
Security Improvement Notes

DGW Application 48.0.2430


Summary

ID         Synopsis
DGW-13570  Add two new ECDSA ciphers for TLS 1.2.
DGW-13668  Support the Strict-Transport-Security header for DGW Web pages as per RFC 6797.
DGW-13750  Cannot limit Cwmp service HTTPS provisioning to use only TLS 1.2.
DGW-13765  Add TLS 1.3 support for the Conf, Cwmp and File services.
DGW-13785  SRTP interoperability improvements for the Mipt service.
DGW-13830  SRTP interoperability improvements for the Sbc service.
DGW-13933  Some RTP packets may cause the application to stop responding.
DGW-13963  Protect DGW Web pages against Cross-Site Request Forgery attacks.
DGW-14229  CVE-2021-3449: TLS communications are vulnerable to a Denial of Service (DoS).


Security changes

DGW-14229 - CVE-2021-3449: TLS communications are vulnerable to a Denial of Service (DoS).

An important security flaw was found in the OpenSSL library affecting DGW v46.1, v46.2, v47.0, and v47.1. If exploited successfully, this vulnerability could cause the unit to reboot unexpectedly.

The OpenSSL library was fixed, addressing CVE-2021-3449.

DGW-13963 - Protect DGW Web pages against Cross-Site Request Forgery attacks.

The following strategies have now been implemented in the DGW Web pages to protect against Cross-Site Request Forgery (CSRF/XSRF) attacks:

  • The SameSite=Lax attribute is included in the cookie.
  • CSRF tokens were added to all form submissions (POST) and background AJAX requests (GET and POST).

The CSRF protection is always enabled.
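The two layers listed above, as an added illustration that is not DGW code: a session cookie issued with SameSite=Lax, and a per-session CSRF token that must accompany every form POST and every background (AJAX) request, GET included. The token scheme (an HMAC of the session id under a server secret), the cookie name "session", the form field "csrf_token", the "X-CSRF-Token" header and the use of "X-Requested-With" to recognise background requests are all assumptions made for this example, not details of the DGW implementation.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed per-process secret; a real server persists this securely.
SERVER_SECRET = secrets.token_bytes(32)

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_cookie_header(session_id: str) -> str:
    """First layer: the session cookie carries SameSite=Lax, so a browser does
    not attach it to cross-site POSTs or cross-site background requests."""
    cookie = SimpleCookie()
    cookie["session"] = session_id          # assumed cookie name
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    return cookie.output()                  # "Set-Cookie: session=...; SameSite=Lax; ..."


def issue_csrf_token(session_id: str) -> str:
    """Second layer: a token bound to the session. Assumed scheme: HMAC-SHA256 of
    the session id under the server secret, embedded in forms and page scripts."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token) -> bool:
    if not token:
        return False
    # Constant-time comparison so the expected token does not leak through timing.
    return hmac.compare_digest(issue_csrf_token(session_id), token)


def is_background_request(headers: dict) -> bool:
    # Assumed convention: AJAX calls mark themselves with X-Requested-With.
    return headers.get("X-Requested-With") == "XMLHttpRequest"


def check_request(method: str, cookies: dict, form: dict, headers: dict):
    """Return (accepted, reason) for one request. Form POSTs and background
    requests of either method must present a valid token; a plain navigational
    GET only needs the session cookie."""
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session cookie"
    needs_token = method not in SAFE_METHODS or is_background_request(headers)
    if not needs_token:
        return True, "navigational request, no token needed"
    token = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not csrf_token_valid(session_id, token):
        return False, "missing or invalid CSRF token"
    return True, "token ok"


if __name__ == "__main__":
    sid = "constructed-session-id"
    print(session_cookie_header(sid))
    tok = issue_csrf_token(sid)
    print(check_request("POST", {"session": sid}, {"csrf_token": tok}, {}))
    print(check_request("POST", {"session": sid}, {}, {}))
    print(check_request("GET", {"session": sid}, {}, {"X-Requested-With": "XMLHttpRequest"}))
```

The SameSite attribute stops the browser from sending the cookie on most cross-site requests, and the token check catches whatever the cookie attribute does not cover (older browsers, top-level cross-site GETs that trigger background calls), which is why the note applies both and keeps the protection always enabled.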

DGW-13933 - Some RTP packets may cause the application to stop responding.

When using the DSP codec Bank2, some RTP packets could cause the DSP to stop responding.

Fixed the DSP configuration that caused the problem.

DGW-13830 - SRTP interoperability improvements for the Sbc service.

When using SDES key exchange with the Sbc service, an incorrect usage of the SRTP cryptography caused the cryptographic context, which includes the rollover counter also known as ROC, to reset at inappropriate times. This does not affect the DTLS-SRTP key exchange.

A new "SRTP preferences" ruleset action was added to configure interoperability parameters.

This ruleset action allows the configuration of the following three parameters:

  1. CryptoModeOnOffer
  2. CryptoModeOnAnswer
  3. CryptoContextBehavior

When this new ruleset action is not added, the default behavior of the Call Agents continues to be:

  • Both crypto modes (CryptoModeOnOffer/CryptoModeOnAnswer) are set to keep their crypto keys.
  • By default the crypto context behavior (CryptoContextBehavior) is now set to never reset the cryptographic context.

Important change: If this new default behavior causes audio decryption issues, set the CryptoContextBehavior parameter to "AlwaysReset".

DGW-13785 - SRTP interoperability improvements for the Mipt service.

The Mipt.SessionUpdateCryptoMode parameter was removed and replaced by the following three parameters:

  • Mipt.CryptoModeWhenSendingOffer (Default value: RegenerateAlways)
  • Mipt.CryptoModeWhenSendingAnswer (Default value: RegenerateAlways)
  • Mipt.CryptoContextBehavior (Default value: ResetAlways)

The default behavior of DGW with SRTP streams is not changed.

When an upgrade is performed, the configuration of the old Mipt.SessionUpdateCryptoMode parameter is taken into account and applied to the three new parameters using the following mapping:

Old value of Mipt.SessionUpdateCryptoMode   Regenerate         Keep
Mipt.CryptoModeWhenSendingOffer             RegenerateAlways   KeepAlways
Mipt.CryptoModeWhenSendingAnswer            RegenerateAlways   KeepAlways
Mipt.CryptoContextBehavior                  ResetAlways        ResetAlways

Note: the CryptoModeWhenSendingOffer and CryptoModeWhenSendingAnswer parameters apply only to the SDES key management protocol. The CryptoContextBehavior parameter applies to both SDES and MIKEY.
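Both DGW-13830 and DGW-13785 turn on whether the SRTP cryptographic context (in particular the ROC) survives a session update. The following added example, which is a constructed model and not DGW or Sbc/Mipt code, shows why the timing of a reset matters: it implements the RFC 3711 section 3.3.1 packet index estimation on the receiving side, runs a stream across a 16-bit sequence number wrap, and then compares the receiver's index with the sender's after a session update in which the keys are kept. If the receiver resets its context (ROC back to 0) while the sender keeps counting, every subsequent index disagrees, and since the index feeds the SRTP IV and authentication tag, those packets cannot be decrypted or authenticated. The class and function names are this example's own.

```python
SEQ_MOD = 1 << 16   # RTP sequence numbers are 16 bits
ROC_MOD = 1 << 32   # the rollover counter is 32 bits


def estimate_index(roc: int, s_l: int, seq: int) -> int:
    """RFC 3711 s3.3.1: decide whether 'seq' belongs to the ROC before, at or
    after the current one, given s_l (highest sequence number seen so far)."""
    if s_l < 32768:
        v = (roc - 1) % ROC_MOD if seq - s_l > 32768 else roc
    else:
        v = (roc + 1) % ROC_MOD if s_l - 32768 > seq else roc
    return v * SEQ_MOD + seq


class SrtpReceiverContext:
    """The receiver-side part of a cryptographic context: ROC and s_l."""

    def __init__(self):
        self.roc = 0
        self.s_l = 0
        self.started = False

    def receive(self, seq: int) -> int:
        """Return the 48-bit packet index the receiver would use for 'seq' and
        advance ROC / s_l as RFC 3711 prescribes."""
        if not self.started:
            self.started = True
            self.s_l = seq
            return seq                      # first packet: ROC is 0
        index = estimate_index(self.roc, self.s_l, seq)
        v = index // SEQ_MOD
        if v == (self.roc + 1) % ROC_MOD:   # sequence number wrapped
            self.roc = v
            self.s_l = seq
        elif v == self.roc and seq > self.s_l:
            self.s_l = seq
        return index


class SrtpSender:
    """Sender side: counts packets with a 16-bit seq and a 32-bit ROC."""

    def __init__(self, first_seq: int):
        self.roc = 0
        self.seq = first_seq

    def next_packet(self) -> int:
        index = self.roc * SEQ_MOD + self.seq
        self.seq += 1
        if self.seq == SEQ_MOD:
            self.seq = 0
            self.roc = (self.roc + 1) % ROC_MOD
        return index


def simulate(reset_context_on_update: bool, packets_before=100, packets_after=100,
             first_seq=65500) -> int:
    """Run a stream across a seq wrap, apply a session update with keys kept,
    and count packets whose receiver index differs from the sender's."""
    sender = SrtpSender(first_seq)
    receiver = SrtpReceiverContext()
    mismatches = 0
    for _ in range(packets_before):
        idx = sender.next_packet()
        if receiver.receive(idx % SEQ_MOD) != idx:
            mismatches += 1
    # Session update (e.g. re-INVITE) where both sides keep their keys: the
    # sender keeps counting, so the ROC must be kept as well.
    if reset_context_on_update:
        receiver = SrtpReceiverContext()    # ROC back to 0, s_l re-learned
    for _ in range(packets_after):
        idx = sender.next_packet()
        if receiver.receive(idx % SEQ_MOD) != idx:
            mismatches += 1
    return mismatches


if __name__ == "__main__":
    print("context kept  :", simulate(False), "mismatched packets")
    print("context reset :", simulate(True), "mismatched packets")
```

With the keys kept and the context kept, no packet is mis-indexed; with the keys kept but the context reset, every packet after the update is mis-indexed. When both sides regenerate keys at the update, a fresh context on both ends is the correct outcome, which is why the choice is exposed as a separate CryptoContextBehavior parameter rather than tied to the crypto mode.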

DGW-13765 - Add TLS 1.3 support for the Conf, Cwmp and File services.

The Conf, Cwmp and File services now support TLS 1.3.

DGW-13750 - Cannot limit Cwmp service HTTPS provisioning to use only TLS 1.2.

It is now possible to correctly limit Cwmp service HTTPS provisioning to only use TLS 1.2 with the parameter Cwmp.TransportHttpsTlsVersion.

DGW-13668 - Support the Strict-Transport-Security header for DGW Web pages as per RFC 6797.

A new Web.HstsHeaderEnable parameter was added to enable the HTTP Strict-Transport-Security (HSTS) header, as described in RFC 6797.

When enabled, this feature prevents users from accessing the DGW Web pages using HTTP, and forces the browser to always communicate using HTTPS.

DGW-13570 - Add two new ECDSA ciphers for TLS 1.2.

The support of ECDSA certificates for TLS 1.2 was improved.

Two new AES cipher suites from RFC 8422 were added:

  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
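The three TLS items above (restricting a service to TLS 1.2 only, allowing TLS 1.3, and the two RFC 8422 ECDHE-ECDSA AES-GCM suites) can be reproduced as a client-side policy with Python's ssl module. This is an added example and not DGW code: on the unit these choices are made through parameters such as Cwmp.TransportHttpsTlsVersion, not through a script. The function names are this example's own; the mapping from the IANA suite names in the note to OpenSSL's names is standard.

```python
import ssl

# IANA names from the release note -> OpenSSL cipher names (standard equivalences)
RFC8422_ECDSA_SUITES = {
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
}


def build_context(tls12_only: bool, ecdsa_only: bool = True) -> ssl.SSLContext:
    """Client context that never negotiates below TLS 1.2; optionally pinned to
    TLS 1.2 exactly (the DGW-13750 case) and to the two ECDSA AES-GCM suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if tls12_only:
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    else:
        ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED   # TLS 1.3 allowed
    if ecdsa_only:
        # TLS 1.2 cipher list; TLS 1.3 suites are configured separately by OpenSSL
        ctx.set_ciphers(":".join(RFC8422_ECDSA_SUITES.values()))
    return ctx


def describe_policy(ctx: ssl.SSLContext) -> dict:
    """Summarise what a context would actually offer, for review or assertions."""
    tls12 = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return {
        "min_version": ctx.minimum_version.name,
        "max_version": ctx.maximum_version.name,
        "allows_tls13": ctx.maximum_version != ssl.TLSVersion.TLSv1_2,
        "tls12_ciphers": sorted(tls12),
        "all_tls12_ecdsa": all(n.startswith("ECDHE-ECDSA-") for n in tls12),
    }


if __name__ == "__main__":
    for tls12_only in (True, False):
        print("tls12_only =", tls12_only, describe_policy(build_context(tls12_only)))
```

Checking the context with describe_policy before deploying it is the useful habit here: a version floor without a ceiling still permits TLS 1.3, and a cipher string only governs the TLS 1.2 suites, so both settings have to be inspected to know what the endpoint will accept.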


Copyright Notice

Copyright 2021 Media5 Corporation.

This document contains information that is proprietary to Media5 Corporation.

Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.

This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.

Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.

www.media5corp.com