ET-Family Firmware History

This is the firmware revision log for the ET family bridges.

----------

This release corrects the following:

This release corrects a security vulnerability in the web server “CGI-session” authentication method.

The firmware was modified to ignore ICMP timestamp requests on the untrusted interface.

----------

This release corrects the following issues:

This release patches a security vulnerability in the web server “CGI-session” authentication method.

The firmware was modified to ignore ICMP timestamp requests on the untrusted interface.

----------

Web server support for TLS v1.1 has been removed. The web server will now only support TLS v1.2.

A new web server certificate can be generated without the use of a USB flash drive. This will allow users to replace an expired certificate without having physical access to the unit. (Administration - New Web Certificate).

This release corrects the following:

Fix protocol in the terminal server. The telnet protocol inserts a null byte after a single carriage-return character. The null byte should be removed from the data stream before output to a serial port.

Fix blocked-write in the terminal server. An output overflow condition could potentially lockup the terminal server.

----------

This includes addressing the SWEET32 vulnerability in TLS and disabling support for TLS v1.0. The web server will only support TLS v1.1 and v1.2. As a result, users relying on Windows XP to configure the ET-3302 may find that they can no longer connect to the web server.

----------

This includes addressing the SWEET32 vulnerability in TLS and disabling support for TLS v1.0. The web server will only support TLS v1.1 and v1.2. As a result, users relying on Windows XP to configure the ET-6602/6630 may find that they can no longer connect to the web server.

----------

----------

1.0 INTRODUCTION

This release corrects the following:

There was a race condition in the tunnel fail-over feature that could result in a client simultaneously connecting to both the primary and alternate server. Any unit configured with fail-over backup connetions should install this update. This issue was corrected in V2.31, but is being repeated in this notice.

If DHCP is enabled and a DHCP lease is lost, the device would receive a new address, but the DNS requests would continue to be sent using the defunct IP address. This would result in never receiving a DNS reply and failure to resolve a name. This type of failure is likely to occur only when a router, also acting as a DHCP server, goes down for a period of time longer than the DHCP lease.

----------

1.0 INTRODUCTION

This release corrects the following:

There was a race condition in the tunnel fail-over feature that could result in a client simultaneously connecting to both the primary and alternate server. Any unit configured with fail-over backup connetions should install this update. This issue was corrected in V2.31, but is being repeated in this notice.

If DHCP is enabled and a DHCP lease is lost, the device would receive a new address, but the DNS requests would continue to be sent using the defunct IP address. This would result in never receiving a DNS reply and failure to resolve a name. This type of failure is likely to occur only when a router, also acting as a DHCP server, goes down for a period of time longer than the DHCP lease.

This release contains the following modification:

When the unit is reset to defaults, it will generate a new random web certificate instead of using a static default certificate. Even though the end-user can manually generate a certificate, this will insure that each device starts out with a unique certificate.

----------

1.0 INTRODUCTION

This release corrects the following:

There was a race condition in the tunnel fail-over feature that could result in a client simultaneously connecting to both the primary and alternate server. Any unit configured with fail-over backup connetions should install this update. This issue was corrected in V2.31, but is being repeated in this notice.

If DHCP is enabled and a DHCP lease is lost, the device would receive a new address, but the DNS requests would continue to be sent using the defunct IP address. This would result in never receiving a DNS reply and failure to resolve a name. This type of failure is likely to occur only when a router, also acting as a DHCP server, goes down for a period of time longer than the DHCP lease.

NOTE: This release coincides with correcting the flash memory corruption abnormality during the firmware update process for 37 units in the field. Although no firmware modification was required to correct this problem, this release can be used as a marker to determine if the customer should take precaution when installing firmware.

If currently running firmware prior to v2.32, and the unit is in the serial number range 59000999 - 59001036, prior to updating firmware, the "pre" firmware must installed first, then immediately install the standard firmware, without power cycling the unit. The "pre" version is fully functional firmware, so this two-step upgrade process can be performed remotely. If a unit is in this serial number range and this procedure is not followed, the unit may become non-functional during the update.

