Lantronix IT Infrastructure Managers
Software Release Notes
Version 6.3.0.0
October 28, 2016

Copyright 2016, Lantronix

Release notes are also available on the Lantronix web site (www.lantronix.com) and via anonymous FTP from ftp.lantronix.com. Contact Lantronix or your reseller for more information.

This document describes the Lantronix SLC/SLB firmware release that updates firmware releases 6.1.0.0 and 6.2.0.0 to release 6.3.0.0. For all releases prior to 6.1.0.0, please update your firmware first to 6.1.0.0, then to 6.3.0.0.

===============
RELEASE SUMMARY
===============

Current release: 6.3.0.0

=============================
ADDITIONAL PRODUCTS SUPPORTED
=============================

V6.3.0.0 supports the SLC8, SLC16, SLC32, and SLC48 Secure Console Managers, and the SLB884, SLB1684 and SLB882 Secure Branch Office Managers. Both PC Card and USB SLC/SLB models are supported.

=================
FIRMWARE RELEASES
=================

file: slcupdate-db-6.3.0.0.tgz
key:  0f1e9065c5ccc7e12b86af6b5e28234d

Firmware update file slcupdate-db-6.3.0.0.tgz can be used to update any dual boot SLC or SLB running 6.1.0.0 or 6.2.0.0 to 6.3.0.0.

Do not rename the firmware file - it must retain the same filename in order for the firmware upgrade to complete successfully.

The firmware can be updated via either the 'Firmware & Configurations' web page, or with the 'admin ftp' and 'admin firmware' CLI commands. Updating firmware via TFTP does not use the FTP login, password, or path settings. The firmware update will be applied to the alternate boot bank.

This patch cannot be installed on single boot bank SLCs or SLBs. The firmware update will fail with an error when the firmware file is unpacked on a single boot SLC or SLB.

This patch cannot be installed on SLCs or SLBs that have only 256MB CF. The firmware update will fail with an error message in the log (i.e. this patch may only be installed on an SLB/SLC with 512MB flash).

============
NEW FEATURES
============

22231 WebSSH & WebTelnet
The Java-based WebSSH and WebTelnet application has been replaced with a non-Java-based application. Refer to the Secure Lantronix Network online help page for tips on how to solve browser issues connecting to WebSSH and WebTelnet sessions.

22420 TLS 1.1 and 1.2 Support
Support for Transport Layer Security (TLS) 1.1 and 1.2 has been added.

Note for Internet Explorer users: when connecting to the SLC from the IE browser, the browser may fail to connect to the SLC and display "Bad Record MAC" errors. This is due to an incompatible cipher suite list in the IE configuration (for more information, see support.microsoft.com/en-us/kb/3161639). To fix this, update the IE cipher suite to a more secure cipher suite:

1) Press the Windows Key + R to bring up the "Run" dialogue box. Type "gpedit.msc" and click "OK" to launch the Group Policy Editor.
2) On the left hand side, expand Computer Configuration, Administrative Templates, Network, and then click on SSL Configuration Settings.
3) On the right hand side, double click on SSL Cipher Suite Order.
4) By default, the "Not Configured" button is selected. Click on the "Enabled" button to edit your server's Cipher Suites.
5) The SSL Cipher Suites field will fill with text once you click the button. If you want to see what cipher suites your server is currently offering, copy the text from the SSL Cipher Suites field and paste it into Notepad. The text will be in one long, unbroken string. Each of the encryption options is separated by a comma. Putting each option on its own line will make the list easier to read.
6) Modify the list of ciphers (it cannot exceed 1,023 characters). Refer to the list of ciphers in the support.microsoft.com link above, or this one: https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt
7) Once you have curated your list, format the list for use. Like the original list, your new one needs to be one unbroken string of characters with each cipher separated by a comma. Copy your formatted text and paste it into the SSL Cipher Suites field and click OK.
8) Reboot Windows for the change to take effect.

24287 Upgrade Web SSL Certificate to 2048 bits
The default SSL certificate is now 2048 bits.

24288 Option to disable the SSH DSA Keys
An option has been added to disable the use of DSA keys for SSH connections to and from the SLC.

24491 Zero Touch Provisioning
The Zero Touch Provisioning feature allows a factory defaulted SLC or SLB to acquire a default configuration from a DHCP server and TFTP server when it is booted. At boot-time, before the normal startup process, a unit will attempt to acquire network parameters and a configuration file, first over Eth1, and then over Eth2. See the Firmware & Configurations online help page for more information.

25750 Custom SSL Certificate for Web
A custom self-signed certificate can be generated for the web server. Custom self-signed certificates use the SHA256 hashing algorithm and 2048, 3072 or 4096 bits.

=========
BUG FIXES
=========

22241 NTP vulnerabilities CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296 have been fixed (cases 141224-000000, 150109-000026, 150202-000008, 150415-000007, 151211-000026)

22688 Cookie injection vulnerability CVE-2015-1229 has been fixed (case 150324-000004)

22880 NTP monlist vulnerability CVE-2013-5211 has been fixed. (case 151113-000002)

23862 SSH vulnerability CVE-2015-5600 has been fixed. (case 150818-000025)

24507 Changes made on the Web Server web page will set the web server state to disabled, while leaving the web server running (case 160202-000024).

25251 HTTP clickjacking vulnerability CVE-2016-0734 has been fixed. (case 151218-000035)

25753 Allow hostname to begin with a number (case 160129-000009)

25850 Insecure DES and 3DES ciphers (CVE-2016-2183) have been removed from SSL support (case 161004-000025)

==========
KNOWN BUGS
==========

1. In the case where PuTTY is used to access Device Ports, the user will be prompted for login and password even if SSH authentication is disabled for the Device Port.

2. Remote LDAP users cannot use SSHv1 - they will be denied access to the SLC when using SSHv1.

3. The Java WebTelnet application (available from the Secure Lantronix Network web page) is currently unavailable. A fix will be provided in a future firmware release.

====================
DOCUMENTATION ERRATA
====================

None
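
For steps 5 to 7 of the IE cipher suite procedure under "22420 TLS 1.1 and 1.2 Support": an added example, not Lantronix or Microsoft code, that takes the text copied from the SSL Cipher Suites field, drops the DES and 3DES suites that bug fix 25850 removed from the SLC, and rebuilds the single comma-separated string while enforcing the 1,023-character limit. The function names and the sample list are assumptions made for this example; which of the remaining suites to keep is still decided from the lists linked in step 6.

```python
import re

MAX_POLICY_LENGTH = 1023  # character limit given in step 6

def split_suites(text):
    """Step 5: split the pasted value (commas and/or one suite per line)."""
    return [s.strip() for s in re.split(r"[,\r\n]+", text) if s.strip()]

def uses_des(suite):
    """True for DES and 3DES suites (CVE-2016-2183, bug fix 25850)."""
    tokens = suite.upper().split("_")
    return "DES" in tokens or "3DES" in tokens

def curate(text):
    """Steps 6-7: drop DES/3DES and duplicates, keep the order, and
    return (single comma-separated string, list of removed suites)."""
    kept, removed, seen = [], [], set()
    for suite in split_suites(text):
        if suite in seen:
            continue
        seen.add(suite)
        (removed if uses_des(suite) else kept).append(suite)
    if not kept:
        raise ValueError("no cipher suites left after removing DES/3DES")
    value = ",".join(kept)
    if len(value) > MAX_POLICY_LENGTH:
        raise ValueError(
            f"list is {len(value)} characters; the limit is {MAX_POLICY_LENGTH}")
    return value, removed

# Constructed sample: a list as it might look after editing in Notepad,
# with mixed separators, one duplicate, and three DES/3DES entries.
SAMPLE = """TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
SSL_CK_DES_192_EDE3_CBC_WITH_MD5
TLS_RSA_WITH_AES_128_CBC_SHA
"""

if __name__ == "__main__":
    value, removed = curate(SAMPLE)
    print("Paste into SSL Cipher Suites:")
    print(value)
    print("Removed:", ", ".join(removed))
```
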