA512:

a16fef890859003ef2f5e39b453a3425b84358be6c6427a17af69cd77179097aa5a4a0932 6c696ec9b238dc511f8e3a66f2b6fae416eb051504b9a8ddf677e86

MD5: 8323ef118600a4e1a9da481095ee6d57

EX15W-21.2.39.67.bin

SHA512:

a252302c2c6208dd243e1088b87e5e69d656586dc67060043303fcd7dbc07d0a9bf47840 42d974dd6c4975d115e559b7bf6be593c1587e398e0f8d2a3976d150

MD5: ad4807daf027489f586a5db03391963d

EX15W-PR-21.2.39.67.bin

SHA512:

7a5f2d2009d4667d6275f7d70733d59359a608dae7983cb17073877f9bf0c324c6736faf5e 3384248f3f5eec6e6be79bb0ecb19c9f660f69114735f42ccbbaf0

MD5: 956d2134b32efc2522a7796bc732b072

5400-RM-21.2.39.67.bin

SHA512:

5fd6aaa4461cfadf8e99357453cd98eeb37f87e4db5c7b86876f15963e646ef8cf8a3ceaf20 83810e074f17a46d47dff83a1bb697914ee7519cd182b432a5dd7

MD5: e7f807e658ad07554295ad5e3ab483e1

5401-RM-21.2.39.67.bin

SHA512:

bdb09db0a6dcd78caa070a2d34201a44e3566d29825b0b504d8a5e5bdf5e7bdbb66c6c1 bf56ac8e89c2b983ff537878f7492a88ca9366cafa07eebe39aaf3ed9

MD5: 160aed03d7468a60f7c7b5d6f5934df3

6300-CX-21.2.39.67.bin

SHA512:

2ccbc4023724efc8010389f14d155b723b1d2ccc2eccf8b415bc43a84aac934a8b9cba494 1dfd09284a9ada8b8dca4980720005c3a3223c0192adb91d13f3db4

MD5: 4fede0c4124b4db8d90a1c23ef8b82af

6310-DX-21.2.39.67.bin

SHA512:

03065095a051aaa72dfcf18d8ece4f41541c32e281879e6e471e85ec1dcb2eac38efb2986 ddd6bb167e2f7e1f4e17cb2d3c57ad511869e7b7f4ef2925a1a4da2

MD5: 0fbf35610bdb32a2507149758759a708

6330-MX-21.2.39.67.bin

SHA512:

e1d74d7ab50edfb2f045fde9e43d0acaaff6acb3486af02bd5f341128f1636e78b403e44d45 05a4a96d4811e01ca7614250e8cd4561305184cea1e7eeeb77c29

MD5: 6871b262946cbbe7f5c32c5bf7

6335-MX-21.2.39.67.bin

SHA512:

cf31b12d714ce03fbe4fa250849d04b17e8fa58d1d4d1484fbb23ff7780beeeea8a14a4feab 95a0e6e937f3a03a22035d52bafe4d39f9d045e90d679c3ff9746

MD5: 15ba4d5c01726f8bce39d88808c4aba1

96000472_C Release Notes Part Number: 93001323_T Page 3

6350-SR-21.2.39.67.bin

SHA512:

b7adadc8e1b63001f746fd6ce355e44960ecb6d03e1c01922b34d648d6466157642e8048 cd0142e062a28d148a3c94eae63df80b8e5c1fc36d04294c791c0b15

MD5: 2fa98f75a606bf21304e8e4f8221cf

6355-SR-21.2.39.67.bin

SHA512:

e38794189d5fff5e910bbd43066c714fef9f2a7773248e484bcbaf3c7f2de503da082363b8d 0d57a74c2034012943464c926975c7c81be4d389093e3c70919db

MD5: b0807f0d9e5eb10f8703e4eecc4bd282

FEATURES

1. Add the Location service to all DAL products. DAL devices can utilize several location

sources (cellular, GNSS, or user defined) to determine where it's located and report that to Digi Remote Manager or other servers [DAL-724]

2. Add geo-fencing configuration options. This new features is found under Services →

Location → Geofence. It can be utilized to define one or more circular or polygonal geofence areas and then perform a set of actions when the device enters or leaves that area. Current options for actions to perform are either factory erasing the device or running a custom script. [DALP-711]

3. New modem scan CLI command for listing available carriers for the current modem and

SIM setup.

4. New Network → Interface → Modem → Network PLMN ID config setting to lock the SIM card

to a particular carrier based on its PLMN ID(note that the Carrier selection mode must be set to Manual or Manual/Automatic in order to lock the SIM to a specific carrier) [DALP637]

5. Added local API to the web UI for automated configuration of the device [DALP-777]

6. Support remote CLI commands through Digi Remote Manager [DAL-4273]

7. New configuration options under System → Scheduled tasks → System maintenance to

automatically check for device and modem firmware updates, then notify in the CLI and web UI when updates are available [DAL-4413]

ENHANCEMENTS

1. EX15W: Added new DFS Client Support configuration setting to support 5GHz DFS Wi-Fi

channels in client mode [DALP-720]

2. EX15W: Add 5GHz frequencies to the list of channels that can be scanned for client-mode

Wi-Fi background scanning [DAL-2570]

3. Set 2.4GHz default Wi-Fi bandwidth to 20MHz [DALP-772]

4. Update default background scanning settings for Wi-Fi clients to the following:

1. Scan threshold: -75dB

2. Short interval: 5s

3. Long interval: 300s

5. Updated Surelink recovery of Wi-Fi connections to restart the Wi-Fi module if restarting the

network connection fails to recover the setup [DAL-4387]

6. Added settings under Authentication → Serial to control Certificate Management for TCP

and autoconnect serial port setups [DALP-682]

7. Allow hidden/debug config settings to be controlled and preserved by DigiRM [DAL-4445]

8. Asymmetric preshared keys for IPsec tunnels [DALP-707]

9. Don't display Aggressive/Main mode or Xauth selections for IKEv2 IPsec tunnels [DAL-4142]

10. Update name and description of certificate settings for OpenVPN clients and servers [DAL-

96000472_C Release Notes Part Number: 93001323_T Page 4

4435]

11. Add digidevice.led python module to all products [DALP-710]

12. Add options to forward location information to a remote host over TCP [DALP-778]

13. Add new Forward interval multiplier configuration option under Services → Location →

Destination servers to control the number of location update intervals to wait before sending location data to this server [DAL-4056]

14. Report location metrics as datapoints to DigiRM [DAL-4055]

15. Include the connection uptime of IPsec tunnels as datapoint metrics to Digi Remote

Manager [DAL-4062]

16. Report the phone number of the SIM as a health metric datapoint to Digi Remote Manager

[DAL-4440]

17. Fixed incorrect format of ICCID and IMEI metrics reported to Digi Remote Manager [DAL-

4440]

18. Add iptables TRACE tool for enhanced firewall debugging [DAL-4182]

19. Improved accuracy of the status shown for a modem during a firmware update

20. 1002-CMG4: Disable GEA1 on EG25-G modem [DAL-4250]

21. 1002-CMG4: Disable voice services on EG25-G modules [DAL-4560]

BUG FIXES

1. Fixed issue with utilizing soware flow control on serial ports set in remote-access mode

[DAL-3630]

2. Fix issue where a serial port could lock up and prevent access if flow control was enabled

[DAL-4585]

3. Fixed issue where non-primary DNS were queried through the wrong interface when

use_dns configuration option is set to primary [DAL-3156]

4. Report the phone number of the SIM as a health metric datapoint to Digi Remote Manager

[DAL-4440]

5. Fixed incorrect format of ICCID and IMEI metrics reported to Digi Remote Manager [DAL-

4440]

6. Fixed setup issue between custom firewall rules and IPsec tunnels [DAL-4433]

7. Fixed occasional issue preventing LM940 modems from re-establish their cellular

connection aer a modem firmware update [DAL-2933]

8. Fixed issue requiring a user to fix syslog configuration setting when updating from 20.5.x or

older firmware to 20.8.x/20.11.x firmware [DAL-4426]

9. Fixed rare issue where show system CLI command would display incorrect uptime details

[DAL-4350]

10. Fix issue with secondary CLI sessions showing stale configuration settings if the config is

updated elsewhere [DAL-4446]

11. Updated message displayed in web UI to direct the user to refresh the page aer erasing the

device back to default settings [DAL-2326]

12. Fixed issue where dynamic DHCP leases were not displayed in the CLI or web UI (bug

present on 20.11.x firmware versions) [DAL-4557]

13. Fixed inaccurate status of the Ethernet interface of a device in passthrough mode [DAL-

4543]

14. Fixed issue preventing web UI access if two-factor authentication was enabled (bug present

on 20.11.x firmware versions) [DAL-4509]

15. Fixed issue where CLI commands sent from DigiRM would crash the DAL device's connection

to DigiRM [DAL-4412]

16. Fixed issue preventing WAN/cellular connections from working if the interface was

96000472_C Release Notes Part Number: 93001323_T Page 5

configured with a single Interface Up Surelink test [DAL-4629]

17. Fix rare issue where Wi-Fi hotspots would stop responding to DHCP requests if restarted

many times [DAL-4298]

18. Fixed output of the show wifi ap name <ap_name> and show wifi client name

<client_name> CLI commands [DAL-1615]

19. Fixed inaccurate status of the Ethernet interface of a device in passthrough mode [DAL-

4543]

20. PR products: Fixed issue preventing usage of the digidevice.config python module on PR

firmware products [DAL-4378]

21. EX12: Fixed connectivity of EX12 devices with T-Mobile private APN SIMs [DAL-4544]

22. 1003-CM11: Fixed occasional issue preventing LM940 modems from re-establish their

cellular connection aer a modem firmware update [DAL-2933]

23. 1003-CM11: Fixed timing issue aer updating firmware on LM940 modems that preventing

the modem from reconnecting unless rebooted [DAL-4614]

24. Fixed issue causing aView-initiated speed tests to report the same upload/download speeds

[DAL-4420]

SECURITY FIXES

The highest level vulnerability that has been fixed in this release is listed as a Critical CVSS score of

8.1 High

1. Update hostapd to address CVE-2019-16275 and CVE-2019-13377 [DAL-4232]

2. Update wpa_supplicant to address CVE-2019-16275 [DAL-4233]

3. Update libcurl to version 7.74.0 (CVE-2020-8169, CVE-2020-8177) [DAL-4336]

4. Update to python version 3.6.12 (CVE-2020-14422) [DAL-4364]

5. Update OpenSSL to version 1.1.1i (CVE-2020-1971) [DAL-4326]

6. Update dnsmasq to version 2.83 (CVE-2019-14834, CVE-2020-25681, CVE-2020-25682, CVE-

2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687) [DAL3950]

7. Update web security settings with the following headers [DAL-4192]

1. Pragma: no-cache

2. Content-Security-Policy

3. X-Content-Type-Options: nosni

4. X-XSS-Protection: 1; mode=block

8. Set SAMEORIGIN in X-Frame-Options to uppercase [DAL-4192]

9. Automatically de-activate active user logins/sessions if the password for that user changes

10. Removed support for https CBC ciphers [DAL-4408]

11. Fixed XSS vulnerability on serial page in the local web UI (Bug present on firmware versions

20.11.x and older) [DAL-4646]

12. PR products: Removed debug config options from PR firmware for changing https ciphers

[DAL-4417]

VERSION 20.11.32.168 (December 23, 2020)

This is a recommended release.

