Digi EX12, EX12-PR, EX15, EX15W, EX15-PR User Manual

DIGI INTERNATIONAL

9350 Excelsior Blvd, Suite 700
Hopkins, MN 55343, USA
+1 (952) 912-3444 | +1 (877) 912-3444

www.digi.com

Digi Accelerated Linux (DAL) Release Notes

Digi Accelerated/Enterprise Routers

Version 21.2.39.67

INTRODUCTION

This is a major firmware release for all DAL supported products. This is a mandatory production
firmware release.

SUPPORTED PRODUCTS

· Digi EX12/EX12-PR

· Digi EX15/EX15W

· Digi EX15-PR/EX15W-PR

· AcceleratedConcepts 5400-RM

· AcceleratedConcepts 5401-RM

· AcceleratedConcepts 6310-DX

· AcceleratedConcepts 6330-MX

· AcceleratedConcepts 6335-MX

· AcceleratedConcepts 6350-SR

· AcceleratedConcepts 6355-SR

KNOWN ISSUES

· Cellular metrics are not shown under the Settings → Status → Communications section of Digi
Remote Manager, but are shown under the Data Streams for the device. [DALP-768]

· Health metrics are uploaded to Digi Remote Manager unless the Monitoring > Device Health >
Enable option is de-selected and either the Central Management > Enable option is de-

selected or the Central Management > Service option is set to something other than Digi
Remote Manager [DAL-3291]

· Wired Internet connectivity is interrupted during cellular modem firmware updates [DAL-4647]

· The cellular Access technology configuration option is ignored if carrier PLMN locking is

enabled [DAL-4693]

UPDATE BEST PRACTICES

Digi recommends the following best practices:

1. Test the new release in a controlled environment with your application before you update

production devices.

96000472_C Release Notes Part Number: 93001323_T Page 1

2. Unless otherwise noted, apply updates in the following order:

a. Device firmware
b. Modem firmware
c. Configuration
d. Application

Digi recommends Digi Remote Manager or Digi aView for automated device updates. For more
information, follow the instructions for Digi Remote manager or Digi aView in the links below:

1. Instructions for Digi Remote Manager:

https://www.digi.com/resources/documentation/digidocs/90001436-13/default.htm#tasks/t_update_device_firmware.htm

2. Instructions for Digi aView:

https://www.digi.com/resources/documentation/digidocs/acl-kb/default.htm#Subsystems/kb-6300-cx/update-firmware.htm

If you prefer manually updating one device at a time, follow these steps:

1. Download the firmware file from the Digi firmware support page.

2. Connect to the device’s web UI by connecting your PC to the LAN Ethernet port of the device

and then going to http://192.168.210.1.

3. Select the System tab on the top navigation bar of the page, then select Firmware Update.

4. Select the Browse button in the Upload file section.

5. Browse for and select the downloaded firmware file.

6. Click the Update Firmware button.

TECHNICAL SUPPORT

Get the help you need via our Technical Support team and online resources. Digi oers multiple
support levels and professional services to meet your needs. All Digi customers have access to
product documentation. firmware, drivers, knowledge base and peer-to-peer support forums.

Visit us at https://www.digi.com/support to find out more.

CHANGE LOG

Mandatory release = A firmware release with a critical or high security fix rated by CVSS score.

For devices complying with ERC/CIP and PCIDSS, their guidance states that
updates are to be deployed onto device within 30 days of release

Recommended release = A firmware release with medium or lower security fixes, or no security fixes

Note that while Digi categorizes firmware releases as mandatory or recommended, the decision if
and when to apply the firmware update must be made by the customer aer appropriate review
and validation.