----------

1.0 INTRODUCTION

This release corrects the following:

There was a race condition in the tunnel fail-over feature that could result in a client simultaneously connecting to both the primary and alternate server. This is a severe problem that could cause a network loop and any customer using the "Alt. Connect to Server" feature should upgrade to this firmware. Any unit configured with fail-over backup connetions should install this update.

A layer-3 firewall was added in front of the Tunnel server port. Since the ET products use TCP for the tunnel connection, nuisance TCP connection attempts to the server are possible and are logged. The layer-3 firewall may be configured to match on source IP addresses and allow or block the connection to minimize extraneous connection attempts. The new feature is found on the "Ethernet Tunnel - Server Firewall" page.

----------

1.0 INTRODUCTION

This release corrects the following:

There was a race condition in the tunnel fail-over feature that could result in a client simultaneously connecting to both the primary and alternate server. This is a severe problem that could cause a network loop and any customer using the "Alt. Connect to Server" feature should upgrade to this firmware. Any unit configured with fail-over backup connetions should install this update.

The remote syslog did not work correctly if LAN1 was configured with a VLAN id.

A layer-3 firewall was added in front of the Tunnel server port. Since the ET products use TCP for the tunnel connection, nuisance TCP connection attempts to the server are possible and are logged. The layer-3 firewall may be configured to match on source IP addresses and allow or block the connection to minimize extraneous connection attempts. The new feature is found on the "Ethernet Tunnel - Server Firewall" page.

The "tunnel nodes" page is now sorted by the username field.

----------

1.0 INTRODUCTION

This release corrects the following:

- error handling daylight saving time when setting the clock

This release adds the following feature:

- support for externally signed SSL web certificates

This release addresses the following newly discovered security issues:

- check web URL parameters for cross-site scripting and hazardous input

- modify the web server to issue "Cache-control no-store" in the header

- modify the web server to issue "404 - Not found" error instead of "403 - forbidden" when browser attempts access to a restricted page

- configure the web server to refuse low and medium strength ciphers

- configure the web server to refuse TLS compression (CRIME vulnerability)

- update openSSL from v0.9.8k to v1.0.2g to address multiple vulnerabilities (eliminate ssl2/ssl3, eliminate insecure renegotiation, POODLE, DROWN)

Note: Previous version, v2.29, was a test release sent to select customers.

----------

1.0 INTRODUCTION

Note: The previous version, v2.27, was a test release.

This release corrects the following:

- Remote syslog did not work across a VLAN.

This release adds the following features:

- Modbus monitoring tool, same feature as implemented on the UT-6602.

- Disabled negotiation of SSLv3 protocol in the web server.

Note: Previous version, v2.27, was a test release sent to a single customer.

----------

1.0 INTRODUCTION

This release adds remote syslog support. The new options are found on the "Administration - Remote Syslog" page. s

----------

ET-3302. V2.25 Release Notes 2/5/2015

1.0 INTRODUCTION

----------

ET-3302. V2.24 Release Notes 1/17/2014

1.0 INTRODUCTION

Adds most features requested by CIPS customers. These include:
- Session type authentication with logout feature. This feature is optionally enabled, otherwise the device will continue to use HTTP basic authentication.
- User defined login banner.
- Optional password enforcements: Minimum length, upper/lower case, special characters, numeric characters, age.
- Status feature to display all open and listening TCP and UDP ports.
- Feature to individual enable/disable each Ethernet port on the LAN1 switch
- Feature to disable the serial setup port.
- Correct a problem with the "Accepted Web Access Source Addresses". Once set, the rules could not be cleared.
- 802.1Q vlan tag/untag for the LAN-1 ports. This feature requires the ET-3302 to have an IP175D switch controller.
- This release includes internal version 2.21 and 2.23 which were not released.

------------

ET-3302 V2.20 4/15/2010

- The primary and secondary DNS server configuration fields were missing from the DHCP Server Configuration form.

------------ ET-3302 V2.19 4/6/2010

- A new option was added to LAN2, named "monitor link". When set to "yes", LAN2 will be monitored for link loss. Whenever link loss is detected, the DHCP client will immediately change to the renew state. This will allow the unit to quickly switch to a new network if the cable is unplugged from one network and moved to another.