ENHANCEMENTS

1. Use PDP context 1 with Telus carrier SIMs [DAL-4332]

96000472_C Release Notes Part Number: 93001323_T Page 6

BUG FIXES

1. Fixed bug preventing Ethernet speed/duplex adjustment (aects firmware version

20.11.32.138) [DAL-4414]

VERSION 20.11.32.138 (December 2, 2020)

EX12-20.11.32.138.bin

SHA512:

8ca00542ccca7a8a03cd720405e2d85a1d78660c804bf312f9599bc404830a7b40074abb 5d3dad60ba7f2402609a2f22dc5f7e793d7dfaf845f8db18c8c68d17

MD5: 73958d8bb5acc31d4f75b3066f04daad

EX12-PR-20.11.32.138.bin

SHA512:

a2d9f823f8753a2cb00c04232f9f314afcddad221b4b76c4d392401d5725a06cd8787231 837c0e7c4329da473afbe6ee861f2ebd4da1e5e8d17f8aac7f1eab

MD5: 211d1005b5c812c3c36d3b55ac355dc2

EX15-20.11.32.138.bin

SHA512:

83fd656aed56d972543f4d19e003825593d79dc439846b03a3d7116599cba9e1c06a55c1 f5c984a01a5f6820c1fc8f5b7491f1a9ef793a2aed223575dac15ef8

MD5: 8fd4e699bd27cc9da81cb726225021c9

EX15-PR-20.11.32.138.bin

SHA512:

efe94ed40519d132067cb2c0239d85428b039cea25f88955313913ade9170f9e990714d ac13d3fc0d0d22630a01145c878482f435f34fea8acb6528c87bc95

MD5: fb31340e93ad3bde71d0e5a5c90fd1dc

EX15W-20.11.32.138.bin

SHA512:

63ad84ec0ca6798137890486076e46b6f4f39447f5f5fed3eeef4e5485a169ace26c919c51 d9f9b2de67cb6ae59768e913270bb526ef0e866fe6889d735deaf7

MD5: 3518774a2339b0babd56c57bd129838d

EX15W-PR-20.11.32.138.bin

SHA512:

9b67783334b0acab900682db7d817d8f9f7cd797601ea5778cc335f36845189a968094b4 29e45a564e33d42614d0030e71a57fc66cbe2321b9fb7994a2b849

MD5: 54c8f6fad147bda2b3d119afe311

5400-RM-20.11.32.138.bin

SHA512:

75a6c795d0bca41f73516f5f1287ca8529f446fdd5ca6d2bbf6062be7e60bd4b2fc9a79dd 98b44c39f33f4cdd834644e9e1004a2c656886a9b51e254e24fc3d8

MD5: 8fe0c22df1a24065b9b1ec32e90e2ded

5401-RM-20.11.32.138.bin

SHA512:

826fbdb9d9c7cd8c768debabf4219d5828ef3e07b3c50d78d94a3d32553ec0696c3cfe05 2d61f773e37d66fc09bf7102a500fb9bf7f37240fb630259e54434

MD5: 8364adb9346a60462941abae20eeb7

6300-CX-20.11.32.138.bin

SHA512:

2b1e79bb7242c2730b5e29aa54ba9f1b8a2b5bd9a2f5b6176f07f1c338aae8a8270d76e2

96000472_C Release Notes Part Number: 93001323_T Page 7

3bbea6e0311233cc9eb0d4b406d73192b57a3736bb9e43f66b6b4f32

MD5: eccedc3709db885fac85a9323c6924e1

6310-DX-20.11.32.138.bin

SHA512:

e63f8d4a08967a20a1876d24b828392667dd904fd23053a032408329118dfc248b658a8a 521084258342fea0d8579916a8a97ba4831b5a2d59d0f6a827a8b77f

MD5: 2f9e15eb0ac42fd1ce74b67eedd28f1d

6330-MX-20.11.32.138.bin

SHA512:

9d87a8256f2326d48c5492b31eb0bc11e7e7e02c916db704f532aeb2e6a48359aadaf58 fa49912c4f873e8fdd657d6578b5a0e061b53df5b51a55597b7f9e8

MD5: 953f27a0d01baa3e84a1b356e1e769b0

6335-MX-20.11.32.138.bin

SHA512:

9b5ecf97e76055ddbfcf836839e41276c9e14707a4ea074c965d3f7194b1710efda59e216 835db75715095d6cf7de76deb01bf5e68849b535b4a57673159ad49

MD5: 461913ddf3b1649155a6de015a54dc76

6350-SR-20.11.32.138.bin

SHA512:

5571ae02a4d2bea4f412906ae91a61d453794007fbddd339d58feca739f93e12233342b0 b3e7718d33fc3a82473e9eb516790eba7a85d1255de0a432006f56

MD5: 6583d1f6001bb872de247c1b193b0480

6355-SR-20.11.32.138.bin

SHA512:

1701987867b894df7a4f22163c7bdc51e8210178fe105146e9976dfe4ef6bee21f9b7ebd 38615ad4da05b5dd2f0795d729b4b8ccbbe66ab80e9eea2c171a35

MD5: 1dc366811ebb098422a174d3c8cdb4

FEATURES

1. EX12/EX15/EX15W: New PR product variants and firmware for FirstNet/ResponseVerify

products [DALP-674]

1. PR stands for Primary Responder and indicates a security hardened, feature-restricted firmware targeted to comply with AT&T FirstNet and Verizon ResponseVerify certifcation security requirements. It is the same DAL firmware under the hood, but with several features removed to comply with FirstNet and ResponseVerify security restrictions. Below is a list of changes for PR products:

1. Services → Telnet removed

2. Removed Telnet option from Remote access options if a serial port was set in

Remote access mode

3. WPA1 Wi-Fi encryption option (WPA Personal) removed

4. Default Wi-Fi SSID disabled by default

5. interactive shell removed

1. Firewall → custom rules always has sandbox enabled with limited shell command and filesystem access to only allow iptables interaction

2. System → Scheduled tasks → Custom scripts always has sandbox option enabled with limited shell command and filesystem access to allow CLI access and python script execution

3. No inbound SCP/SFTP support

96000472_C Release Notes Part Number: 93001323_T Page 8

2. Add ssh and telnet commands to Admin CLI [DALP-664]

3. Add new modem firmware CLI commands for performing local or over-the-air remote firmware updates to the cellular modem(s) in the device [DAL-2811]

4. Add new configuration options under Network → Devices for setting the link speed/duplex of the device's Ethernet port(s) [DALP-135]

5. Add options for starting, stopping, and viewing serial port activity logs through the CLI, web UI, or Digi Remote Manager [DALP-458]

6. Support for the Sierra EM9190/9191 5G modems [DALP-686]

7. Support for the Sierra EM7411 LTE CAT7 modem [DALP-608]

8. IPv6 IPsec tunnel support for full IPv6 tunnels, IPv6-over-IPv4, or IPv4-over-IPv6 tunnels [DALP-581]

9. IPsec XFRM interfaces for enhanced control over IPsec tunnels and the network interfaces associated to them. This allows users to select tunnels for multiple networking features, including static routes, policy-based routes, access control lists, and routing priority based on metric. [DAL-490]

10. Inclusion of the Python pip for installing external modules/libraries [DAL-4078]

ENHANCEMENTS

1. Add Services → Location options for configuring GPS or GNSS location communication [DALP-724]

2. GPS/GNSS support for the 1002-CMG4 modem [DALP-713]

3. Add cellular technology icon to the Dashboard in the web UI [DAL-3673]

4. Add link to product User Guide under the User drop-down menu at the top-right of the web UI [DALP-569]

5. Added help button to System → File System page of the web UI [DALP-569]

6. Added new Status → Modbus Gateway service page to the web UI to display information about modbus clients and servers connected to the gateway [DALP-671]

7. Added show modbus-gateway CLI command to view the status of Modbus gateway service [DALP-671]

8. Updated show modem CLI command to display historical information about the modem if it is in the process of updating firmware [DAL-1504]

9. Added new Services → Ping responder configuration settings for controlling what interfaces and firewall zones the DAL device responds to ICMP requests on [DAL-1565]

10. Enhance IPSec tunnels to wait for passing Surelink tests (if configured) before initiating outbound tunnels [DAL-3878/DAL-3774]

11. Add m2m.telus.iot Telus APN to fallback list [DAL-3911]

12. Add psmtneorm and edneopate010.dpa AT&T APNs to fallback list [DAL-4041/DAL-4045]

13. Add reseller and tracfone.vzwentp Tracfone APNs to the AT&T and Verizon fallback lists DAL-4098]

14. Add new 890103 and 890141 ICCID prefixes and 31030 PMND ID matchers to AT&T APN fallback list [DAL-3934/DAL-4041]

15. Add service.qcdm.secure option to enable/disable encrypted QXDM access to the cellular modem in the DAL device [DAL-3964]

16. Add missing modem firmware and SIM details to datapoints uploaded to Digi Remote Manager [DAL-4040]

17. Show uptime for connection to Digi Remote Manager on the Dashboard web UIpage in days/hours/minutes/seconds instead of just minutes [DAL-3691]

18. Updated network bridges to use the MAC address of the first device listed in Network → Bridges → [bridge_name] → Devices as the MAC address for the bridged interface [DAL-

96000472_C Release Notes Part Number: 93001323_T Page 9

3949]

19. Add link in the firmware update window on the Status → Modem page to direct users to the configuration options to schedule a modem firmware update [DALP-725]

20. Updated the help text on the login page to provide a more generic image [DAL-3916]

21. Added option when copying serial port settings on the System → Serial Configuration page to optionally copy the label of the serial port [DAL-3842]

22. Removed duplicate modem signal information from the Modem → Status page [DAL-3680]

23. Added a DSCP option to policy-based routes to allows users to match the routing rule by the type of DSCP field in the packet [DAL-3867]

24. Added a defaultroute option for matching policy-based routes to the device's active default route [DAL-4130]

25. Hide the Monitoring → Device Health configuration options if the device is not enabled for Digi Remote Manager central mangement [DAL-3825]

26. Update header types for the cellular modem name and network type on the Dashboard page

27. Create system log when Surelink DNS tests are skipped because the interface doesn't have any DNS servers [DAL-4224]

28. Hide main/aggressive mode option when using IKEv2 [DAL-4142]

BUG FIXES

1. EX12: Enable Surelink on cellular modem by default (bug aects EX12 devices on firmware versions 20.8.x and older) [DAL-3795]

2. Fixed missing default settings in configuration profiles created in Digi Remote Manager (bug aects firmware versions 20.8.x and older) [DALP-658]

3. Fixed missing option for setting the SIM Slot Preference in configuration profiles in Digi Remote Manager (bug aects firmware versions 20.8.x and older) [DAL-3912]