VERSION 21.2.39.67 (February 27, 2021)

EX12-21.2.39.67.bin

SHA512:

d1cd96a3a0004874209ad87acef74cd80ae695eda4d614c7ee07e54fa4635980cdd8d13c
d28c045e8e9b8a5aac18e509032580c8b7f9a2f64f01f2c54bc65fd3

MD5: 6f422c1c3f1324b5c58c72b23c4d0e8d

EX12-PR-21.2.39.67.bin

SHA512:

e8b6eb1e2ebd4f810e103138fdd8fa9e0a3cb3ee9a613a635984e28fded6a873fa2781211
4628adfc63f5310e8114ee48de0d3959ededf6c1c3d2962d05653d5

96000472_C Release Notes Part Number: 93001323_T Page 2

MD5: 212e450aa6eec6e6ef76d4b39553e3e9

EX15-21.2.39.67.bin

SHA512:

ca00f52fd57c901115fb360ec22b2591de9b7eca542b1a14c8385d00423a2f9dadbcc68a0
a6d5067a7568d77199a361d68609431ccd5fa2ebdb075587bb16d77

MD5: b4db0fb96d39ca1742c1a24d653b479c

EX15-PR-21.2.39.67.bin

SHA512:

a16fef890859003ef2f5e39b453a3425b84358be6c6427a17af69cd77179097aa5a4a0932
6c696ec9b238dc511f8e3a66f2b6fae416eb051504b9a8ddf677e86

MD5: 8323ef118600a4e1a9da481095ee6d57

EX15W-21.2.39.67.bin

SHA512:

a252302c2c6208dd243e1088b87e5e69d656586dc67060043303fcd7dbc07d0a9bf47840
42d974dd6c4975d115e559b7bf6be593c1587e398e0f8d2a3976d150

MD5: ad4807daf027489f586a5db03391963d

EX15W-PR-21.2.39.67.bin

SHA512:

7a5f2d2009d4667d6275f7d70733d59359a608dae7983cb17073877f9bf0c324c6736faf5e
3384248f3f5eec6e6be79bb0ecb19c9f660f69114735f42ccbbaf0

MD5: 956d2134b32efc2522a7796bc732b072

5400-RM-21.2.39.67.bin

SHA512:

5fd6aaa4461cfadf8e99357453cd98eeb37f87e4db5c7b86876f15963e646ef8cf8a3ceaf20
83810e074f17a46d47dff83a1bb697914ee7519cd182b432a5dd7

MD5: e7f807e658ad07554295ad5e3ab483e1

5401-RM-21.2.39.67.bin

SHA512:

bdb09db0a6dcd78caa070a2d34201a44e3566d29825b0b504d8a5e5bdf5e7bdbb66c6c1
bf56ac8e89c2b983ff537878f7492a88ca9366cafa07eebe39aaf3ed9

MD5: 160aed03d7468a60f7c7b5d6f5934df3

6300-CX-21.2.39.67.bin

SHA512:

2ccbc4023724efc8010389f14d155b723b1d2ccc2eccf8b415bc43a84aac934a8b9cba494
1dfd09284a9ada8b8dca4980720005c3a3223c0192adb91d13f3db4

MD5: 4fede0c4124b4db8d90a1c23ef8b82af

6310-DX-21.2.39.67.bin

SHA512:

03065095a051aaa72dfcf18d8ece4f41541c32e281879e6e471e85ec1dcb2eac38efb2986
ddd6bb167e2f7e1f4e17cb2d3c57ad511869e7b7f4ef2925a1a4da2

MD5: 0fbf35610bdb32a2507149758759a708

6330-MX-21.2.39.67.bin

SHA512:

e1d74d7ab50edfb2f045fde9e43d0acaaff6acb3486af02bd5f341128f1636e78b403e44d45
05a4a96d4811e01ca7614250e8cd4561305184cea1e7eeeb77c29

MD5: 6871b262946cbbe7f5c32c5bf7

6335-MX-21.2.39.67.bin

SHA512:

cf31b12d714ce03fbe4fa250849d04b17e8fa58d1d4d1484fbb23ff7780beeeea8a14a4feab
95a0e6e937f3a03a22035d52bafe4d39f9d045e90d679c3ff9746

MD5: 15ba4d5c01726f8bce39d88808c4aba1

96000472_C Release Notes Part Number: 93001323_T Page 3

6350-SR-21.2.39.67.bin

SHA512:

b7adadc8e1b63001f746fd6ce355e44960ecb6d03e1c01922b34d648d6466157642e8048
cd0142e062a28d148a3c94eae63df80b8e5c1fc36d04294c791c0b15