- The serial port (setup port) can now be configured for UDP-Serial (Etherpoll compatible) mode or for a TCP-Server mode (EtherPath compatible). When either of these modes are selected, the setup function of the serial port is disabled. Note: In order to quiet the serial port during boot, the older units need to have a new boot loader, v2.26, installed. Customers wishing to quiet the serial port will need to manually install this BIOS or return the unit to DCB for upgrade.

- The unit may be set to temporarily boot to defaults by pressing and holding the setup switch during power-up. The sequence is:

1) apply power, blue (bottom) led will go on then the green (top) led will go on.

2) wait for the green led to go off

3) press and hold the setup switch

4) wait for the green led to blink on then off

5) the switch may be released.

6) the serial port will be in setup mode and the unit can be accesses from the default address

Note) The default settings are not written to permanent memory. The user must store the settings from either the serial port or the web interface.

- Added an option to NTP to force the NTP request to go out a specific LAN interface. This was at the request of a customer.

------------

ET-3302 V2.18 10/27/2008

1.0 INTRODUCTION

This release adds support for a different Integrated Switch IC. We are now using a mix of the C and D revision of the integrated switch IC, and these two devices are not software compatible. This release provides support for the new version. There is no need to upgrade prior versions to this one.

------------

ET-3302 V2.17 10/27/2008

1.0 INTRODUCTION

This release adds the following features:

This release corrects the following"

- The integrated switch did not allow packet switching between the ports, but only between the CPU and the port. The switch is now configured to allow packet switching between the ports.

------------

ET-6602 V2.19 1/24/2011

Internal manufacturing change. No operational effect. ------------

ET-6602 V2.18 6/23/2010

1.0 INTRODUCTION This release corrects the following:

- The ET-6602 was unable to decode a saved configuration file written by the ET-3302. This is a problem for customers that are replacing a ET-3302 server with a ET-6602 server and want to carry the configuration file forward. The ET-6602 was modified to detect and decode the ET-3302 configuration file. ------------

ET-6602 V2.17 4/15/2010

This release corrects the following bug: - The primary and secondary DNS server configuration fields were missing from the DHCP Server Configuration form. ------------

ET-3302 V2.16 9/25/09

This is the initial release of the ET-3302 firmware. The version is starting with v2.16 to show its relationship to the other ET products.

------------

ET-3300, ET-6600, ET6690, ET6601, ET6604, ET6620 V2.15 5/7/2008

1.0 INTRODUCTION

This release adds the following features:

- Non-blocking name resolution. Previously, name resolution would block the operation of the tunnel until name resolution was complete. This was a problem for units running in both client and server mode, or a client running simultaneous connections.

- The number of simultaneous connections as a client was increased from 4 connections to 7 connections.

- An option was added to set the DSCP field in the IP header of tunnel packets. This field is used for QoS processing. The new option is found on the "Tunnel Configuration - Advanced" page.

------------

ET-3300, ET-6600, ET-6690 V2.14 2/11/2008

1.0 INTRODUCTION

This release corrects the following problems:

- The Serial-B CTS input did not function correctly, causing hardware flow control to be stuck in a flow-off condition. This problem was due to adding driver support for the real-time clock in the ET-3300. The CTS input was incorrectly programmed to function as part of the QSPI interface.

- The default setting for the TCP No Delay option was changed to "enable".

------------

ET-6601, ET-6604, ET-6620 V2.13 11/14/2007

1.0 INTRODUCTION

This release adds the following feature:

- Support for a PPPoE connection on Ethernet-B. The ET-6601 will also support a PPPoE connection on Ethernet-C.

Note: When running a PPPoE connection, the ET-3300, ET-6600, and ET-6690 will have a 33% reduction in performance. The ET-6601 and ET-6620 will have a 45% reduction in performance.

------------

ET-6601, ET-6604, ET-6620 V2.12 07/26/2007

1.0 INTRODUCTION

This release adds the following features:

- Added Mesh networking. Any client-to any client.

ET-3300, ET-6600, ET-6601,ET-6604, ET-6620 ET-6690 V2.11 06/05/2007

1.0 INTRODUCTION

This release adds the following features:

- TCP filters were added to the Ethernet Tunnel allowing specific TCP ports to be either blocked or allowed. It also allows the option to block all TCP packets.

