24.6.17.54/24.6.17.56 - June 2024, Feature

Release category: Mandatory

New feature

Release 24.6.17.56 for IX10

  1. For the IX10, Hybrid IPv4 addressing mode support was added to the Ethernet interface.

    In this mode, the device will first attempt to get an IPv4 address using DHCP. If it fails to get an IPv4 address after 1 minute, it will revert to using the static configured IPv4 address. This allows the IX10 (when running default configuration) to automatically connect to and be managed by Digi Remote Manager when connected into a network that supports DHCP. The addressing type must be changed to either dhcp or static when the first configuration change is made on the device.

Enhancements

Release 24.6.17.54 for all products

  1. The WAN-Bonding support has been enhanced with the following updates

    1. SureLink support.

    2. Encryption support.

    3. SANE client has been updated to 1.24.1.2.

    4. Support for configuring multiple WAN Bonding servers.

    5. Enhanced status and statistics.

    6. The WAN Bonding status is now included in the metrics sent to Digi Remote Manager.

  2. The cellular support has been enhanced with the following updates

    1. The special PDP context handling for the EX50 (EM9191) modem which was causing issues with some carriers. A common method is now used to set the PDP context.

    2. The cellular connection back-off algorithm has been removed as the cellular modems have built-in back off algorithms that should be used.

    3. The cellular APN lock parameter has been changed to APN selection to allow the user to select between using the built-in Auto-APN list, the configured APN list or both.

    4. The cellular Auto-APN list has been updated.

    5. The MNS-OOB-APN01.com.attz APN has been removed from the Auto-APN fallback list.

  1. The Wireguard support has been updated to allow the user to generate a client configuration that can be copied onto another device.

    This is done using the command wireguard generate <tunnel> <peer>

    Extra information may be needed from the client depending on config:

    1. How the client machine connects to the DAL device. This is needed if the client is initiating any connections and there is no keepalive value.

    2. If the client generates their own private/public key, they will need to set add that to their configuration file. If this is used with 'Device managed public key', every time a generate is called on a peer, a new private/public key is generated and set for that peer, this is because we do not store any private key information of any clients on the device.

  1. The SureLink support has been updated to

    1. Shutdown the cellular modem before power cycling it.

    2. Export the INTERFACE and INDEX environment variables so that they can be used in custom action scripts.

  1. The uploading of device events to Digi Remote Manager has been enabled by default.

  2. The logging of SureLink events has been disabled by default as it was causing the event log to be saturated with test pass events.

    SureLink messages will still appear in the system message log.

  3. The show surelink command has been updated.

  4. The status of the System Watchdog tests can now be obtained via Digi Remote Manager, the Web UI and using CLI command show watchdog.

  5. The Speedtest support has been enhanced with the following updates

    1. To allow it to run on any zone with src_nat enabled.

    2. Better logging when a Speedtest fails to run.

  1. The Digi Remote Manager support has been updated to only re-establish connection to Digi Remote Manager if there is a new route/interface it should utilize to get to Digi Remote Manager.

  2. A new configuration parameter, system > time > resync_interval, has been added to allow the user to configure the system time resynchronization interval.

  3. Support for USB printers has been enabled. It is possible to configure to device to listen for printer requests via the socat command

    socat - u tcp-listen:9100,fork,reuseaddr OPEN:/dev/usblp0

  4. The SCP client command has been updated with a new legacy option to use the SCP protocol for file transfers instead of the SFTP protocol.

  5. Serial connection status information has been added to the Query State response message that is sent to Digi Remote Manager.

  6. Duplicate IPsec messages have been removed from the system log.

  7. The debug log messages for the health metrics support have been removed.

  8. The help text for the FIPS mode parameter has been updated to warn the user the device will automatically reboot when changed and that all configuration will be erased if disabled.