4. Fixed format of user passwords when displayed in Digi Remote Manager (bug aects firmware versions 20.8.x and 20.5.338.58) [DAL-3889]

5. Fixed issue with policy-based routing not working in conjunction with multiple IPsec tunnels (bug aects firmware versions 20.8.x and older) [DAL-3515]

6. Fixed issue preventing OpenVPN server-managed certificates from being re-generated if the process was interrupted (bug aects firmware versions 20.8.x and older) [DAL-3803]

7. Fixed issue preventing OpenVPN client from using an autogenerated config file from a tapbridge openvpn server (bug aects firmware versions 20.8.x and older) [DAL-3881]

8. Fixed some formatting output of the show system verbose CLI command (bug aects firmware versions 20.8.x and older) [DAL-3805]

9. Fixed issue preventing VRRP interoperability between DAL devices and SarOS devices (bug aects firmware versions 20.8.x and older) [DAL-4130]

10. Update VRRP+ to properly handle changes in network interface statuses bug aects firmware versions 20.8.x and older) [DAL-4274]

11. Removed poorly formatted script contents from the show scripts CLI command output [DAL-3315]

12. Fixed non-working system disable-cryptography CLI command [DAL-4169]

13. Fixed second-stage erase functionality on devices not enabled for aView management [DAL3944]

14. Fixed issue preventing multicast traic from being sent through a GRE tunnel [DAL-3879]

15. Fixed issue preventing a firewall rule from being setup for OSFPv2 entries [DAL-3869]

16. Fixed rare crash caused when a Quectel modem disconnected [DAL-3867]

17. Fixed behavior of the WWAN Service LED to blink when a modem firmware update is in

96000472_C Release Notes Part Number: 93001323_T Page 10

progress (bug aects firmware versions 20.8.x and older) [DAL-3963]

18. Fixed issue preventing 1002-CMG4 modems from connecting with Verizon private APNs (bug aects firmware versions 20.8.x and older) [DAL-3605/DAL-3276]

19. Removed SIM slot 2 references and options from the configuration settings in the 6300_CX [DAL-3930]

20. Disable the internal Qualcomm GPSoneXTRA application on Telit LE910c4-NF modules from downloading data from the Qualcomm commercial XTRA server (bug aects firmware versions 20.8.x and older) [DAL-4009]

SECURITY FIXES

The highest level vulnerability that has been fixed in this release is listed as a Critical CVSS score of

9.1

1. Secureboot with signed firmware images for the EX15/EX15W (CVSS score 5.7 Medium CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H) [DALP-646]

2. Disallow TCP forwarding from incoming SSH connections [DAL-3938]

3. Remove sensitive information from HTTP GET requests (CVSS score: 5.7 Medium CVSS:3.1/

AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N) [DAL-3938]

4. Update to linux kernel 5.8 (CVSS score: 3.7 Low CVE-2020-16166 CVSS:3.1/AV:N/AC:H/PR:N/ UI:N/S:U/C:L/I:N/A:N) [DALP-678]

5. OpenSSH updated to version 8.3p1 (CVSS score: 2.2 Low CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N) [DAL-3299]

6. OpenSSL updated to vesion 1.1.1h (CVSS score: n/a) [DAL-4037]

7. OpenVPN updated to version 2.4.9 (CVSS score 9.1 Critical CVE-2018-7544 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) [DAL-3862]

8. Linux shell/bash updated to version 5.0 (CVSS score: n/a) [DAL-3763]

9. jQuery updated to version 3.5.1 (CVSS Score: 6.1 Medium CVE-2020-11022 CVE-2020-11023) [DAL-3547]

10. Updated WebU session token to use AES-256-GCM cipher (CVSS score: n/a) [DAL-4000]

11. Prevent web asset access from unauthorized logins (CVSS score: 5.3 Medium CVSS:3.1/AV:N/

AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) [DAL-3835]

12. Add script CSP headers to the web UI (CVSS score: n/a) [DAL-3629]

13. Added extra layer of firmware verification to ensure the firmware matches the target hardware variant and prevent firmware modifications (CVSS score 1.9 Medium CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N) [DAL-3511]

14. Prevent command injection through modemadvanced, modem_install, and firmware webpages (CVSS score: 6.8 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) [DAL4093/DAL-4104/DAL-4046]

15. Prevent manual addition of files to an encrypted filesytem outside of the device itself (CVSS score: 6.1 Medium CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) [DAL-4149]

16. Restrict memory allocation of tcpdump (CVSS score: 7.5 High CVE-2020-8037 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) [DAL-4226]

17. Removed expired aView and AVWOB certificates [DAL-3467]

18. Encode MAC address in URL used to sync with aView to prevent privileged escalation [DAL4304]

VERSION 20.8.22.32 (August 28, 2020)

EX12-20.8.22.32.bin

SHA512:

b5f1371048906d6dc452d3db2e041e645f60d590d800955334bb31bada8843b89728d1f

96000472_C Release Notes Part Number: 93001323_T Page 11

e926dfd3fd10f30b0a9b8ccb24f5e47738b6851afa069d54643a6eb98

MD5: b6bef9cbec0b4fe972db73443342e8ee

EX15-20.8.22.32.bin

SHA512:

9ae10cd5000bb8a01ab42bfd4019b56d3657506305724b4d8889cb665b25783c47587cd 09ad4562bc32ecdd9d813449e2216f37e83e9463740988f75e547ecdd

MD5: 1d20c64a6c7cd9f0f5da2bf881a92292

EX15W-20.8.22.32.bin

SHA512:

85162831b4c98c4a9a434b4a9eb57c9e203e33b4982be70f142d921d5db92f0c293b8dcf 38af8eeb0d43b5ad3ad7b855aa4016fe1557417d5c85468f4f9ed481

MD5: 604328982da3a12f45e3f025727d1817

5400-RM-20.8.22.32.bin

SHA512:

c72d28ac55f1d9dd22c12c638d56b8d322c856bad9004b4e588184d6885b1f59a45a1bb 0e1c9e450a25fc2f641a67345118fbd88f6797d6083d4ceadbc75

MD5: 16ef2d441b0f350235bb1671e613779e

5401-RM-20.8.22.32.bin

SHA512:

3bcdb3e979504bd3a9ef11e938d90f3815996eb7de296fb04f46d835682b02fb81100372 de205a4a7cd0cbc6d6f6ee88d48927e989cea023e013682023c173ed

MD5: d7a62d4d5c254a77e088fa81c1e333dd

6310-DX-20.8.22.32.bin

SHA512:

23fef21ee2f1f36f199a19084eea11d56122b5aedb66ee44e557e893e7f6f9a2a477176ae0 e24d80c202609d7614ad022164acf98db35a31c06f72929ecfd2b5

MD5: cd9d262772f73b4a2533f6a217e80457

6330-MX-20.8.22.32.bin

SHA512:

f1d539c3d0dac46fd3af34a0c46f71341b2ab81d968a48d78bc22f09697cb645676d02d9d 0eaeaf96bf26400188e86d46201b00a0d1e6652cf909c6b06f52d85

MD5: 680d983cb67dfdaf95d472112d0d74f6

6335-MX-20.8.22.32.bin

SHA512:

eeca51acdf9104b5dd80a49ed57bea6c096e755e4c50f05f909cb714eaa4ce2dd04aa788 58d16d79838f0a6dee62950113f1b944b079a1bb8f6d2c102d3101cd

MD5: cdef93eb68deceae0c700e926c9e2a

6350-SR-20.8.22.32.bin

SHA512:

cd451d5fd6704c78d7572466b006ef743698cf6525b923160e31aa7df95c3722fbc83c67f0 4406be5bb61baa778143a31a3d8b322387f212e9024530879cc110

MD5: 06cd7ad939156dc778629c5c2083f3

6355-SR-20.8.22.32.bin

SHA512:

89b6bca6237bcc1b31edcedce25e10cf88d51a0c75c09908fe81811ad68fc175a1d3c29f8 c413e7bbcc618cec9684be7297789f39733ac91755e5f912ea17e0d

MD5: 70ea993770c9ab679d432637845c69a3

FEATURES

96000472_C Release Notes Part Number: 93001323_T Page 12

1. Add new System → Scheduled taks → Allow scheduled scripts to handle SMS configuration option to allow custom python scripts to handle sending/receiving SMS messages [DALP-488]

2. Add digidevice.sms python module for sending/receiving SMS messages in a custom python script [DALP-488]

3. Add ability to load custom factory config file from the local filesystem, which if present is loaded when the device is reset to default settings [DALP-394]

1. The config file is the same as what can be downloaded when a user saves/exports the

configuration from the Configuration Maintenance page in the local web UI. That .bin config file can be placed in /opt/custom-default-config.bin

4. DMNR Verizon Private Network support with new settings under VPN → NEMO [DALP-457]

5. Added Serial Modbus Gateway service for utilizing the Modbus protocol to communicate with serial ports [DALP-573]

1. Configuration settings for the Modbus Gateway are found under Services → Modbus

Gateway

6. MQTT client support via Paho Python module [DALP-590]

1. Note: not available on the 6300-CX, 5400-RM, or 5401-RM

7. Added Ethernet network bonding to allow the same MAC address and IP configuration to be shared for multiple physical Ethernet ports in either active/backup or round-robin mode [DALP-589]

1. Configuration options found under Network → Interfaces → Ethernet bonding. Bond

devices created here can then be assigned to network interfaces

2. Note: not available on the 6300-CX, 5400-RM, or 5401-RM

8. VRRP+ options added under Network → VRRP → VRRP+ for validating primary or backup connectivity and automatically changing VRRP priority [DALP-289]

1. Note a SureLink test must also be enabled for the network interface the VRRP entry is

assigned to

9. Cisco Umbrella content filtering options added under Firewall → Web filtering service configuration section [DALP-524]

ENHANCEMENTS

1. Disable voice services on Quectel EC25-AF when using T-Mobile SIMs [DAL-3707]

2. Add -I source address option to the ping CLI command [DAL-3682]

3. Add service.modbus.debug config option to enable debug logging on Serial Modbus [DAL3561]

4. Add Central management configuration options for any DAL product to sync with aView, ARMT, or AVWOB [DALP-626]

5. Add 4GM and 4GT options to the Network->Modems→Access technology settings to specify a CAT-M modem to only connect on LTE CAT-M1 or NB-IoT, respectively [DALP-472]

6. Add options under System → Log → Server list to allow users to specify the TCP/UDP protocol and port of the remote syslog server [DALP-593]

7. Added configuration option under Serial → TCP connection to specify encrypted vs nonencrypted connection types

8. Added configuration option under Serial → TCP/Telnet/SSH connections to enable/disable TCP keep-alive messages and nodelay

9. Added new Base settings checkbox on custom serial configuration page in the web UI to allow users to specify whether they want to copy the base serial settings or not [DAL-3775]

10. Added new Monitoring→Device Health→Data point tuning configuration options to fine tune what datapoints are uploaded as health metrics to Digi Remote Manager