- Previously, filters were only applied to packets as they were received on the Ethernet Interface. The option "Filter All Connections" has been added which will cause filters to be applied to all tunnel traffic, regardless of the source.

ET-3300, ET-6600, ET-6601, ET-6690, ET-6604, ET-6620 V2.10 04/11/2007

1.0 INTRODUCTION

Corrected one defect:
- Enabling UDP filters would cause the Block Multi-cast feature to not function.

ET-3300, ET-6600, ET-6601, ET-6690 V2.09 02/27/2007

1.0 INTRODUCTION

This release adds the following features to the firmware:

- Support was added for AES-192 and AES-256 encryption. AES-256 runs approximately 18% slower than AES-128.

ET-6620 V2.09 02/23/2007 ET-6604 V2.09 02/23/2007

1.0 INTRODUCTION

This release adds the following features to the ET-6620/6604 firmware:
- Support was added for AES-192 and AES-256 encryption. With AES-256 there is approximately an 11% decrease in performance however the unit is still able to sustain throughput in excess of 200M-bitps.
- The Ethernet duplex and speed may be forced to 100-full, 100-half, 10-full, or 10-half.

ET-6601 V2.09 02/20/2007

1.0 INTRODUCTION

This release adds the following features to the ET-6601 firmware:

- Support was added for AES-192 and AES-256 encryption. With AES-256 there is approximately an 11% decrease in performance however the unit is still able to sustain throughput in excess of 10M-bits.
- The Ethernet duplex and speed may be forced to 100-full, 100-half, 10-full, or 10-half.

ET-6601 V2.08 10/26/2006

1.0 INTRODUCTION

This is the initial release of the ET-6601 firmware:

ET-3300 V 2.07 6/06/2006
ET-6600 V 2.07 6/06/2006
ET-6604 V 2.07 6/06/2006
ET-6620 V 2.07 6/06/2006
ET-6690 V 2.07 6/06/2006

1.0 INTRODUCTION

This release (which includes the 2.05 and 2.06 changes) adds the following features:

- Support for operation with the Radius enabled version of the ET-6604 and ET-6620. (V2.05)
- Support for user configuration file with multcast channel filters. (V2.06)
- Addition of alternate "Listen-to" port for tunnel server operation. (V2.06)
- Addition of alternate "Connect-to" server and port for tunnel client operation. (V2.06)
- Alias IP address configuration for Ethernet-B, to allow communication with wireless adapter. (V2.07)

ET-3300 V 2.03 12/21/05
ET-6600 V 2.03 12/21/05
ET-6604 V 2.03 12/21/05
ET-6620 V 2.03 12/21/05
ET-6690 V 2.03 12/21/05

1.0 INTRODUCTION

This release corrects the following:

- Error in the IP and UDP filters. If the filter was configured to drop all IP or UDP packets, but no exceptions were set, the filter would not drop all IP or UDP packets.

- The kernel was allocating memory that was reserved for use by the boot-loader. No side-effects were seen from this error in the ET products.

- Several typos were corrected in the web and help screens.

This release adds the following feature:

- Added an option to enable TCP No-Delay on the tunnel connection. Doing so improves real-time performance at the cost of increasing network congestion.

ET-3300 V 2.02 10/12/05
ET-6604 V 2.02 10/12/05
ET-6620 V 2.02 10/12/05
ET-6600 V 2.02 10/12/05
ET-6690 V 2.02 10/12/05

1.0 INTRODUCTION

This release corrects the following:

• The state of the Ethernet-A Activity LED was inverted.
• If DNS resolution failed from the tunnel application, it would not retry.

This release adds the following features:

• The Qualcomm/Globalstar GPS1600 satellite modem was added to the modem list.
• The IP address of the private (Ethernet-A) interface is now visible on the remote network through the encrypted link. This means that the remote tunnel can be managed through the encrypted link.
• A DHCP server can be enabled on Ethernet-A. Because of the previous feature, this means that addresses can be served to the remote network.
• UDP filters have been added to the Ethernet Tunnel configuration. This can be used to block UDP broadcasts. For example, if you don't want DHCP service across the tunnel link, you can block UDP ports 67 and 68.
• A simple Web Proxy has been added which is capable of passing HTTP requests on the private interface (Ethernet-A) to servers on the public interface (Ethernet-B).