  9. The help text for the SureLink delayed_start parameter has been updated.

  10. Support for the Digi Remote Manager RCI API compare_to command has been added.

  11. IX30: The IX30 analog IO calibration data has been removed from configuration backups.

  12. TX40: The TX40 Wi-Fi driver has been updated

    1. Supports up to 64 client connections.

    2. Can now support 2 Wi-Fi Client interfaces, one on the 2.4 GHz band and one on the 5 GHz band.

    3. In total, the TX40 can support up to 3 interfaces, with any combinations of Access Points and clients.

  13. TX54: The TX54 Bluetooth scanner support has been updated with new filtering and data forwarding options.

Security fixes

  1. The setting for Client isolation on Wi-Fi Access Points has been changed to be enabled by default. [DAL-9243]

  2. The Modbus support has been updated to support the Internal, Edge and Setup zones by default. [DAL-9003]

  3. The Linux kernel has been updated to 6.8. [DAL-9281]

  4. The StrongSwan package has been updated to 5.9.13 [DAL-9153]

    CVE-2023-41913 CVSS Score: 9.8 Critical

  5. The OpenSSL package has been updated to 3.3.0. [DAL-9396]

  6. The OpenSSH package has been updated to 9.7p1. [DAL-8924]

    CVE-2023-51767 CVSS Score: 7.0 High

    CVE-2023-48795 CVSS Score: 5.9 Medium

  7. The DNSMasq package has been updated to 2.90. [DAL-9205]

    CVE-2023-28450 CVSS Score: 7.5 High

  8. The rsync package has been updated 3.2.7 for the TX64 platforms. [DAL-9154]

    CVE-2022-29154 CVSS Score: 7.4 High

  9. The udhcpc package has been updated to resolve a CVE issue. [DAL-9202]

    CVE-2011-2716 CVSS Score: 6.8 Medium

  10. The c-ares package has been updated to 1.28.1. [DAL9293-]

    CVE-2023-28450 CVSS Score: 7.5 High

  11. The jerryscript package has been updated to resolve a number CVEs.

    CVE-2021-41751 CVSS Score: 9.8 Critical

    CVE-2021-41752 CVSS Score: 9.8 Critical

    CVE-2021-42863 CVSS Score: 9.8 Critical

    CVE-2021-43453 CVSS Score: 9.8 Critical

    CVE-2021-26195 CVSS Score: 8.8 High

    CVE-2021-41682 CVSS Score: 7.8 High

    CVE-2021-41683 CVSS Score: 7.8 High

    CVE-2022-32117 CVSS Score: 7.8 High

  12. The AppArmor package has been updated to 3.1.7. [DAL-8441]

  13. The following iptables/netfilter packages have been updated [DAL-9412]

    1. nftables 1.0.9

    2. libnftnl 1.2.6

    3. ipset 7.21

    4. conntrack-tools 1.4.8

    5. iptables 1.8.10

    6. libnetfilter_log 1.0.2

    7. libnetfilter_cttimeout 1.0.1

    8. libnetfilter_cthelper 1.0.1

    9. libnetfilter_conntrack 1.0.9

    10. libnfnetlink 1.0.2

  14. The following packages have been updated [DAL-9387]

    1. libnl 3.9.0

    2. iw 6.7

    3. strace 6.8

    4. d. net-tools 2.10

    5. ethtool 6.7

    6. MUSL 1.2.5

  15. The http-only flag is now being set on Web UI headers. [DAL-9220]

Bug fixes

  1. The WAN Bonding support has been updated with the following fixes

    1. The client is now automatically restarted when client configuration changes are made. [DAL-8343]

    2. The client is now automatically restarted if it has stopped or crashed. [DAL-9015]

    3. The client is now not restarted if an interface goes up or down. [DAL-9097]

    4. The sent and receive statistics has been corrected. [DAL-9339]

    5. The link on the Web UI dashboard now takes the user to the Web-Bonding status page instead of the configuration page. [DAL-9272]

    6. The CLI show route command has been updated to show the WAN Bonding interface. [DAL-9102]

    7. Only the required ports rather than all ports are now opened in the firewall for incoming traffic in the Internal zone. [DAL-9130]

    8. The show wan-bonding verbose command has been updated to comply with style requirements. [DAL-7190]

    9. Data was not being sent through the tunnel due to an incorrect route metric. [DAL-9675]

    10. The show wan-bonding verbose command. [DAL-9490, DAL-9758]

    11. Reduced memory usage that causes issues on some platforms. [DAL-9609]

  2. The SureLink support has been updated with the following fixes

    1. An issue where re-configuring or remove static routes could cause routes being incorrectly added to the routing table has been resolved. [DAL-9553]

    2. An issue where static routes were not being updated if the metric was configured as 0 has been resolved. [DAL-8384]

    3. An issue where the TCP test to a hostname or FQDN can fail if the DNS request goes out of the wrong interface has been resolved. [DAL-9328]

    4. An issue where disabling SureLink after an update routing table action leaves orphaned static routes has been resolved. [DAL-9282]

    5. An issue where the show surelink command displaying incorrect status has been resolved. [DAL-8602, DAL-8345, DAL-8045]

    6. An issue with SureLink being enabled on LAN interfaces causing issues with tests being run on other interfaces has been resolved. [DAL-9653]

  1. An issue with the HW encryption on the EX15 platforms that was introduced in the 24.3 release has been resolved. [DAL-9682]