MD5: 2fa98f75a606bf21304e8e4f8221cf

6355-SR-21.2.39.67.bin

SHA512:

e38794189d5fff5e910bbd43066c714fef9f2a7773248e484bcbaf3c7f2de503da082363b8d
0d57a74c2034012943464c926975c7c81be4d389093e3c70919db

MD5: b0807f0d9e5eb10f8703e4eecc4bd282

FEATURES

1. Add the Location service to all DAL products. DAL devices can utilize several location

sources (cellular, GNSS, or user defined) to determine where it's located and report that to
Digi Remote Manager or other servers [DAL-724]

2. Add geo-fencing configuration options. This new features is found under Services →

Location → Geofence. It can be utilized to define one or more circular or polygonal geo­fence areas and then perform a set of actions when the device enters or leaves that area.
Current options for actions to perform are either factory erasing the device or running a
custom script. [DALP-711]

3. New modem scan CLI command for listing available carriers for the current modem and

SIM setup.

4. New Network → Interface → Modem → Network PLMN ID config setting to lock the SIM card

to a particular carrier based on its PLMN ID(note that the Carrier selection mode must be
set to Manual or Manual/Automatic in order to lock the SIM to a specific carrier) [DALP­637]

5. Added local API to the web UI for automated configuration of the device [DALP-777]

6. Support remote CLI commands through Digi Remote Manager [DAL-4273]

7. New configuration options under System → Scheduled tasks → System maintenance to

automatically check for device and modem firmware updates, then notify in the CLI and
web UI when updates are available [DAL-4413]

ENHANCEMENTS

1. EX15W: Added new DFS Client Support configuration setting to support 5GHz DFS Wi-Fi

channels in client mode [DALP-720]

2. EX15W: Add 5GHz frequencies to the list of channels that can be scanned for client-mode

Wi-Fi background scanning [DAL-2570]

3. Set 2.4GHz default Wi-Fi bandwidth to 20MHz [DALP-772]

4. Update default background scanning settings for Wi-Fi clients to the following:

1. Scan threshold: -75dB

2. Short interval: 5s

3. Long interval: 300s

5. Updated Surelink recovery of Wi-Fi connections to restart the Wi-Fi module if restarting the

network connection fails to recover the setup [DAL-4387]

6. Added settings under Authentication → Serial to control Certificate Management for TCP

and autoconnect serial port setups [DALP-682]

7. Allow hidden/debug config settings to be controlled and preserved by DigiRM [DAL-4445]

8. Asymmetric preshared keys for IPsec tunnels [DALP-707]

9. Don't display Aggressive/Main mode or Xauth selections for IKEv2 IPsec tunnels [DAL-4142]

10. Update name and description of certificate settings for OpenVPN clients and servers [DAL-

96000472_C Release Notes Part Number: 93001323_T Page 4

4435]

11. Add digidevice.led python module to all products [DALP-710]

12. Add options to forward location information to a remote host over TCP [DALP-778]

13. Add new Forward interval multiplier configuration option under Services → Location →

Destination servers to control the number of location update intervals to wait before
sending location data to this server [DAL-4056]

14. Report location metrics as datapoints to DigiRM [DAL-4055]

15. Include the connection uptime of IPsec tunnels as datapoint metrics to Digi Remote

Manager [DAL-4062]

16. Report the phone number of the SIM as a health metric datapoint to Digi Remote Manager

[DAL-4440]

17. Fixed incorrect format of ICCID and IMEI metrics reported to Digi Remote Manager [DAL-

4440]

18. Add iptables TRACE tool for enhanced firewall debugging [DAL-4182]

19. Improved accuracy of the status shown for a modem during a firmware update

20. 1002-CMG4: Disable GEA1 on EG25-G modem [DAL-4250]

21. 1002-CMG4: Disable voice services on EG25-G modules [DAL-4560]

BUG FIXES

1. Fixed issue with utilizing soware flow control on serial ports set in remote-access mode

[DAL-3630]

2. Fix issue where a serial port could lock up and prevent access if flow control was enabled

[DAL-4585]