-------------

ET-6600 VERSION 2.0 2/8/2005

ET-6690 VERSION 2.0 2/8/2005

1.0 INTRODUCTION

- This release is based on a new uClinux distribution v3.1.1. It upgrades virtually all system and application components. The Linux kernel is version 2.4.24.

- Filtering was added to the Ethernet Tunnel. Users may filter packets based on Ethernet or IP addresses.

ET-6600 VERSION 1.02 11/175/2004

ET-6690 VERSION 1.02 11/17/2004

1.0 INTRODUCTION

This release adds support for bridging 802.1Q tagged VLAN trunks:

- A configuration item was added to the Ethernet Tunnel - Advanced Configuration page that selects between standard or 802.1Q Ethernet.

- A configuration item was added to the Ethernet-A - IP Configuration that allows the user to bind the IP address to a VLAN ID. This is necessary so that the user can access the ET-6600's web server, ping, etc through the 802.1Q trunk. The ET-6600 may only be accesses from the specified VLAN.

- The serial setup program will allow the user to enable 802.1Q operation and set the VLAN ID.

This release corrects the following bugs:

- The IP Address Filters were removed from Ethernet-A, Ethernet-B, Serial-A and Serial-B configuration menus. These were left over from pervious firmware and serve no purpose in the tunnel.

----------

ET-6600 VERSION 1.01 11/05/2004

ET-6690 VERSION 1.01 11/05/2004

1.0 INTRODUCTION

This release corrects the following bugs:

- A race condition between the web server and the configuration utility would sometime cause configuration changes to not take effect. A reboot would be required to activate the changes.

- If a user stored their configuration before activating it, they would see the status message "Configuration not Activated" anytime they reset the hardware.

- The help information for the keep-alive timers was incorrect.

- If a network error happened while a client was connected to a server, and if the client's socket buffer was full at the time, the client would not be able to initiate a new connection with the server.

- If the socket buffer became full on a Ethernet packet boundry, the following write to the socket buffer would be corrupt and cause a protocol error between the bridges. The bridges would recover, but would report a security warning.

This release adds the following features:

- The maximum number of clients that a server can support was increased to 8.

- The Tunnel Configuration web page was split into two pages. The new page is called "Advanced Tunnel Configuration" and will contain the items that a user will not normally need to modify. The keep-alive timers were moved to this page.

- An option was added that allows the user to disable Ethernet address learning. This option is useful when using the tunnels to do remote network analysis.

- An option was added that allows the user to set the size of the TCP send socket buffer. This can be used to limit the amount of Ethernet data buffered for a remote tunnel.

- A metric was added to the Tunnel Nodes page showing the number of outbound Ethernet packets dropped due to the TCP send buffer being full.

- The tunneling software was modified to detect if the outbound TCP connection has become overloaded for an excessive amount of time. When an overload is detected the software will stop bridging packets over that connection until the outbound queue has cleared. Without this feature, fixed-time polling protocols can perpetually clog a link.

- An option was added that allows the user to disable encryption.

- An optional encryption method was added based on the ISAAC pseudo-random number generator. It runs approximately 3 times faster than AES yielding about 2M bits throughput.

- The Initialization Vectors for AES encryption are generated from the ISAAC pseudo-random number generator instead of random number generator in the standard library.

- When entering passphrases, they will be echoed as clear text. However, when re-displayed, they will show as "***".

----------

ET-6690 VERSION 1.00 10/15/2004

1.0 INTRODUCTION

Initial public release.

----------

ET-6600 VERSION 1.00

1.0 INTRODUCTION

Initial public release.

Data Comm for Business Inc. 2949 County Road 1000 E Dewey, Il 61840	Voice: 217-897-6600 Toll Free: 800-4-DCB-NET Toll Free: 800-432-2638	Email: Contact Page Web: www.dcbnet.com Fax: 217-897-8023
All DCB web pages copyright ©1995- Data Comm for Business, All rights reserved. EtherPath®, EtherSeries®, EtherPoll®, EtherBridge® and EtherModem® are Registered Trademarks of Data Comm for Business, Inc.