DGW-13668 - Support the Strict-Transport-Security header for DGW Web pages as per RFC 6797.
DGW-13750 - Cannot limit Cwmp service HTTPS provisioning to use only TLS 1.2.
DGW-13765 - Add TLS 1.3 support for the Conf, Cwmp and File services.
DGW-13785 - SRTP interoperability improvements for the Mipt service.
DGW-13830 - SRTP interoperability improvements for the Sbc service.
DGW-13933 - Some RTP packets may cause the application to stop responding.
DGW-13963 - Protect DGW Web pages against Cross-Site Request Forgery attacks.
DGW-14229 - CVE-2021-3449: TLS communications are vulnerable to a Denial of Service (DoS).
Security changes
DGW-14229 - CVE-2021-3449: TLS communications are vulnerable to a Denial of Service (DoS).
An important security flaw was found in the OpenSSL library affecting DGW v46.1, v46.2, v47.0, and v47.1. If exploited successfully, this vulnerability could cause the unit to reboot unexpectedly.
The OpenSSL library was fixed, addressing CVE-2021-3449.
DGW-13963 - Protect DGW Web pages against Cross-Site Request Forgery attacks.
The following strategies have now been implemented in the DGW Web pages to protect against Cross-Site Request Forgery (CSRF/XSRF) attacks:
The SameSite=Lax attribute is included in the cookie.
CSRF tokens were added to all form submissions (POST) and background AJAX requests (GET and POST).
The CSRF protection is always enabled.
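The two layers listed above, as an added example that is not DGW firmware code: a session cookie issued with SameSite=Lax, and a per-session token that every form POST and every AJAX request (GET or POST) must present. The in-memory session store, the hidden field name csrf_token and the X-CSRF-Token header name are assumptions of this example.

```python
import hmac
import secrets
from typing import Dict, Tuple

# Constructed in-memory session store: session id -> CSRF token bound to it.
SESSIONS: Dict[str, str] = {}

def new_session() -> Tuple[str, str, str]:
    """Create a session; returns (session id, Set-Cookie value, CSRF token)."""
    sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    SESSIONS[sid] = token
    # SameSite=Lax: the browser omits this cookie on cross-site POSTs and on
    # cross-site subresource/XHR loads, so forged requests arrive unauthenticated.
    cookie = f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"
    return sid, cookie, token

def csrf_ok(method: str, cookies: Dict[str, str], form: Dict[str, str],
            headers: Dict[str, str], is_ajax: bool) -> bool:
    """Second layer: every form POST and every AJAX request (GET or POST)
    must carry the token tied to the session cookie. Returns True to allow."""
    expected = SESSIONS.get(cookies.get("session", ""))
    if expected is None:
        return False                      # no valid session: reject outright
    if method == "GET" and not is_ajax:
        return True                       # ordinary page load, not state changing
    # Forms carry the token as a hidden field; AJAX sends it in a request header
    # (field and header names are assumptions of this example, not DGW's).
    presented = headers.get("X-CSRF-Token") if is_ajax else form.get("csrf_token")
    if presented is None:
        return False
    return hmac.compare_digest(presented, expected)   # constant-time comparison
```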
DGW-13933 - Some RTP packets may cause the application to stop responding.
When using the DSP codec Bank2, some RTP packets could cause the DSP to stop responding.
Fixed the DSP configuration that caused the problem.
DGW-13830 - SRTP interoperability improvements for the Sbc service.
When using SDES key exchange with the Sbc service, incorrect usage of the SRTP cryptography caused the cryptographic context, which includes the rollover counter (ROC), to reset at inappropriate times. This does not affect the DTLS-SRTP key exchange.
A new "SRTP preferences" ruleset action was added to configure interoperability parameters.
This ruleset action allows the configuration of the following three parameters:
CryptoModeOnOffer
CryptoModeOnAnswer
CryptoContextBehavior
When this new ruleset action is not added, the default behavior of the Call Agents continues to be:
Both crypto modes (CryptoModeOnOffer/CryptoModeOnAnswer) are set to keep their crypto keys.
By default the crypto context behavior (CryptoContextBehavior) is now set to never reset the cryptographic context.
Important change: If this new default behavior causes audio decryption issues, set the CryptoContextBehavior parameter to "AlwaysReset".
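An added illustration, not Media5 code, of why resetting the cryptographic context at the wrong moment breaks SRTP decryption: the keystream depends on the 48-bit packet index i = 2^16 * ROC + SEQ (RFC 3711 section 3.3.1), so a receiver whose ROC is reset after the 16-bit sequence number has wrapped derives a different index than the sender. The simulation and its sequence numbers are constructed here; it estimates the index the way RFC 3711 prescribes and compares a receiver that keeps its context with one that resets it mid-stream.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class SrtpContext:
    roc: int = 0                 # rollover counter, 32 bits
    s_l: Optional[int] = None    # highest RTP sequence number seen so far

    def estimate_index(self, seq: int):
        """RFC 3711 section 3.3.1: estimate the 48-bit index of packet 'seq'."""
        if self.s_l is None:
            v = self.roc                       # first packet: no history yet
        elif self.s_l < 32768:
            v = (self.roc - 1) % 2**32 if seq - self.s_l > 32768 else self.roc
        else:
            v = (self.roc + 1) % 2**32 if self.s_l - 32768 > seq else self.roc
        return (v << 16) | seq, v

    def commit(self, seq: int, v: int) -> None:
        """Update ROC and s_l once the packet has been authenticated."""
        if v == (self.roc + 1) % 2**32:
            self.roc, self.s_l = v, seq        # sequence number wrapped
        elif v == self.roc and (self.s_l is None or seq > self.s_l):
            self.s_l = seq
        # v == roc - 1 is a late packet from the previous window: no update

def sender_indices(first_seq: int, count: int) -> List[int]:
    """Sender view: the index simply keeps counting past the 16-bit SEQ wrap."""
    return [first_seq + k for k in range(count)]

def receiver_indices(first_seq: int, count: int,
                     reset_after: Optional[int] = None) -> List[int]:
    """Receiver view. If reset_after is given, the context is discarded after
    that many packets, mimicking an inappropriate mid-stream reset."""
    ctx = SrtpContext()
    out = []
    for k in range(count):
        if reset_after is not None and k == reset_after:
            ctx = SrtpContext()                # ROC back to 0, history forgotten
        seq = (first_seq + k) & 0xFFFF         # only 16 bits travel on the wire
        idx, v = ctx.estimate_index(seq)
        ctx.commit(seq, v)
        out.append(idx)
    return out
```

A reset before the first wrap is harmless (the receiver re-synchronises on the bare sequence number), while a reset after the wrap yields indices that no longer match the sender's, which is the decryption failure the ruleset action exists to avoid.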
DGW-13785 - SRTP interoperability improvements for the Mipt service.
The Mipt.SessionUpdateCryptoMode parameter was removed and replaced by the following three parameters:
Mipt.CryptoModeWhenSendingOffer
Mipt.CryptoModeWhenSendingAnswer
Mipt.CryptoContextBehavior
The default behavior of DGW with SRTP streams is not changed.
When an upgrade is performed, the configuration of the old Mipt.SessionUpdateCryptoMode parameter is taken into account and applied to the three new parameters using the following mapping:
Mipt.SessionUpdateCryptoMode | Mipt.CryptoModeWhenSendingOffer | Mipt.CryptoModeWhenSendingAnswer | Mipt.CryptoContextBehavior
Regenerate | RegenerateAlways | RegenerateAlways | ResetAlways
Keep | KeepAlways | KeepAlways | ResetAlways
Note: the CryptoModeWhenSendingOffer and CryptoModeWhenSendingAnswer parameters apply only to the SDES key management protocol. The CryptoContextBehavior parameter applies to both SDES and MIKEY.
DGW-13765 - Add TLS 1.3 support for the Conf, Cwmp and File services.
The Conf, Cwmp and File services now support TLS 1.3.
DGW-13750 - Cannot limit Cwmp service HTTPS provisioning to use only TLS 1.2.
It is now possible to correctly limit Cwmp service HTTPS provisioning to only use TLS 1.2 with the parameter Cwmp.TransportHttpsTlsVersion.
DGW-13668 - Support the Strict-Transport-Security header for DGW Web pages as per RFC 6797.
A new Web.HstsHeaderEnable parameter was added to enable the HTTP Strict-Transport-Security (HSTS) header, as described in RFC 6797.
When enabled, this feature prevents users from accessing the DGW Web pages using HTTP, and forces the browser to always communicate using HTTPS.
DGW-13570 - Add two new ECDSA ciphers for TLS 1.2.
The support of ECDSA certificates for TLS 1.2 was improved.
Two new AES cipher suites from RFC 8422 were added:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Copyright Notice
Copyright 2021 Media5 Corporation.
This document contains information that is proprietary to Media5 Corporation.
Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.
This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.
Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.