3. Fixed issue where non-primary DNS were queried through the wrong interface when

use_dns configuration option is set to primary [DAL-3156]

4. Report the phone number of the SIM as a health metric datapoint to Digi Remote Manager

[DAL-4440]

5. Fixed incorrect format of ICCID and IMEI metrics reported to Digi Remote Manager [DAL-

4440]

6. Fixed setup issue between custom firewall rules and IPsec tunnels [DAL-4433]

7. Fixed occasional issue preventing LM940 modems from re-establish their cellular

connection aer a modem firmware update [DAL-2933]

8. Fixed issue requiring a user to fix syslog configuration setting when updating from 20.5.x or

older firmware to 20.8.x/20.11.x firmware [DAL-4426]

9. Fixed rare issue where show system CLI command would display incorrect uptime details

[DAL-4350]

10. Fix issue with secondary CLI sessions showing stale configuration settings if the config is

updated elsewhere [DAL-4446]

11. Updated message displayed in web UI to direct the user to refresh the page aer erasing the

device back to default settings [DAL-2326]

12. Fixed issue where dynamic DHCP leases were not displayed in the CLI or web UI (bug

present on 20.11.x firmware versions) [DAL-4557]

13. Fixed inaccurate status of the Ethernet interface of a device in passthrough mode [DAL-

4543]

14. Fixed issue preventing web UI access if two-factor authentication was enabled (bug present

on 20.11.x firmware versions) [DAL-4509]

15. Fixed issue where CLI commands sent from DigiRM would crash the DAL device's connection

to DigiRM [DAL-4412]

16. Fixed issue preventing WAN/cellular connections from working if the interface was

96000472_C Release Notes Part Number: 93001323_T Page 5

configured with a single Interface Up Surelink test [DAL-4629]

17. Fix rare issue where Wi-Fi hotspots would stop responding to DHCP requests if restarted

many times [DAL-4298]

18. Fixed output of the show wifi ap name <ap_name> and show wifi client name

<client_name> CLI commands [DAL-1615]

19. Fixed inaccurate status of the Ethernet interface of a device in passthrough mode [DAL-

4543]

20. PR products: Fixed issue preventing usage of the digidevice.config python module on PR

firmware products [DAL-4378]

21. EX12: Fixed connectivity of EX12 devices with T-Mobile private APN SIMs [DAL-4544]

22. 1003-CM11: Fixed occasional issue preventing LM940 modems from re-establish their

cellular connection aer a modem firmware update [DAL-2933]

23. 1003-CM11: Fixed timing issue aer updating firmware on LM940 modems that preventing

the modem from reconnecting unless rebooted [DAL-4614]

24. Fixed issue causing aView-initiated speed tests to report the same upload/download speeds

[DAL-4420]

SECURITY FIXES

The highest level vulnerability that has been fixed in this release is listed as a Critical CVSS score of

8.1 High

1. Update hostapd to address CVE-2019-16275 and CVE-2019-13377 [DAL-4232]

2. Update wpa_supplicant to address CVE-2019-16275 [DAL-4233]

3. Update libcurl to version 7.74.0 (CVE-2020-8169, CVE-2020-8177) [DAL-4336]

4. Update to python version 3.6.12 (CVE-2020-14422) [DAL-4364]

5. Update OpenSSL to version 1.1.1i (CVE-2020-1971) [DAL-4326]

6. Update dnsmasq to version 2.83 (CVE-2019-14834, CVE-2020-25681, CVE-2020-25682, CVE-

2020-25683, CVE-2020-25684, CVE-2020-25685, CVE-2020-25686, CVE-2020-25687) [DAL­3950]

7. Update web security settings with the following headers [DAL-4192]

1. Pragma: no-cache

2. Content-Security-Policy

3. X-Content-Type-Options: nosni

4. X-XSS-Protection: 1; mode=block

8. Set SAMEORIGIN in X-Frame-Options to uppercase [DAL-4192]

9. Automatically de-activate active user logins/sessions if the password for that user changes

10. Removed support for https CBC ciphers [DAL-4408]

11. Fixed XSS vulnerability on serial page in the local web UI (Bug present on firmware versions

20.11.x and older) [DAL-4646]

12. PR products: Removed debug config options from PR firmware for changing https ciphers

[DAL-4417]

VERSION 20.11.32.168 (December 23, 2020)

This is a recommended release.