96000472_C Release Notes Part Number: 93001323_T Page 13

11. Added new Monitoring→Device Health → Only report changed values to Digi Remote Manager option to control sending metrics to Digi Remote Manager on the basis of whether the values have changed since they were last reported [DAL-3386]

12. Reduced data usage by 80% (based on default settings) for reporting health metrics to Digi Remote Manager [DAL-3394]

13. Fade Configuration saved pop-up window 5 seconds aer clicking the Apply button [DAL3451]

14. Added new Status → Scripts page in the web UI to view custom scripts and applications configured in the device, along with their status (running vs idle) [DALP-533]

15. Add options in CLI to show and manually stop any custom scripts or applications [DALP533]

16. Added Duplicate firmware option on the Firmware Update page in the local web UI to copy the active firmware to the secondary firmware partition [DALP-565]

17. Add system duplicate-firmware CLI command to copy active firmware to the secondary firmware partition [DALP-565]

18. Move update firmware CLI command to be under system [DAL-3092]

19. Add show vrrp CLI command to display the status of any configured VRRP instances [DAL2953]

20. Use a random unprivileged port for performing ntp time syncs if standard port 123 fails [DAL-3650]

21. Added new Authoritative option under TACACS+, RADIUS, and LDAP user authentication methods to prevent falling back to additional authentication methods if enabled [DAL-3314 & DALP-540]

22. Added new options under Network → Wi-Fi to control Tx Power of the Wi-Fi module (default 100%) and allow multiple RADIUS servers for WPA2 Enterprise [DALP-85]

23. Include up/down status of hotspots in the show hotspot CLI output [DAL-2184]

24. Update to ModemManager 2020-05-19 [DAL-3254]

1. libqmi: updated to 1.25.4+

2. ibmbim: updated to 1.20.4+

3. libgudev: updated to version 233

4. Improved support for Quectel EC25/EG25 modules

BUG FIXES

1. Fixed T-Mobile IPv4 connectivity on EX12 [DAL-3489]

2. Fix LED behavior to account for Surelink pass/fail results [DAL-3688]

3. Fixed issue preventing RADIUS/TACACS+ authentication from working unless local-user authentication was also configured [DAL-3701]

4. Fixed issue preventing 1002-CMG4 modem from connecting with Verizon private APN SIMs [DAL-3276]

5. Fixed issue where device would remain connected to Digi Remote Manager even aer cloud.service was changed to aView or disabled. Rebooting the device previously resolved the issue [DAL-3504]

6. Fixed bug where IPsec tunnels with multiple policies would only properly route traic for the last policy configured [DAL-3448]

7. Fixed missing CPU usage stats in show system CLI output [DAL-2540]

8. Fixed improper value of the active SIM slot in the modem sim-slot show CLI command output when SIM slot 2 was in use [DAL-3569]

9. Fixed issue preventing network interfaces from initializing if the interface name was longer than 7 characters [DAL-2327]

96000472_C Release Notes Part Number: 93001323_T Page 14

10. Fixed issue preventing WAN passthrough mode if WAN was configured with a static IP [DAL3097]

11. Fixed errors displayed in CLI when configuring a USB serial port in remote access mode [DAL-3207]

12. Fixed issue preventing users from configuring an IP address as a remote syslog server [DAL3433]

13. Handle incorrect value occasionally returned by by Telit LM940/LM960 module when querying to see which SIM slot is in use [DAL-3481]

14. Fixed issue preventing cellular modem connectivity if a custom gateway/subnet was configured but the modem wasn't in passthrough mode [DAL-3585]

15. Fixed issue causing aView IPsec tunnel (if enabled) to randomly fail when device was in passthrough mode [DAL-3657]

16. Fixed permission issue on /opt/custom/ directory preventing users from setting up custom CSS and logos [DAL-3710]

17. Fixed issue preventing VLANs from being assigned to Wi-Fi SSIDs [DAL-3113]

SECURITY FIXES

The highest level vulnerability that has been fixed in this release is listed as a High CVSS score of 6.7

1. Update to Linux kernel 5.7 (CVE-2020-10732 CVSS Score: 4.4 Medium

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L) [DAL-3322]

2. Added local user login rate limiting to default lockout additional login attempts for 15 minutes aer 5 login failures per user (Score: 6.7 Medium

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) [DAL-3390 and DAL-3505]

3. New configuration options are under the Login failure lockout section for each user in the Authentication → User settings

4. Prevent /etc/config/start from running when shell is disabled (Score: 5.2 Medium

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:L) [DAL-2846]

5. Prevent file path expansion on Firmware Update and File System pages in the local web UI (Score: 3.2 Low CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N) [DAL-3513, DAL- 3471, & DAL-3518]

6. Prevent cross-site scripting on the Wi-Fi and Bluetooth scanner pages in the local web UI (Score: 3.8 Low CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L) [DAL-3628]

7. Obfuscate text when showing the SIM PIN (Score: 3.2 Low

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N) [DAL-3462]

8. Set HTTP Auth Cookie as secure in the local web UI (Score: 3.1 Low

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N) [DAL-3393]

9. Fixed leaked file descriptors on serial connections [DAL-3202]

VERSION 20.5.38.58 (July 20, 2020)

This is a recommended release

ENHANCEMENTS

1. Increased minimum password complexity to at least 10 characters containing at least one uppercase letter, one lowercase letter, one number, and one special character [DAL-3491]

1. Note: Devices that were running older firmware that had user passwords that do not

meet these minimum requirements aer upgrading to 20.5.38.58 will still be able to use that password to authenticate with the device. However, if the user attempts to update user's password in the DAL device's configuration settings aer upgrading to 20.5.38.58, the updated password must comply with the new minimum requirements

96000472_C Release Notes Part Number: 93001323_T Page 15

BUG FIXES

1. Fixed delay in connecting with FirstNet SIMs caused by interference from Lightweight M2M (LWM2M) service on Telit modules [DAL-3236]

2. Prevent interruptions to QCDM/QXDM port on Sierra modems caused by ModemManager interaction [DAL-3469]

3. Fixed bug preventing dual-APN connectivity with AT&T SIMs and Sierra modems [DAL-3586]

SECURITY FIXES

The highest level vulnerability that has been fixed in this release is listed as a High CVSS score of 6.5, which is rated as a Medium

1. Removed remote_control service used when receiving remote commands from aView/ARMT/AVWOB in favor of HTTPS secure commands. Vulnerability discovered by Stig Palmquist (CVE pending) [DAL-3460]

2. Add failed login attempts to event log sent to remote syslog servers, if enabled [DAL-3492]

VERSION 20.5.38.39 (May 29, 2020)

This is a mandatory release

FEATURES

1. LDAP user authentication [DALP-192]

2. Add option on the System → Firmware Update page in the web UI to have the DAL device query a firmware server for available firmware updates [DALP-481]

3. Added new WiFi → Access points → [ssid_name] → Isolate clients option to enable/disable WiFi client isolation [DAL-2019]

4. Add configuration options under Central management for a proxy connection to Digi Remote Manager [DAL-3150]

5. Added new Enable watchdog configuration option to monitor the connection to Digi Remote Manager, along with options to reboot the device or restart its connection to Digi Remote Manager if the watchdog times out. The default settings are to restart the connection to Digi Remote Manager if the watchdog times out aer 30 minutes [DAL-2954]

6. New application mode for serial ports to allow full control of serial ports through custom python/shell programs. Also allows additional USB-to-serial adapters to be configured and connected to using the /dev/serial/<config_key_name> path [DAL-2807]

7. EX15W/6350-SR: Add new WiFi SSID and passphrase, enabled by default. The default SSID is now <device model>-<serial num> and the default passphrase is the unique default password of the device [DAL-3050]

ENHANCEMENTS

1. Added the ability to configure DHCP pools larger than /24 subnets [DAL-2864]

2. Enable drivers for SD card on EX12 [DALP-512]

3. Add a statusall option to the show ipsec CLI command to display verbose IPsec status [DAL-2711]

4. Use modem PDP context 1 when an AT&T SIM in inserted to match new requirements from AT&T [DAL-3093]

5. Add AT&T FirstNet IMSIs so they can be dierentiated from other types of AT&T SIMs [DAL3163]

6. Added Python HID module to allow the DAL device to control PSUs via Python programs [DAL-2092]

96000472_C Release Notes Part Number: 93001323_T Page 16

7. Allow network analyzer to be configured to monitor any network interface instead of just wired Ethernet ports [DAL-2146]

8. Added option to ping CLI command to ping a broadcast address [DAL-2571]

9. Added new health metric to report the interface used by the DAL device for its configured IPsec tunnels [DAL-2710]

10. Added new health metric to report the LTE SNR value of the modem(s) on the DAL device [DAL-2904]

11. Limit metrics upload to no more than 2 per minute if backlogged [DAL-2870]

12. Added new Locally authenticate CLI configuration option to control whether a user is required to provide device-level authentication when accessing the console of the device through Digi Remote Manager. Default is to allow console access without providing devicelevel authentication, since the user is already logged in and authenticated through Digi Remote Manager [DAL-1510]

13. Report device SKU in RCI response to Digi Remote Manager [DAL-2940]

14. Add wbdata APN to fallback list [DAL-3182]

15. Improved recovery of Telit modem firmware updates should the update get interrupted [DAL-2984]

16. Fixed spelling of System utilization chart on Intelliflow page in the local web UI [DAL-2260]

17. Added new Health sample upload window debug configuration option to provide a delay window/jitter when uploading health metrics to Digi Remote Manager (default 2-minutes) [DAL-2607]

18. Commonize the format and naming of rx/tx health metrics reported to Digi Remote Manager [DAL-2896]

19. Add IPv6 options to traceroute CLI command [DAL-2618]

20. Add count of bytes transmitted and received to the output of the show network interface X CLI command [DAL-2980]

21. Updated mmcli-dump command used when generating a support report to only run its list of AT commands on the cellular modem once [DAL-3013]

22. Updated placement of the Apply button on the Device Configuration page of the web UI to account for usability on smaller screens and keep it always visible when scrolling [DAL3029]

23. Display the secondary/alternate firmware image version as the Alt. Firmware Version in the output of the show system CLI command [DAL-3057]

24. Retain modem firmware files in the event that the firmware upgrade was interrupted [DAL2856]

25. Renamed OpenVPN server device type configuration options to clarify which options are OpenVPN managed versus device-only [DAL-2857]

26. Changed the Idle timeout configuration settings for remote-access serial ports to use to blank instead of 0s, to better match the format of the Idle timeout option for user login sessions [DAL-2623]

27. Added a 5-second wait time between setting LTE band configuration updates on a Telit modem and rebooting the modem to apply the configuration change [DAL-2972]

28. Add support for AES_GCM family of IPsec ciphers [DAL-2715]

BUG FIXES

1. Load FirstNet-specific firmware on Telit LM960 modems when a FirstNet SIM is present (bug aects firmware versions 20.2.x and older) [DAL-3163]

2. Fix VRRP crashes by upgrading keepalived to version 20.0.20 (bug aects firmware versions

20.2.x) [DAL-3181]

