DGW-15675 - Sentinel CS (Software SBC) officially released

The Sentinel CS (Software SBC) is now officially released for General Availability (GA).

DGW-15499 - Accept /31 and /32 netmasks in Bni, Iprouting, Lfw, Nat, Nfw and Vm services

Incident Number: IN-14194

IP addresses with a /31 and /32 netmasks are now allowed in the following parameters:

• Bni.NetworkInterfaces.StaticipAddr
• IpRouting.AdvancedIpRoutes.SourceAddress
• IpRouting.StaticIpRoutes.Destination
• Lfw.LocalRules.SourceAddress
• Lfw.LocalRules.DestinationAddress
• Nat.SNatRules.SourceAddress
• Nat.SNatRules.DestinationAddress
• Nat.DNatRules.SourceAddress
• Nat.DNatRules.DestinationAddress
• Nfw.NetworkRules.SourceAddress
• Nfw.NetworkRules.DestinationAddress
• Vm.InternalVirtualSwitchipAddr

DGW-15367 - Support of redundant Ethernet port switchover

The redundant Ethernet port feature can be activated via the Eth.RedundantPorts parameter.

When activated, the traffic of the ETH4 port will automatically switchover to the ETH5 port in case of a link failure on the ETH4 port.

DGW-15338 - OWASP: Disable access to internal UART

Follow OWASP IoT Verification Requirement C.1:Verify that application layer debugging interfaces such USB, UART, and other serial variants are disabled or protected by a complex password.

DGW-15325 - Add USB support on the AMD Ryzen CPU

Incident Number: IN-15378

Virtual Machines (VM) can now access USB devices on the AMD Ryzen CPU.

DGW-15274 - SBC: New parameter to control the TCP/TLS client port number

New parameter "Sbc.SignalingInterface.ForceLocalClientPort" has been added for the SBC to force client SIP connections to use the same port as the listening port.

The parameter is configurablefor each signaling interface and is effective for TLS and TCP transports.

DGW-15220 - SBC: New interop parameter to disable TLS 1.3

Incident Number: IN-14657

A new interoperability parameter Sbc.TransportInteropMaxTlsVersion has been added in the Sbc service to limit the TLS version for SIP over TLS connections.

DGW-15053 - Change of behavior for SNMPv3 authentication

Previously, the Snmp service could use any user account to authenticate a SNMPv3 request.

The Snmp service now requires its own username and password to be defined in the Snmp.SnmpUser and Snmp.SnmpV3Password parameters for SNMPv3 authentication.

This modification was required for DGW-15007.

Note: SNMPv1 and SNMPv2 are not impacted by this change of behavior.

For more information, please consult the "PCN20220216_SNMPv3_New_Behavior.pdf" document in the Media5 Documentation Portal: https://documentation.media5corp.com/display/MP/Product+Change+Notification

DGW-15007 - User passwords are now securely hashed

Incident Number: IN-15117

User passwords are no longer saved in clear text, but instead saved in a cryptographically secure way, using the PBKDF2-HMAC-SHA256 hash algorithm.

Previously, when exporting a backup or configuration script, the passwords could be read in clear-text. Now, only the hashed passwords are visible.

A user cannot retrieve a forgotten password anymore, since it is impossible to reverse a hashed password into a clear-text password. In case all passwords are forgotten, a partial reset or factory reset can be done to restore to the factory initial passwords.

DGW-14927 - Certificate files can now be exported in configuration script

A new option has been added to Configuration Script exportation: All Config & Files. This enables the exportation of certificate files along with the rest of the configuration.

The certificate file content is encoded in Base64.

DGW-14607 - Multiple network interfaces are now allowed in the same subnet

The Bni service no longer deactivates a network interface whose subnet is overlapping with another network interface, as long as they have different IP addresses.

DGW-15469 - The SBC registration cache may have issue handling more than 1000 users

The capacity of the SBC registration cache was increased to match the capability of each SBC platform.

DGW-15442 - CVE-2022-0778: Possible Denial of Service (DoS) from purposedly crafted TLS certificate

An important security flaw was found in the OpenSSL library affecting DGW version 48.4 and below. If exploited successfully, this vulnerability could cause the unit to reboot unexpectedly.

The CVE-2022-0778 has been addressed by upgrading the OpenSSL library to version 1.1.1n.

DGW-15429 - Clear Scripts/Selection links not working in Web pages

The Clear Scripts and Clear Selection links in the Configuration Scripts and Backup/Restore web pages now behave properly.

DGW-15164 - Virtual Machine cannot be created after a restoring a backup under certain conditions

Fixed an issue where new Virtual Machine could not be created after restoring a backup that already contained some Virtual Machine entries.

DGW-15050 - SBC: A specific ruleset expression may cause an unexpected unit restart

Fixed an issue that was causing an unexpected restart of the unit when the $_r(0) replacement expression was used in a ruleset.

DGW-14973 - SIP: Support additional DHE ciphers

The SipEp service now supports the following DHE ciphers when using SIP over TLS:

• TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384