ENHANCEMENTS

1. Use PDP context 1 with Telus carrier SIMs [DAL-4332]

96000472_C Release Notes Part Number: 93001323_T Page 6

BUG FIXES

1. Fixed bug preventing Ethernet speed/duplex adjustment (aects firmware version

20.11.32.138) [DAL-4414]

VERSION 20.11.32.138 (December 2, 2020)

EX12-20.11.32.138.bin

SHA512:

8ca00542ccca7a8a03cd720405e2d85a1d78660c804bf312f9599bc404830a7b40074abb
5d3dad60ba7f2402609a2f22dc5f7e793d7dfaf845f8db18c8c68d17

MD5: 73958d8bb5acc31d4f75b3066f04daad

EX12-PR-20.11.32.138.bin

SHA512:

a2d9f823f8753a2cb00c04232f9f314afcddad221b4b76c4d392401d5725a06cd8787231
837c0e7c4329da473afbe6ee861f2ebd4da1e5e8d17f8aac7f1eab

MD5: 211d1005b5c812c3c36d3b55ac355dc2

EX15-20.11.32.138.bin

SHA512:

83fd656aed56d972543f4d19e003825593d79dc439846b03a3d7116599cba9e1c06a55c1
f5c984a01a5f6820c1fc8f5b7491f1a9ef793a2aed223575dac15ef8

MD5: 8fd4e699bd27cc9da81cb726225021c9

EX15-PR-20.11.32.138.bin

SHA512:

efe94ed40519d132067cb2c0239d85428b039cea25f88955313913ade9170f9e990714d
ac13d3fc0d0d22630a01145c878482f435f34fea8acb6528c87bc95

MD5: fb31340e93ad3bde71d0e5a5c90fd1dc

EX15W-20.11.32.138.bin

SHA512:

63ad84ec0ca6798137890486076e46b6f4f39447f5f5fed3eeef4e5485a169ace26c919c51
d9f9b2de67cb6ae59768e913270bb526ef0e866fe6889d735deaf7

MD5: 3518774a2339b0babd56c57bd129838d

EX15W-PR-20.11.32.138.bin

SHA512:

9b67783334b0acab900682db7d817d8f9f7cd797601ea5778cc335f36845189a968094b4
29e45a564e33d42614d0030e71a57fc66cbe2321b9fb7994a2b849

MD5: 54c8f6fad147bda2b3d119afe311

5400-RM-20.11.32.138.bin

SHA512:

75a6c795d0bca41f73516f5f1287ca8529f446fdd5ca6d2bbf6062be7e60bd4b2fc9a79dd
98b44c39f33f4cdd834644e9e1004a2c656886a9b51e254e24fc3d8

MD5: 8fe0c22df1a24065b9b1ec32e90e2ded

5401-RM-20.11.32.138.bin

SHA512:

826fbdb9d9c7cd8c768debabf4219d5828ef3e07b3c50d78d94a3d32553ec0696c3cfe05
2d61f773e37d66fc09bf7102a500fb9bf7f37240fb630259e54434

MD5: 8364adb9346a60462941abae20eeb7

6300-CX-20.11.32.138.bin

SHA512:

2b1e79bb7242c2730b5e29aa54ba9f1b8a2b5bd9a2f5b6176f07f1c338aae8a8270d76e2

96000472_C Release Notes Part Number: 93001323_T Page 7

3bbea6e0311233cc9eb0d4b406d73192b57a3736bb9e43f66b6b4f32

MD5: eccedc3709db885fac85a9323c6924e1

6310-DX-20.11.32.138.bin

SHA512:

e63f8d4a08967a20a1876d24b828392667dd904fd23053a032408329118dfc248b658a8a
521084258342fea0d8579916a8a97ba4831b5a2d59d0f6a827a8b77f

