Security – Brute Force Prevention

firmware SCALANCE W700 IEEE 802.11n V6.6.0

New functions:

• Security – Brute Force Prevention: Configuration of user-specific Brute Force Prevention (BFP) possible.
• System – configuration: The duration after which a log entry is written to the internal flash memory can be configured.
• System – configuration: Display of the checksum to validate the currently running configuration file.
• Login – first login: The default HTTPS certificate can be replaced by your own HTTPS certificate after the initial login.
• System time – NTP client: Automatic time setting expanded via NTP so that time synchronization via a secure NTP server is possible.
• Load & Save: Private keys for SSH can be loaded into the device and downloaded.
• Factory setting: For devices with factory settings, the F-LED flashes and a corresponding message is displayed before login.

Changes/bug fixes:

• This firmware version includes security fixes and improvements that increase robustness. Upgrading to this firmware version is recommended:
• Correction for SSA-552702: Privilege Escalation Vulnerability in the Web Interface of SCALANCE and RUGGEDCOM Products https://cert-portal.siemens.com/productcert/html/ssa-552702.html
• Security – AAA – Radius client: Support for the Message-Authenticator attribute according to RFC 3579 (SSA-723487 https://cert-portal.siemens.com/productcert/html/ssa-723487.html)
• Adjustments to comply with the European Union's Radio Equipment Directive (RED Directive according to Article 3.3):
• DCP server: In the factory setting, the DCP server is located in the "Read/Setup" setting. This means that as long as the administrator's default password has not been changed, the device parameters can be both read and changed via DCP. Once the default password has been changed, the device parameters can no longer be changed via DCP.
• SNMP: In the factory setting, access via the SNMPv1/V2 protocol is no longer possible.
• DHCPv4: In the factory setting, the DHCP Client Configuration configuration request (opt. 66, 67) is set to "Setup", i.e. the device behaves in the factory setting as with the On option and the function is enabled for all DHCP client interfaces. The following events trigger a change in the status of the device: The first login with the default user profile admin and the associated assignment of a new password. After this, the device is in a secure operating state and functions as if the option were set to Off: The option is disabled for all DHCP client interfaces.
• TLS - Syslog and SMTP: The validity of the certificates can be validated using a TLS Certificate Revocation List (CRL) and a root certificate (root CA), which can be loaded into the device.
• SFTP: The fingerprint of the SFTP server can be specified to authenticate the SFTP server.
• Load & Save: The file with the file type "Debug" can only be downloaded password-protected, i.e. a password must be set before downloading.
• Factory setting: For devices with factory settings, the F-LED flashes and a corresponding message is displayed before login.
• SNMP - SNMPv3: Extension of the SNMPv3 configuration via WBM.
• SNMP - SNMPv3 users: Support of authentication with SHA256 and encryption with AES256.
• Access point - WLAN - channel setting "Auto": Error in "Auto" channel setting in the 5 GHz frequency band fixed.
• The following functions are no longer supported as of V06.06.00:
• iPCF-HT
• iREF
• Aeroscout
• WBM – language: Only English is available as a language for WBM. This means that the help pages are only available in English.
• Information - log tables - event log: A severity can be specified for log messages created manually via CLI.

Known errors:

• Load & Save: When updating the web interface from version 06.05.00 to a higher version (e.g. V06.05.06), the progress bar displays "File load operation failed".
• When downgrading to V06.04.00/V06.04.01, no reset to factory settings is performed.