96000472_C Release Notes Part Number: 93001323_T Page 17

3. Prevent IPsec tunnel from being setup if its local network/interface is down (bug aects firmware versions 20.2.x and older) [DAL-2336]

4. Fixed rare issue where the cellular modem could not initialize aer resetting the modem (bug aects firmware versions 20.2.x and older) [DAL-1409]

5. Update analyzer to continue running even if the users SSH session ends (bug aects firmware versions 20.2.x and older) [DAL-2154]

6. Prevent re-uploading of invalid health metrics data if Digi Remote Manager sends a response that the contents of the health metrics are invalid (bug aects firmware versions

20.2.x and older) [DAL-2868]

7. Fixed bug preventing stale conntrack entries from being flushed when a WiFi-as-WAN (client mode) network changes, connects, or re-connects (bug aects firmware versions 20.2.x and older) [DAL-2775]

8. Fixed timing issue where an IPsec tunnel configured to be built through a specific interface would not be brought down properly if that network interface went down (bug aects firmware versions 20.2.x and older) [DAL-3023]

9. Fixed issue preventing backup IPsec tunnel from being established when primary/preferred tunnel was down (bug aects firmware versions 20.2.x) [DAL-3024]

10. Fixed intermittent reporting issue where web UI and CLI would list the modem as registered when it was actually connected (bug aects firmware versions 20.2.x and older) [DAL-2329]

11. Fixed failing SureLink IPv6 ping tests (bug aects firmware versions 19.11.x through 20.2.x) [DAL-2488]

12. Fixed issue with applying policy-based routes to incoming packets from the Internet (bug aects firmware versions 20.2.x and older) [DAL-2589]

13. Fixed bug preventing passthrough mode from functioning if multicast was also enabled (bug aects firmware versions 20.2.x and older) [DAL-2709]

14. Fixed rare issue with not receiving a SCEP certificate from the server due to timing issues between requesting the certificate with a private key and when that certificate can be downloaded (bug aects firmware versions 20.2.x and older) [DAL-2850]

15. Fixed error displayed in show modem CLI output when modem was not connected (bug aects firmware versions 20.2.x and older) [DAL-2959]

16. Fixed bug preventing local configuration backups if the configuration directory contained files or directory paths longer than 100 characters (bug aects firmware versions 20.2.x and older) [DAL-3137]

17. Fixed issue preventing automated and console-based OTA modem firmware updates on Telit LE910c4-NF module (bug aects firmware versions 20.2.x and older) [DAL-3052]

18. Fix non-working custom DHCP options (bug aects firmware versions 20.2.x) [DAL-3071]

19. Fix corrupted configuration schema settings aer issuing a config revert CLI command (bug aects firmware versions 19.8.x through 20.2.x) (bug aects firmware versions 20.2.x and older) [DAL-3194]

20. Fixed issue where IPsec tunnel is built through default route instead of the configured local interface (bug aects firmware versions 20.2.x) [DAL-2889]

21. Removed unsupported LED options listed for LR54 units in their digidevice.led Python module options (bug aects firmware versions 20.2.x) [DAL-3250]

22. EX15W/6350-SR/6330-MX: Fixed client connectivity through Captive Portals (bug aects firmware versions 20.2.x) [DAL-3251]

23. Removed empty, blank row from Filesystem page in the web UI when listing the contents of an empty directory (bug aects firmware versions 20.2.x and older)

24. Fixed issue preventing users from downloading the ovpn client configuration file from the web UI on the Chrome browser (bug aects firmware versions 20.2.x and older) [DAL-3262]

96000472_C Release Notes Part Number: 93001323_T Page 18

SECURITY FIXES

The highest level vulnerability that has been fixed in this release is listed as a High CVSS score of 7.5

1. Update to openssh-8.2p1 (CVE-2019-6111 – CVSS Score: 5.8) [DAL-2860]

2. Fixed user escalation exploit through cloud.drm.sms configuration option (CVSS Score:6.0 Severity:Medium Matrix: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N) [DAL-2887]

3. Fixed user escalation exploit through Label configuration setting for serial ports (CVSS Score: 6.0 Severity: Medium Matrix: AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N) [DAL-3011]

4. Fixed password exploit through web token (CVSS Score: 5.6 Severity: Medium Matrix:

AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N) [DAL-3069]

5. Update StrongSwan to 5.8.3 [DAL-2866]

6. Updated iputils to s20190709 and traceroute to version 2.1.0 [DAL-2338]

7. Upgrade Linux kernel to version 5.6 [DAL-2873]

8. Update ipset to version 7.6 [DAL-2853]

9. Update OpenSSL to 1.1.1g (CVE-2020-1967 - CVSS Score – 7.5 HIGH) [DAL-2977]

10. Prevent DOM XSS (cross-site scripting) exploit on Terminal page in the web UI (CVSS Score:

4.2 Severity: Medium Matrix: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N) [DAL-3068]

11. Prevent user escalation exploit through netflash options in web UI (CVSS Score: 4.1 Severity: Medium Matrix: AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N) [DAL-3129]

12. Prevent use-aer-free exploit in CLI configuration of OpenVPN (CVSS Score: 5.7 Severity: Medium Matrix: AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N) [DAL-2963]

13. Prevent XSS vulnerability on the Filesystem page in the web UI where a directory name with HTML embedded in it would be rendered as HTML rather than plain text (CVSS Score:

4.6 Severity: Medium Matrix: AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:H/A:N) [DAL-3200]

14. Prevent unauthenticated users from downloading the ovpn client configuration file from the web UI (CVSS Score: 5.6 Severity: Medium Matrix: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) [DAL-3133]

VERSION 20.2.162.162 (April 17, 2020)

This is a recommended release

ENHANCEMENTS

1. Use ims instead of vzwims APN on Verizon SIMs for proper IMS registration [DAL-2883]

BUG FIXES

1. EX12: Fixed potential SIM switch failure on Telit LE910c4-NF modem caused by issuing an improper AT command when generating a support report [DAL-2883]

2. EX12/1002-CM04/1003-CM11: Fixed cellular high-speed throughput performance issues caused by CPU slowdown and timing of gathering cellular signal details [DAL-2802]

3. EX12/1003-CM11: Fixed inability to utilize SIM slot 2 of an device with a Telit LE910c4-NF or LM940 modem when the two SIM slots contained SIMs from diering carriers [DAL-2897 & DAL2986]

VERSION 20.2.162.157 (April 13, 2020)

This is a mandatory release

ENHANCEMENTS

96000472_C Release Notes Part Number: 93001323_T Page 19

1. Add MAC address is support report filename [DAL-2863]

2. Add firstnet-broadband APN for AT&T FirstNet SIMs [DAL-2876]

BUG FIXES

1. Fix health metrics warnings in Digi Remote Manager stating the local filesystem's /opt/ directory was full when it wasn't [DAL-2769]

2. Fixed missing Rx/Tx bytes in show modem CLI command output [DAL-2804]

3. Fixed issue preventing multicast packets from being sent through a network bridge [DAL-2774]

4. Fixed auto-reboot aer restoring configuration file through local web UI [DAL-2862]

5. Fixed inability to update modem firmware on Sierra EM7511 modules [DAL-2794]

6. Fixed improper modem firmware selection on Telit LM960 module when using a T-Mobile SIM [DAL-2376]

7. Fixed bug causing the configured Reboot Time to always occur in UTC instead of local timezone (issue present in older 20.2.162.x firmware versions)[DAL-2859]

8. Fixed bug preventing analyzer from being stopped in the CLI [DAL-2892]

SECURITY FIXES

1. Fix cross-site scripting (XSS) vulnerability on various Status pages in the local web UI [DAL-2818]

2. Fix cross-site scripting (XSS) vulnerability on Configuration page in the local web UI [DAL-2819]

3. Fix cross-site scripting (XSS) vulnerability on Terminal page in the local web UI [DAL-2823]

4. Fix cross-site scripting (XSS) vulnerability on File System page in the local web UI [DAL-2823]

5. Prevent script injection exploit on the Configuration Maintenance page in the local web UI [DAL2797]

6. Prevent unauthorized read/write access to /opt/config/ and /opt/boot when Interactive Shell is disabled [DAL-2865]

7. Prevent analyzer output from being saved outside of the /etc/config/analyzer directory [DAL2672]

VERSION 20.2.162.90 (March 11, 2020)

This is a mandatory release.

NEW FEATURES

1. Telit LM960 LTE CAT18 modem support [DALP-487]

2. Quectel EC25-AF LTE CAT4 modem support [DAL-1817]

3. Digi Remote Manager is set as the default portal for all DAL products [DALP-393]

1. Central management via Digi Remote Manager will not be enabled if you upgrade a device

running 19.11.x or older firmware that was previously syncing with an aView instance to

20.2.x or newer firmware, but can be enabled if desired. However, if the device running

20.2.x or newer firmware gets reset (e.g. if someone presses the Erase button on the device, or erases its config through the web UI or Admin CLI), the device will sync with Digi Remote Manager by default.

4. Added SureLinkTM default connectivity tests on all WAN interfaces [DALP-402]

1. SureLink tests (previously referred to as Active Recovery) will not be enabled by default if

you upgrade a device from 19.11.x or older DAL firmware to 20.2.x or newer firmware, but can be enabled if desired. However, if the device running 20.2.x or newer firmware gets reset (e.g. if someone presses the Erase button on the device, or erases its config through the web UI or Admin CLI), the default SureLink tests will be enabled as part of the default settings of the device.

96000472_C Release Notes Part Number: 93001323_T Page 20

5. Background Wi-Fi AP roaming/scanning [DALP-435]

1. New Background scanning configuration settings under Client WiFi entries

6. New web UI pages added under the System drop-down with enhanced serial details and configuration [DALP-465]

7. Support for firmware/OTA updates on Quectel modems [DALP-419]

8. AT&T LWM2M support for Telit LM940/LM960 modems [DAL-2476]

ENHANCEMENTS

1. Prevent access to web UI until HTTPS is ready [DAL-603]

1. Until the SSL cert is generated, users trying to access the web UI via standard http will

receive a redirect page stating that the cert is generating. Once the SSL cert is generated, users accessing the web UI via standard http will be automatically redirected to the https link

2. Show multiple bands for Telit modems if carrier-aggregation is supported and active [DAL-

2624]

3. Update wording of help text for WiFi Background Scanning config settings to better reflect their

usage [DAL-6673]

4. Added additional Telit-specific AT commands to mmcli-dump of support report

5. Improved Role-based access on local web UI, SSH, and remote access [DALP-415]

Includes new configuration options

· Allow shell - NOTE if this options is disabled and subsequently re-enabled, the DAL device will reset to default settings

· If disabled, the following changes are implemented

a) Forced all custom scripts to be sandboxed.

b) Script sandboxing uses a tighter profile that prevents /bin/sh access.

c) Sandbox custom firewall scripts to a profile that only allows iptables/ipset/arptables/ip and access to /proc and /sys files. Basically all things firewall related but very locked down. The commands are still run in the shell, but no external commands are available, so the script is limited to basic loops and variable access and no escaping.