MD5: 2f9e15eb0ac42fd1ce74b67eedd28f1d

6330-MX-20.11.32.138.bin

SHA512:

9d87a8256f2326d48c5492b31eb0bc11e7e7e02c916db704f532aeb2e6a48359aadaf58
fa49912c4f873e8fdd657d6578b5a0e061b53df5b51a55597b7f9e8

MD5: 953f27a0d01baa3e84a1b356e1e769b0

6335-MX-20.11.32.138.bin

SHA512:

9b5ecf97e76055ddbfcf836839e41276c9e14707a4ea074c965d3f7194b1710efda59e216
835db75715095d6cf7de76deb01bf5e68849b535b4a57673159ad49

MD5: 461913ddf3b1649155a6de015a54dc76

6350-SR-20.11.32.138.bin

SHA512:

5571ae02a4d2bea4f412906ae91a61d453794007fbddd339d58feca739f93e12233342b0
b3e7718d33fc3a82473e9eb516790eba7a85d1255de0a432006f56

MD5: 6583d1f6001bb872de247c1b193b0480

6355-SR-20.11.32.138.bin

SHA512:

1701987867b894df7a4f22163c7bdc51e8210178fe105146e9976dfe4ef6bee21f9b7ebd
38615ad4da05b5dd2f0795d729b4b8ccbbe66ab80e9eea2c171a35

MD5: 1dc366811ebb098422a174d3c8cdb4

FEATURES

1. EX12/EX15/EX15W: New PR product variants and firmware for FirstNet/ResponseVerify

products [DALP-674]

1. PR stands for Primary Responder and indicates a security hardened, feature-restricted
firmware targeted to comply with AT&T FirstNet and Verizon ResponseVerify
certifcation security requirements. It is the same DAL firmware under the hood, but
with several features removed to comply with FirstNet and ResponseVerify security
restrictions. Below is a list of changes for PR products:

1. Services → Telnet removed

2. Removed Telnet option from Remote access options if a serial port was set in

Remote access mode

3. WPA1 Wi-Fi encryption option (WPA Personal) removed

4. Default Wi-Fi SSID disabled by default

5. interactive shell removed

1. Firewall → custom rules always has sandbox enabled with limited shell
command and filesystem access to only allow iptables interaction

2. System → Scheduled tasks → Custom scripts always has sandbox option
enabled with limited shell command and filesystem access to allow CLI access
and python script execution

3. No inbound SCP/SFTP support

96000472_C Release Notes Part Number: 93001323_T Page 8

2. Add ssh and telnet commands to Admin CLI [DALP-664]

3. Add new modem firmware CLI commands for performing local or over-the-air remote
firmware updates to the cellular modem(s) in the device [DAL-2811]

4. Add new configuration options under Network → Devices for setting the link speed/duplex
of the device's Ethernet port(s) [DALP-135]

5. Add options for starting, stopping, and viewing serial port activity logs through the CLI, web
UI, or Digi Remote Manager [DALP-458]

6. Support for the Sierra EM9190/9191 5G modems [DALP-686]

7. Support for the Sierra EM7411 LTE CAT7 modem [DALP-608]

8. IPv6 IPsec tunnel support for full IPv6 tunnels, IPv6-over-IPv4, or IPv4-over-IPv6 tunnels
[DALP-581]

9. IPsec XFRM interfaces for enhanced control over IPsec tunnels and the network interfaces
associated to them. This allows users to select tunnels for multiple networking features,
including static routes, policy-based routes, access control lists, and routing priority based
on metric. [DAL-490]

10. Inclusion of the Python pip for installing external modules/libraries [DAL-4078]

ENHANCEMENTS

1. Add Services → Location options for configuring GPS or GNSS location communication
[DALP-724]

2. GPS/GNSS support for the 1002-CMG4 modem [DALP-713]

3. Add cellular technology icon to the Dashboard in the web UI [DAL-3673]

4. Add link to product User Guide under the User drop-down menu at the top-right of the web
UI [DALP-569]

5. Added help button to System → File System page of the web UI [DALP-569]

6. Added new Status → Modbus Gateway service page to the web UI to display information
about modbus clients and servers connected to the gateway [DALP-671]