  2. An issue where IP packets could be sent out of the wrong interface, including those with private IP addresses which could lead to being disconnected from the cellular network has been resolved. [DAL-9443]

  3. The SCEP support has been updated to resolve an issue when a certificate has been revoked. It will now perform a new enrollment request as the old key/certificates are no longer considered secure to perform a renewal. Old revoked certificates and keys are now removed from the device. [DAL-9655]

  4. An issue with how OpenVPN generated in server certificates has been resolved. [DAL-9750]

  5. An issue where Digi Remote Manager would continue to display a device as connected if it had been booted locally has been resolved. [DAL-9411]

  6. An issue with SureLink on IPsec tunnels using strict routing has been resolved. [DAL-9784]

  7. A race condition when an IPsec tunnel is brought down and reestablished quickly could prevent the IPsec tunnel coming up has been resolved. [DAL-9753]

  8. An issue when running multiple IPsec tunnels behind the same NAT where only interface could come up has been resolved. [DAL-9341]

  9. An issue with IP Passthrough mode where the cellular interface would be brought down if the LAN interface goes down which meant the device was no longer accessible via Digi Remote Manager has been resolved. [DAL-9562]

  10. An issue with multicast packets not being forwarded between bridge ports has been resolved. This issue was introduced in DAL 24.3. [DAL-9315]

  11. An issue where an incorrect Cellular PLMID was being displayed has been resolved. [DAL-9315]

  12. An issue with an incorrect 5G bandwidth being reported by the EX50 5G devices has been resolved. [DAL-9249]

  13. An issue with selecting 5G_SA mode with the on the EX50 5G with the EM9191 modem running the 03.14.10 firmware has been resolved. [DAL-9346]

  14. An issue with the RSTP support where it may initialize correct in some configurations has been resolved. [DAL-9204]

  15. An issue where a device would attempt to upload the maintenance status to Digi Remote Manager when it is disabled has been resolved. [DAL-6583]

  16. An issue with the Web UI drag and drop support which could cause some parameters being incorrectly updated has been resolved. [DAL-8881]

  17. An issue with the Serial RTS toggle pre-delayed not being honored has been resolved. [DAL-9330]

  18. An issue with the Watchdog triggering a reboot when not necessary has been resolved. [DAL-9257]

  19. An issue where DMVPN could take a long time to come up on the EX50 has been resolved. [DAL-9254]

  20. An issue where modem firmware updates would fail due to the index of the modem changing during the update and the status result not being reported to Digi Remote Manager has been resolved. [DAL-9524]

  21. An issue with the cellular modem firmware update on Sierra Wireless modems has been resolved. [DAL-9471]

  22. An issue with how the cellular statistics were being reported to Digi Remote Manager has been resolved. [DAL-9651]

  23. IX40: An issue with IX40 5G units outside of North America selecting an incorrect generic cellular firmware image has been resolved. [DAL-9266]

  24. IX40: An issue with the IX40 5G modem VoLTE and SIM hotswap settings being re-enabled after a carrier switch which resulted in longer connection times. [DAL-9264, DAL-9265]

  25. IX20: An issue with the IX20W Wi-Fi connecting to Access Points using DFS channels with the DAL 24.3 release has been resolved. [DAL-8933]

  26. IX10: An issue with IX10 SIM LEDs behavior has been resolved. [DAL-9593]

  27. TX54: An issue with the HW encryption on the TX54 platforms that was introduced in the 24.3 release has been resolved. [DAL-9682]

  28. TX54/TX64: The Wi-Fi driver support for the TX54 and TX64 platforms has been updated to improve performance. [DAL-9060]

  29. TX64: An issue with the TX64 where the device can crash when connecting to a Wi-Fi Access Point has been resolved. [DAL-9317]

  30. TX40: An issue with TX40 5G units outside of North America selecting an incorrect generic cellular firmware image has been resolved. [DAL-9266]

  31. TX40: An issue with the TX40 5G units modem VoLTE and SIM hotswap settings being re-enabled after a carrier switch which resulted in longer connection times. [DAL-9264, DAL-9265]

  32. TX40: An issue with the TX40 where changing the location service configuration could cause the cellular modem to disconnect has been resolved. [DAL-9201]

  33. TX64: An issue where TX64 could not always connect to Wi-Fi Access Points using DFS channels has been resolved. [DAL-9298]

  34. TX64: An issue with an incorrect 5G bandwidth being reported by the TX64 5G devices has been resolved. [DAL-9249]

  35. TX64: An issue with selecting 5G_SA mode with the on the TX64 5G with the EM9191 modem running the 03.14.10 firmware has been resolved. [DAL-9346]