· Under each user group under Authentication → Groups in the configuration settings:

· Admin access

· Access level

· Interactive shell access

6. New default break sequence ~b for serial connections [DALP-253]

7. Report MCC/MNC/CID/LAC values in health metrics to Digi Remote Manager [DAL-2502]

8. Add digicpn.gw12.vzwentp Verizon APN to fallback list [DAL-2283]

9. Change default OpenVPN Certificate Issuer details from Accelerated to Digi [DAL-2449]

10. Change default SSL certification from Accelerated to Digi [DAL-1336]

11. Dual-APN support on Sierra EM7511 modem [DAL-2311]

12. Include AT#RESETINFO and Quectel-specific AT commands in support report [DAL-2394]

13. Rename Configuration Management page under the System section of the web UI to

Configuration Maintenance [DAL-2549]

96000472_C Release Notes Part Number: 93001323_T Page 21

14. Added link under System drop-down in web UI to download the support report

15. Update the Digi Remote Manager link under the System drop-down in the web UI to open in a

new tab [DAL-2294]

16. Update the Authentication → Idle timeout setting to have a default value of 10-minutes

(previously the default was blank) [DAL-2292]

17. Send up to 4 IPsec tunnels' details as health metrics reported to Digi RM [DAL-1476]

18. Change the default behavior of the SIM failover alternative settings from None to Reset

modem [DAL-2687]

19. Renamed Signal Strength references to Signal Quality [DAL-2707]

20. On the Network Status page of the web UI, add Interface is up message in SureLink status

details

21. Add service.qcdm.modem.device and service.qcdm.modem.interface_number config

options for specifying QCDM/QXDM port for a modem [DAL-2497]

SECURITY FIXES

1. Update to Linux kernel version 5.4.8

2. Removed plain-text passwords displayed in the output of the show config CLI command [DAL2513]

3. Added backo timer when maximum number of SSH/UI login retries is exceeded [DAL-2590]

4. Update to Python version 3.6.10 [DAL-2534]

5. Update tcpdump to version 4.9.3 (CVE-2017-16808 CVE-2018-14468 CVE-2018-14469 CVE-201814470 CVE-2018-14466 CVE-2018-14461 CVE-2018-14462 CVE-2018-14465 CVE-2018-14881 CVE2018-14464 CVE-2018-14463 CVE-2018-14467 CVE-2018-14463 CVE-2018-10103 CVE-2018-10105 CVE-2018-14879 CVE-2018-14880 CVE-2018-16451 CVE-2018-14882 CVE-2018-16227 CVE-201816229 CVE-2018-16301 CVE-2018-16230 CVE-2018-16452 CVE-2018-16300 CVE-2018-16228 CVE2019-15166 CVE-2019-15167) [DAL-2611]

6. Update libpcap to version 1.9.1 [DAL-2611]

7. Update e2fsprogs to version 1.45.5 (CVE-2019-15161 CVE-2019-15162 CVE-2019-15163 CVE-201915164 CVE-2019-15165 CVE-2017-16808) [DAL-2611]

8. Update openvpn to version 2.4.4 (CVE-2017-12166) [DAL-2614]

9. Update libldns to version 1.7.1 (CVE-2017-1000231 CVE-2017-1000232) [DAL-2613]

10. Update libxml2 to version 2.9.10 (CVE-2018-9251 CVE-2018-14567) [DAL-2612]

11. Restrict /etc/config/ to admin-only users [DAL-1396]

12. Remove plaintext password from RADIUS debug logs [DAL-2640]

13. Prevent Framebusting JavaScript click-jacking [SEC-494]

14. Prevent users from gaining elevated shell access through custom scripts [DAL-2628]

15. 5400-RM only: Update FIPs products to openssl version 1.0.2u [DAL-2342]

16. Update libcurl to version 7.69.0 (CVE-2019-15601) [DAL-2732]

17. Update pppd to version 2.4.8 (CVE-2020-8597) [DAL-2732]

18. Fix elevated root access through custom scripts when no-shell is enabled [DAL-2628]

19. Obfuscate sensitive device configuration settings [DAL-1388]

BUG FIXES

96000472_C Release Notes Part Number: 93001323_T Page 22

1. Fixed bug where SureLinkTM DNS tests took longer than the configured timeout to complete

[DAL-2702]

2. Fixed SSL validation bug preventing modem OTA updates [DAL-2547]

3. Fixed bug where WiFi hotspot intermittently worked [DAL-2547]

4. Fixed bug where newly-created network Bridges would not be listed as options under the Device drop-down for network interfaces [DAL-2575]

5. Fixed bug where the primary/active interface was not reported correctly to Digi aView when the DAL device was configured for load-balancing between two WAN interfaces [DAL-2568]

6. Fixed bug where a device configured with multiple SSH keys would only honor the last SSH key in the list [DAL-2506]

7. Display the active cellular band for Quectel modems [DAL-2298]

8. Fixed bug where the web UI would display bytes transmitted/received for network interfaces as N/A [DAL-2295]

9. Fixed bug where the web UI wouldn't show IP information for client devices connected to an OpenVPN server running on the DAL device [DAL-2251]

10. Fix formatting output of show config CLI command when the configuration settings contained an array [DAL-2594]

11. Fix bug when adding a new element to an array in the config mode of the CLI [DAL-2594]

12. Fix bug where CLI ping and traceroute commands would ignore any interface specified in the command [DAL-2605]

13. Fix bug where SureLinkTM default tests would continue to pass if cellular modem lost its active data connection [DAL-2609]

14. Fix a bug handling certificate files with spaces

15. Fixed padding issue with downloading SCEP CA certificates [DAL-2212]

16. Fixed rare issue with passthrough ancillary DNS not resolving if ancillary DNS redirect issue was disabled

17. Fixed issue with active serial logins when a serial-related configuration change was applied to the DAL device [DAL-2696]

18. EX15/EX15W only: Fix unstable Gigabit Ethernet connections when device is in passthrough mode [DAL-2642]

19. Fix broken SCP/SFTP file transfers when idle_timeout was set to a value other than nil [DAL985]

20. Fix occassional issue where expired DHCP leases were not cleared [DAL-2310]

21. Fixed output of show modem CLI command when cellular modem re-initializes

22. Fix potential initialization issues aer updating firmware [DAL-2762]

VERSION 19.11.72.85 (January 21, 2019)

This is a recommended release.

NEW FEATURES

1. Added new digidevice.led python module for controlling LEDs on the device [DAL-2303]

96000472_C Release Notes Part Number: 93001323_T Page 23

ENHANCEMENTS

1. Include each interface's MTU to the output of the show route verbose command in the

Admin CLI [DAL-2378]

BUG FIXES

Unless otherwise stated, any bugs mentioned here only aect earlier versions of 19.11.x

1. Fixed bug preventing users from configuring an IPsec tunnel with a remote network of

0.0.0.0/0 [DAL-2253]

2. Fixed timing issue between Active Recovery tests and reloading the devices firewall rules,

which if done in the wrong order could result in the device not sending traic through the validated connection [DAL-2000]

3. Fixed bug where the local web UI would show a *N/A* value for an interface's bytes

transmitted/received [DAL-2295]

4. Fixed slowdown in Wi-Fi bridge/repeater mode due to GRO (Generic Receive Oload) being

enabled [DAL-2353]

5. EX15/EX15W only: Fixed bug preventing VLAN setups from working (bug present on all

firmware versions older than 19.11.72.85) [DAL-2264]

VERSION 19.11.72.58 (December 6, 2019)

This is a mandatory release.

NEW FEATURES

1. Re-themed web UI with improved navigation and functionality. New functionality includes:

1. The ability to view local filesystem contents [DAL-2110]

2. Help-text on login page

3. Quick-config access on status pages

4. new Dashboard overview page

5. Mobile-friendly UI

2. New network analyzer and packet capture tool, included in in both the Admin CLI and web UI [DAL-1575]

3. Added options under the Network->Modem section of the device configuration to setup SIM slot prioritization and SIM slot failback [DALP-287]

4. Added new Preferred tunnel option under VPN->IPsec->Tunnels to configure a tunnel to be a primary or failover tunnel [DAL-1478]

5. Add new DHCP Hostname option for IPv4 and IPv6 settings under the Network->Interfaces

section of the configuration to allow the device to advertise its hostname to the DHCP server upon connection (disabled by default) [DALP-427]

6. Added ability to receive encrypted SMS commands from Digi Remote Manager [DALP-270]

7. Add support for the Telit LM960A18 LTE CAT18 module [DAL-1905]

8. Add support for Sierra Wireless EM7511 LTE CAT18 module [DAL-1414]

9. Add support for Quectel EG25-G LTE CAT4 module [DALP-339]

10. Add support for Quectel EG06 LTE CAT6 module [DALP-403]

11. Add Python support on all products (previously only available on the IX14 and Connect IT 16/48) [DAL-1907]

12. Add system disable-cryptography Admin CLI command to configure a device for nocrypt mode [DALP-491]

96000472_C Release Notes Part Number: 93001323_T Page 24

13. Once a device is set for nocrypt mode, a user must press the Erase button to reset the device to factory default settings to disable nocrypt mode and restore the device back to standard operation

14. Add show usb Admin CLI command [DAL-2029]

ENHANCEMENTS

1. Default user changed from root to admin [DAL-936]. Once a device is upgraded to 19.11.72.58 or

newer firmware

1. If you do have an admin user configured, it will not be touched by the update

2. If you do not have an admin user configured, a new one will appear. It will have the

same credentials/settings as the root user

3. If you had a root user configured (e.g. not factory defaults) it will be preserved to

maintain existing user access

4. Restoring the device to factory defaults aer update will result in only the admin user. If

you have a root user and do a factory default, you have to login with the admin user instead of root, using the same default password printed on the bottom of the device

2. Added the ability to push OpenVPN routes in subnet mode [DAL-2224]

3. Add cellular IMEI and firmware version, along with bluetooth and accelerometer info to show manufacture command in the Admin CLI [DAL-2030]

4. Add the % measurement value to the CPU usage in the show system output of the Admin CLI

5. Device is passthrough mode with an IPv6 connection now honors and utilizes the MTU in IPv6 Ras

6. When using Verizon SIMs, utilize the OMADM process to auto-discover the APN [DAL-1371]

7. Enhance modem firmware update tool to support multiple modem installations [DAL-2148]

8. Created new Edge firewall zone to prevent the device's DNS services from being advertised on the network, which still allowing SSH and web UI access [DAL-2085]

9. Removed 192.168.210.254 Default IP gateway [DAL-2095]

10. Added support for sending RFC2136 compatible DNS updates to external DNS servers [DALP446]

11. Add new options under VPN->IPsec->Tunnels->Local endpoint->ID->ID Type for using the device's MAC address or serial number as its local endpoint ID [DALP-437]

12. Updated the filename of the support report generated through the web UI or CLI to include the Digi name [DAL-1434]

SECURITY FIXES

1. Updated OpenSSL to version 1.1.1d [DALP-304]

BUG FIXES

1. EX15W only: Fixed slow performance of Wi-Fi driver (issue present on 19.8.1.61 and older

firmware) [DAL-2181]

2. EX15W only: Fixed bug where WiFi clients would be disconnected in areas with congested Wi-Fi

channels [DAL-2178]

3. Fixed bug where Telit LM940 module inside the 1003-CM11 CORE modem could disconnect and

not recover due to it starting up in the wrong mode or its serial ports not responding [DAL-1843]

4. Fixed bug where a device in passthrough mode drops received packets from cellular WAN larger

than its MTU (bug present in firmware versions 19.5.x through 19.8.1.61) [DAL-2137]

96000472_C Release Notes Part Number: 93001323_T Page 25

5. Fixed bug with timing of RCI callbacks from Digi Remote Manager (bug present in firmware

versions 19.8.1.61 and older) [DAL-2091]

6. Fixed bug where RX/TX data usage metrics reported to DRM could be mistakenly calculated as a

negative sum [DAL-1972]

7. Fixed crash in IPsec configuration with more than 6 for IKE Phase 1 proposals or more than 10

IKE Phase 2 proposals [DAL-2066]

8. Fixed bug in reporting the reboot counter metric to DRM [DAL-1932]

9. Fixed bug where persistent system logs could not be remotely accessed through DRM [DAL-

2060]

10. Fixed bug where DRM would always shows the device's connected method as ethernet [DAL-

1993]

11. Prevent users from selecting non-production firmware versions when perform modem OTA

updates [DAL-1662]

12. Fixed bug preventing Linux clients from querying a DAL device running a NTP server [DAL-1815]

96000472_C Release Notes Part Number: 93001323_T Page 26

VERSION 19.8.1.61 (October 22, 2019)

This is a recommended release.