7. Added show modbus-gateway CLI command to view the status of Modbus gateway service
[DALP-671]

8. Updated show modem CLI command to display historical information about the modem if
it is in the process of updating firmware [DAL-1504]

9. Added new Services → Ping responder configuration settings for controlling what
interfaces and firewall zones the DAL device responds to ICMP requests on [DAL-1565]

10. Enhance IPSec tunnels to wait for passing Surelink tests (if configured) before initiating
outbound tunnels [DAL-3878/DAL-3774]

11. Add m2m.telus.iot Telus APN to fallback list [DAL-3911]

12. Add psmtneorm and edneopate010.dpa AT&T APNs to fallback list [DAL-4041/DAL-4045]

13. Add reseller and tracfone.vzwentp Tracfone APNs to the AT&T and Verizon fallback lists
DAL-4098]

14. Add new 890103 and 890141 ICCID prefixes and 31030 PMND ID matchers to AT&T APN
fallback list [DAL-3934/DAL-4041]

15. Add service.qcdm.secure option to enable/disable encrypted QXDM access to the cellular
modem in the DAL device [DAL-3964]

16. Add missing modem firmware and SIM details to datapoints uploaded to Digi Remote
Manager [DAL-4040]

17. Show uptime for connection to Digi Remote Manager on the Dashboard web UIpage in
days/hours/minutes/seconds instead of just minutes [DAL-3691]

18. Updated network bridges to use the MAC address of the first device listed in Network →
Bridges → [bridge_name] → Devices as the MAC address for the bridged interface [DAL-

96000472_C Release Notes Part Number: 93001323_T Page 9

3949]

19. Add link in the firmware update window on the Status → Modem page to direct users to the
configuration options to schedule a modem firmware update [DALP-725]

20. Updated the help text on the login page to provide a more generic image [DAL-3916]

21. Added option when copying serial port settings on the System → Serial Configuration page
to optionally copy the label of the serial port [DAL-3842]

22. Removed duplicate modem signal information from the Modem → Status page [DAL-3680]

23. Added a DSCP option to policy-based routes to allows users to match the routing rule by
the type of DSCP field in the packet [DAL-3867]

24. Added a defaultroute option for matching policy-based routes to the device's active
default route [DAL-4130]

25. Hide the Monitoring → Device Health configuration options if the device is not enabled for
Digi Remote Manager central mangement [DAL-3825]

26. Update header types for the cellular modem name and network type on the Dashboard
page

27. Create system log when Surelink DNS tests are skipped because the interface doesn't have
any DNS servers [DAL-4224]

28. Hide main/aggressive mode option when using IKEv2 [DAL-4142]

BUG FIXES

1. EX12: Enable Surelink on cellular modem by default (bug aects EX12 devices on firmware
versions 20.8.x and older) [DAL-3795]

2. Fixed missing default settings in configuration profiles created in Digi Remote Manager (bug
aects firmware versions 20.8.x and older) [DALP-658]

3. Fixed missing option for setting the SIM Slot Preference in configuration profiles in Digi
Remote Manager (bug aects firmware versions 20.8.x and older) [DAL-3912]

4. Fixed format of user passwords when displayed in Digi Remote Manager (bug aects
firmware versions 20.8.x and 20.5.338.58) [DAL-3889]

5. Fixed issue with policy-based routing not working in conjunction with multiple IPsec
tunnels (bug aects firmware versions 20.8.x and older) [DAL-3515]

6. Fixed issue preventing OpenVPN server-managed certificates from being re-generated if the
process was interrupted (bug aects firmware versions 20.8.x and older) [DAL-3803]

7. Fixed issue preventing OpenVPN client from using an autogenerated config file from a tap­bridge openvpn server (bug aects firmware versions 20.8.x and older) [DAL-3881]

8. Fixed some formatting output of the show system verbose CLI command (bug aects
firmware versions 20.8.x and older) [DAL-3805]

9. Fixed issue preventing VRRP interoperability between DAL devices and SarOS devices (bug
aects firmware versions 20.8.x and older) [DAL-4130]