ENHANCEMENTS

1. Skip auto-APN detection when using Telus SIM cards [DAL-1928]

2. Add QCDM service for accessing QXDM ports of Qualcomm-based modems [DAL-1904]

3. Add microcom tool [DAL-1872]

BUG FIXES

1. Fixed bug in runt where the boot version was reported incorrectly (bug present in firmware version 19.8.1.43) [DAL-1828]

2. Fixed registration delays on devices with Telit modems using Sprint SIM cards (bug present in firmware versions 19.8.1.43 and older) [DAL-1872]

3. Fixed stability issues with 1003-CM11 modem (bug present in firmware versions 19.8.1.43 and older) [DAL-1843]

4. Fixed bug preventing devices using a 1002-CM06 modem (Sierra MC7455) with a Telus SIM from loading the Telus carrier-firmware onto the modem (bug present in firmware versions 19.8.1.43 and older) [DAL-1823]

5. Fixed memory leak causing a DAL device in passthrough mode to stop responding to ARP requests on its LAN port (bug present in firmware versions 19.8.1.43 and older) [DAL-1686]

6. Fixed bug preventing SSH keys from being used to authenticate when establishing a SSH session to the DAL device (bug present in firmware version 19.8.1.43) [DAL-1742]

7. EX15/EX15W only: Fixed bug where a DAL device in passthrough mode would ignore any custom gateway/netmask settings in its configuration settings (bug present on firmware version

19.8.1.43) [DAL-1454]

8. EX15/EX15W only: Fixed bug preventing a modem OTA firmware update from recovering if the update was interrupted, such as from a power loss or reboot (bug present on firmware versions

19.8.1.43 and older) [DAL-2051]

VERSION 19.8.1.43 (August 30, 2019)

This is a mandatory release.

NEW FEATURES

1. Telit LE910c4-NF modem support

2. WAN passthrough, allowing for multi-WAN passthrough setups [DALP-163 & DAL-959]

· As a result, passthrough settings are not under the Modem section anymore, and instead are by default listed under the Network-Interface->LAN section for devices with passthrough enabled by default. To change a device defaulting in passthrough mode to router mode, simply change the "Network->Interfaces->LAN->Interface type" from "IP Passthrough" to "Ethernet", and then you'll see the normal router-mode configurations options available.

3. Auto-generated CLI documentation [DAL-1091]

96000472_C Release Notes Part Number: 93001323_T Page 27

ENHANCEMENTS

1. ModemManager update to version 1.10.2 [DAL-885]

2. Add verbose system log error messages when issues are encountered posting device health metrics to Digi Remote Manager [DAL-203]

3. Add system log when 1003-CM11 modem (LM940) carrier aggregation is disabled due to temperature limits

4. Include Telit carrier aggregation details in device support report [DAL-1435]

5. Add support for python RCI/SCI data_service callbacks and requests from Digi Remote Manager [DAL-1003]

6. Implement protocol to be used for all local communication between cc_acld and connector clients [DAL-203]

7. Include SIM locked/ready status in show modem CLI output [DAL-1320]

8. Update show modem CLI output formatting to have a summary mode that can be used to display the status of the modem(s) in the device, and the verbose output to display additional information for each modem, including the SIM, registration and attachment status [DAL-1184]

9. Improved formatting in the show route CLI output, including finer distinction of static routes [DAL-1176]

10. Include policy and connection details in show ipsec CLI output, along with improved status details [DAL-1190 & DAL-1174]

11. Improve labeling in output of the show network interface X CLI command

12. Show OpenVPN client list and rx/tx bytes in show openvpn CLI output [DAL-1192]

13. Add filtering options in show log CLI command [DAL-1181]

14. Add CPU usage, device temperature (if available), device description, and location details in show system CLI output [DAL-1172]

15. Updated local web UI logout link to list the name of the logged in user [DAL-1142]

16. Renamed the section of central management options from config to cloud [DAL-1255 & DAL1256]

17. Added configuration option to have DHCP leases file persistent or clear across reboot [DAL1196]

18. Update CLI table formatting to double space & blank fields [DAL-1186]

19. Add strongswan bypass-lan plugin to allow 0.0.0.0/0 remote IPSec networks [DAL-1007]

SECURITY FIXES

1. Update Linux kernel to version 5.1.14 [DAL-1076]

2. Busybox update to version 1.31.0 [DAL-1161]

· The new busybox shell environment no longer allows local variable statements such as the following:

local ip_addr='1.2.3.4'

· and instead the variable must be set without the local option, such as: ip_addr='1.2.3.4'

· includes update to httpd webUI

3. Remove option to change Wi-Fi country code on US-products [DAL-1402]

96000472_C Release Notes Part Number: 93001323_T Page 28

4. Update dnsmasq2 to version 2.80 to address DNS cache snooping (CVE-2017-15107) [DAL-1386]

5. Update conntrack-tools to version 1.4.5

6. Update libnetfilter_conntrack to version 1.0.7

7. Update libmnl to version 1.0.4

8. Update bind to version 9.14.2 [DAL-1338]

9. Update iptables to version 1.8.3

10. Update libqmi to version 1.23.1 [DAL-885]

11. Update libmbim to version 1.18.0 [DAL-885]

12. Update stunnel to version 5.54 [DAL-1162]

13. Update quagga to version 1.2.4 (CVE-2016-1245 and CVE-2017-5495) [DAL-1160]

14. Update tar to version 1.32 [DAL-1159]

15. Add Digi Remote Manager serial port configuration to all DAL products with managed serial ports (previously only available on Connect IT products) [DAL-1213]

16. Remove unused user passwords from /etc/password [DAL-1316]

BUG FIXES

1. Fixed bug causing loss of cellular connectivity on devices in passthrough mode with IPSec tunnels built through the cellular passthrough connection (issue present on firmware versions

19.5.x) [DAL-1612]

2. Fixed bug where an apostrophe in a WiFi's WPA pre-shared key would result in the SSID not being broadcasted [DAL-1633]

3. Fix issues where Telit QMI modems would disconnect from USB hub and not recover [DAL-1321/ DAL-1556]

4. Fix issues where QMI-based modems would disconnect from cellular network and not automatically re-attach (bug present in 19.5.x firmware) [DAL-1375]

5. Fix issue where logging out of the local web UI from the Terminal page would result in the leside navbar still showing the menu instead of the Log in link [DAL-863]

6. Fix issue where client devices sending a DHCP request over WiFi to an external server would fail due to the ARP broadcast reply packets having the wrong source MAC address [DAL-1526]

7. Fix issue where a DHCP relay endpoint couldn't be setup through modem or IPSec interfaces [DAL-956]

8. Close any open sessions on a serial port when configuration update changes the mode of the serial port

9. Fix bug in show network CLI output when both IPv4 and IPv6 networks were available

10. Fix bug where show network CLI command would show incorrect output when no SIM was present

11. Fix bug in returning dynamic-only ref_enums in device config to Digi Remote Manager [DAL1323]

12. Fix service serversocket binding when cc_acl restarts [DAL-1411]

13. Fix reloading of displayed configuration options when enabling/disabling aView central management in the local web UI [DAL-834]

14. Fix reloading of the Dashboard page when enabling/disabling Intelliflow in the local web UI [DAL-780]

96000472_C Release Notes Part Number: 93001323_T Page 29

15. Reset LEDs displayed during reboot instead of freezing the LEDs to show the last known device state before the reboot [DAL-886]

16. Fix bug where Digi Remote Manager RCI thread blocks indefinitely waiting for config write lock [DAL-573]

17. Fix bug where ls command in the admin CLI required a terminating / on the path [DAL-1251]

18. Fix output of show wifi CLI output to show which physical radio a WiFi-as-WAN client is on, instead of a device name [DAL-1171]

19. Fix labeling and format errors in show wifi CLI output

20. Fix multiple SSID traversal with WiFi-as-WAN client setups [DAL-1246]

21. Fix bug with show openvpn name CLI command output [DAL-1191 & DAL-1192]

22. Fix bug with carrier, plmn, and modem status output in show modem CLI command

23. Fix column spacing and lower-casing consistency in show arp CLI output [DAL-1173]

24. Fix parsing of carrier names when posting cellular modem details to Digi Remote Manager [DAL1553 & DAL-1326]

25. Fix error showing signal strength of WiFi network(s) when the signal was 0% [DAL-1404]

26. Limit decimal numbers reported to Digi Remote Manager to six decimal places [DAL-807]

27. 6310-DX only: Fixed CPU slowdown due to kernel update (bug present on firmware versions

19.5.88.59 - 19.8.1.30) [DAL-1687]

28. Fixed bug with Sierra MC73xx-series cellular modules in 6300-CX and 1002-CM03 products where the modem would require a power cycle aer upgrading the firmware of the modem in order to reconnect [DAL-1716]

29. Fixed issue with Telit LE910-NAv2 cellular modules in 1002-CM04 CORE modems not receiving SMS messages while cellular data session was active/online (bug present on firmware versions

19.8.1.30 and older) [DAL-1634]

30. Add Telus m2m APNs to fallback list [DALP-452]

VERSION 19.5.88.81 (June 26, 2019)

This is a mandatory release.

NEW FEATURES

1. Added support for getting NMEA location information from a UDP port (default port 2948) [DAL1084]

SECURITY FIXES

1. Kernel patch for SACK attack (CVE-2019-11477). For more information, see https://www.digi.com/resources/security

BUG FIXES

1. Fixed bug where IPSec tunnel would cause a system crash when the tunnel was established over QMI-based modems [DAL-1170]

2. Fixed aView tunnel issue where the tunnel drops over time and remote commands fail [DAL776]

3. Fixed bug preventing QMI-based Telit modems (CAT1 and CAT-M1 modules in particular) from connecting with vzwstatic APNs (bug present on 19.5.88.59 firmware)

96000472_C Release Notes Part Number: 93001323_T Page 30

4. Fixed bug where the 1003-CM modem (LTE CAT11 Telit LM940) would shut-down and not recover its cellular connection if temperatures were too high

5. Fixed bug where the cellular modem occasionally would not initialize properly on devices with a large number of serial ports

VERSION 19.5.88.59 (May 24, 2019)

This is a mandatory release.

NEW FEATURES

1. New CLI with more commands/consistency [DAL-773]

2. Enable Multicast DNS service on all platforms [DAL-972]

3. Implement RADIUS authentication support for users [DAL-903]

4. Add NTP Server option (disabled by default) [DAL-340]

5. Add sp server to all DAL platforms [DAL-859]

6. ECC Custom Cert Support [DAL-764]

ENHANCEMENTS

1. Improvements to CLI show serial [DAL-1175]

2. Improved reliability of security chip from userspace access due to wakeup

3. Send interface name with cellular status events [DAL-916]

4. Updated ipset version to 7.1 [DAL-917]

5. Update to newest shadow-4.6 package

6. TACACS+ authorization for more server implementations [DAL-933]

7. stunnel updated to version 5.52 [DAL-915]

8. Additional health metrics required for DRM 3.0 [DAL-810]

9. Add support for Telit ME910C1_WW

10. Direct remote serial port access via WebUI (shellinabox) [DAL-775]

11. Dual-APN Support on Telit LE910-NAv2 (1002-CM04) [DAL-818]

12. Improved OpenVPN operation and customization [DAL-798]

13. Update to linux-5.0 [DAL-842]

14. Add description field to system group [DAL-581]

15. Upgrade MC7455 to 02.30.01.01 (SWI9X30C 2.0 Release 23) added latest Sierra firmware for MC7455 and MC7430 [DAL-759]

16. Add an additional APN for Bouygues in France [DAL-840]

17. Improved Telit location reporting [DALP-226]

18. Improved collection of network LINK and Speed reporting

19. Implement Digi Remote Manager health metrics [DAL-707]

20. Added latest Telit LE910_XX_V2 firmware md5 sums

SECURITY FIXES

1. Update to openssl-1.0.2r (security) CVE-2019-1559

96000472_C Release Notes Part Number: 93001323_T Page 31

2. busybox: fix for CVE-2014-9645 [DAL-1159]

3. busybox: fix for CVE-2017-16544 [DAL-1159]

4. libcurl: update to 7.64.1 (CVE-2017-8816, CVE-2017-8817, CVE-2017-8818, CVE-2018-0500 CVE2018-1000300, CVE-2018- 1000301, CVE-2018-14618, CVE-2018-16839, CVE-2018-16840, CVE2018-16842 CVE-2018-16890, CVE-2019-3822, CVE-2019- 3823)

5. libcurl: fixes for CVE-2018-1000007, CVE-2017-8818, CVE-2017-8816, CVE-2018- 1000005 Zebra

0.99.24: fix for CVE-2016-1245

6. busybox fixes for CVE-2016-6301, CVE-2016-2148, CVE-2017-16544, CVE-2016-2147, CVE- 201715874, CVE-2014-9645, CVE-2011-5325 [DAL-1159]

7. pppd update to 2.4.7 (CVE-2014-3158, CVE-2015-3310)

8. Kernel patch to resolve CVE-2019-11815

BUG FIXES

1. Fix issue on 6300-CX preventing WebUI based firmware update up to 1 in 3 tries [DAL-1194]

2. Remote cloud connections were locked until while long running commands completed [DAL1177]

3. Fix major issue with multiple IPsec policies When two remote subnets are configured in 2 Policies for an IKEv2 tunnel only Policy 2 traic will pass [DAL-934]

4. Corrections to CLI show route [DAL-1176]

5. CLI show system output included outdated current time and uptime [DAL-1172]

6. Errors on console during WebUI firmware update [DAL-1140]

7. Faster fetching of signal attributes for LE910_NA_V2 modem

8. Fixed bug with parsing out MCC/MNC from AT#RFSTS response (LE910NAv2)

9. Fixed cloud connector crash on shutdown

10. Fixed process management issue with cloud connector and configuration

11. Check for configured serial ports in show serial command

12. Fixed bug where show serial option is visible for devices with no serial ports [DAL-1114]

13. Web GUI input validation rewording to be consistent

14. DAL-CLI: fix typos in descriptions, titles, and minimums

15. WebUI: Ensure correct versions of static files are loaded (using md5hash)

16. Serial ports were mistakenly listed under Network for metrics and state

17. Metrics had incorrect title, "System" in descriptors/state.

18. ModemManager: Telit error reporting patch

19. Intelliflow crash fix (divide by 0 on some datasets)

20. Intelliflow improve error reporting

21. System maintenance tasks do not run during duration window if reboot time is set [DAL-960]

22. SPIKE: Asynchronous CLI under DRM [URMA-1996]

23. Firmware update through WebUI doesn’t recover when some other page is clicked during the update process [DAL-869]

24. Signal/dbm/percentage inaccurate on Verizon 2G and 3G connections with MC7354 [DAL-786]

25. Verify and fix dual APN support on the LM940 [DAL-742]

26. Unable to establish dual-APN connection with AT&T using Sierra modem [DAL-813]

96000472_C Release Notes Part Number: 93001323_T Page 32

27. Telit: Added logic to protect new C1_AP modems from being bricked [DAL-744]

28. Telit: Added firmware check sum for version 414 of LE910-EU1 [DAL-822]

29. Update Telit LE910C1-NS modem firmware from 25.00.244 to 25.00.246 [NPIX-939]

30. Fix MTU support for PPP based connections

31. Added md5 sums for the latest Telit firmware for LE910_NA1

VERSION 19.1.134.81 (Feb 14, 2019)

This is a mandatory release.

NEW FEATURES

1. Support for sending device health metrics to DRM

2. PPPoE via WAN Ethernet support

3. Added option to upgrade Telit cellular modules to custom firmware images

The custom firmware image must be a .tar.gz compressed file include the .bin firmware image itself and a .md5 file containing the md5sum output for the .bin image

4. Support for the Telit LM940 LTE cat11 module, including OTA firmware updates and carrier switching

5. Initial support for the Sierra EM7430 LTE cat6 module

6. Added 2-factor authentication support to all devices (previously only available on 5400-RM and 635x-SR products)

ENHANCEMENTS

2. Added support for upgrading Telit LE910_XX modules to the latest xx5 firmware

3. Update aView defaults to tunnel to ipsec.accns.com endpoint for remote commands

4. Added 18327.mcs and 13631.mcs AT&T APNs

5. Added intra.vzwentp Verizon APN

6. Add Network->Modem options to basic options when central management is enabled

7. Added ability to set custom DHCP options under the IPv4 -> DHCP server -> Advanced settings configuration options for a network interface

8. Updated entries created under the System -> Scheduled tasks -> Custom scripts to be enabled by default. Previously, newly created custom scripts would be disabled by default

9. Updated custom SNMP MIB to include OIDs for all available cellular modem metrics (RSRP, RSRQ, RSSI, MCC, MNC, etc.)

10. Added GRE and IP-tunnel details to the Tunnels tab on the Status page of the local web UI

11. Updated the progress bar shown during modem firmware updates on the System page of the local web UI to change to red if the firmware update fails

12. Added Telit-specific AT commands to mmcli-dump file included in a support report generated from the System page of the local web UI

13. Allow atcmd tool in the Admin CLI to run whether ModemManager is enabled or disabled

SECURITY FIXES

96000472_C Release Notes Part Number: 93001323_T Page 33

1. Updated ModemManager to version 1.10.0

2. Updated wget to version 1.19.5

3. Updated strongswan from version 5.5.3 to version 5.7.1

4. Updated openssl to version 1.0.2q

5. Updated pcre to version 8.42

6. Updated glib to version 2.57.1

7. Update to Linux kernel 4.19.13

BUG FIXES

1. Fixed bug where firewall setup would crash if multiple modem interfaces were configured in the settings of the device

2. Fixed bug where OTA updates to Telit modules could be interrupted by loss of power, but would not resume aer power was restored

3. Fixed bug where 2G location details were not stored or reported properly

4. Fixed bug where location details for Telit modems were not stored or reported properly

96000472_C Release Notes Part Number: 93001323_T Page 34

Digi EX12, EX12-PR, EX15, EX15W, EX15-PR User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Digi Accelerated Linux (DAL) Release Notes

Digi Accelerated/Enterprise Routers

Version 21.2.39.67

INTRODUCTION

SUPPORTED PRODUCTS

KNOWN ISSUES

UPDATE BEST PRACTICES

TECHNICAL SUPPORT

CHANGE LOG

VERSION 21.2.39.67 (February 27, 2021)

FEATURES

ENHANCEMENTS

BUG FIXES

SECURITY FIXES

VERSION 20.11.32.168 (December 23, 2020)

ENHANCEMENTS

BUG FIXES

VERSION 20.11.32.138 (December 2, 2020)

FEATURES

ENHANCEMENTS

BUG FIXES

SECURITY FIXES

VERSION 20.8.22.32 (August 28, 2020)

FEATURES

ENHANCEMENTS

BUG FIXES

SECURITY FIXES

VERSION 20.5.38.58 (July 20, 2020)

ENHANCEMENTS

BUG FIXES

SECURITY FIXES

VERSION 20.5.38.39 (May 29, 2020)

FEATURES

ENHANCEMENTS

BUG FIXES

SECURITY FIXES

VERSION 20.2.162.162 (April 17, 2020)

ENHANCEMENTS

BUG FIXES

VERSION 20.2.162.157 (April 13, 2020)

ENHANCEMENTS

BUG FIXES

SECURITY FIXES

VERSION 20.2.162.90 (March 11, 2020)

NEW FEATURES

ENHANCEMENTS

SECURITY FIXES

BUG FIXES

VERSION 19.11.72.85 (January 21, 2019)

NEW FEATURES

ENHANCEMENTS

BUG FIXES

VERSION 19.11.72.58 (December 6, 2019)

NEW FEATURES

ENHANCEMENTS

SECURITY FIXES

BUG FIXES

VERSION 19.8.1.61 (October 22, 2019)

ENHANCEMENTS

BUG FIXES

VERSION 19.8.1.43 (August 30, 2019)

NEW FEATURES

ENHANCEMENTS

SECURITY FIXES

BUG FIXES

VERSION 19.5.88.81 (June 26, 2019)

NEW FEATURES

SECURITY FIXES

BUG FIXES

VERSION 19.5.88.59 (May 24, 2019)

NEW FEATURES

ENHANCEMENTS

SECURITY FIXES

BUG FIXES

VERSION 19.1.134.81 (Feb 14, 2019)

NEW FEATURES