10. Update VRRP+ to properly handle changes in network interface statuses bug aects
firmware versions 20.8.x and older) [DAL-4274]

11. Removed poorly formatted script contents from the show scripts CLI command output
[DAL-3315]

12. Fixed non-working system disable-cryptography CLI command [DAL-4169]

13. Fixed second-stage erase functionality on devices not enabled for aView management [DAL­3944]

14. Fixed issue preventing multicast traic from being sent through a GRE tunnel [DAL-3879]

15. Fixed issue preventing a firewall rule from being setup for OSFPv2 entries [DAL-3869]

16. Fixed rare crash caused when a Quectel modem disconnected [DAL-3867]

17. Fixed behavior of the WWAN Service LED to blink when a modem firmware update is in

96000472_C Release Notes Part Number: 93001323_T Page 10

progress (bug aects firmware versions 20.8.x and older) [DAL-3963]

18. Fixed issue preventing 1002-CMG4 modems from connecting with Verizon private APNs (bug
aects firmware versions 20.8.x and older) [DAL-3605/DAL-3276]

19. Removed SIM slot 2 references and options from the configuration settings in the 6300_CX
[DAL-3930]

20. Disable the internal Qualcomm GPSoneXTRA application on Telit LE910c4-NF modules from
downloading data from the Qualcomm commercial XTRA server (bug aects firmware
versions 20.8.x and older) [DAL-4009]

SECURITY FIXES

The highest level vulnerability that has been fixed in this release is listed as a Critical CVSS score of

9.1

1. Secureboot with signed firmware images for the EX15/EX15W (CVSS score 5.7 Medium
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H) [DALP-646]

2. Disallow TCP forwarding from incoming SSH connections [DAL-3938]

3. Remove sensitive information from HTTP GET requests (CVSS score: 5.7 Medium CVSS:3.1/

AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N) [DAL-3938]

4. Update to linux kernel 5.8 (CVSS score: 3.7 Low CVE-2020-16166 CVSS:3.1/AV:N/AC:H/PR:N/
UI:N/S:U/C:L/I:N/A:N) [DALP-678]

5. OpenSSH updated to version 8.3p1 (CVSS score: 2.2 Low
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N) [DAL-3299]

6. OpenSSL updated to vesion 1.1.1h (CVSS score: n/a) [DAL-4037]

7. OpenVPN updated to version 2.4.9 (CVSS score 9.1 Critical CVE-2018-7544
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H) [DAL-3862]

8. Linux shell/bash updated to version 5.0 (CVSS score: n/a) [DAL-3763]

9. jQuery updated to version 3.5.1 (CVSS Score: 6.1 Medium CVE-2020-11022 CVE-2020-11023)
[DAL-3547]

10. Updated WebU session token to use AES-256-GCM cipher (CVSS score: n/a) [DAL-4000]

11. Prevent web asset access from unauthorized logins (CVSS score: 5.3 Medium CVSS:3.1/AV:N/

AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) [DAL-3835]

12. Add script CSP headers to the web UI (CVSS score: n/a) [DAL-3629]

13. Added extra layer of firmware verification to ensure the firmware matches the target
hardware variant and prevent firmware modifications (CVSS score 1.9 Medium
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N) [DAL-3511]

14. Prevent command injection through modemadvanced, modem_install, and firmware
webpages (CVSS score: 6.8 Medium CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) [DAL­4093/DAL-4104/DAL-4046]

15. Prevent manual addition of files to an encrypted filesytem outside of the device itself (CVSS
score: 6.1 Medium CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) [DAL-4149]

16. Restrict memory allocation of tcpdump (CVSS score: 7.5 High CVE-2020-8037
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) [DAL-4226]

17. Removed expired aView and AVWOB certificates [DAL-3467]

18. Encode MAC address in URL used to sync with aView to prevent privileged escalation [DAL­4304]

VERSION 20.8.22.32 (August 28, 2020)

EX12-20.8.22.32.bin

SHA512:

b5f1371048906d6dc452d3db2e041e645f60d590d800955334bb31bada8843b89728d1f

96000472_C Release Notes Part Number: 93001323_T Page 11