Current Release - Version 3.5.0.24

These Release Notes are for CBS Product Line Version 3.5.0.24 release. The CBS Product Line supports the following Product lines: CBS250, CBS250-4X, CBS350, CBS350-4X (stacking) and 10-Gigabit CBS350 modules.

General Note – Downgrading to version 3.1.1.7 or Lower

When attempting to downgrade from Version 3.2.0.84 (or later) to version 3.1.1.7 or lower, the device startup configuration will be deleted as part of the downgrade operation. User will be alerted to this behavior when attempting to boot from an image lower than Version 3.2.0.84. It is highly recommended to backup the device configuration file before performing the downgrade and load the saved configuration file to the device after the downgrade was completed.

Changes to the RADIUS Client Behavior

The main functionality added to this version are changes to the device RADIUS client behavior. These changes were made to address the MD5 vulnerability reported in CVE-2024-3596. This section provides information on this vulnerability and the changes that are made to the device behavior to address the vulnerability.

The attack that is detailed in CVE-2024-3596 exploits the inherent weakness of the MD5 algorithm that is used by the RADIUS protocol (Based on RFC 2865).

The successful execution of this attack may result in a compromise of the RADIUS packet exchange between the switch acting as a RADIUS client, and the RADIUS server. At the extreme exploitation of this vulnerability, the attacker gains the ability to authenticate or authorize any user.

Currently, the attack is not possible if all the messages (RADIUS requests and RADIUS responses) exchanged between the switch and the RADIUS server include the Message-Authenticator attribute (type 80).

Note	To exploit the attack, the attacker must use a high CPU power computer and physical access to the user network.

RFC 2869 defines that the Message-Authenticator attribute is mandatory for RADIUS exchanges that contain an EAP-Message attribute (type 79). On the CBS The following applications do not contain an EAP-Message attribute, and are therefore vulnerable to this attack:

• Management Login access (AAA authentication) – which is always based on RADIUS (and not EAP).

• 8021.x MAC-based authentication (MAB) using the RADIUS authentication method (command dot1x mac-auth RADIUS).

802.1x authentication and MAC-based authentication (MAB) using the EAP method (command dot1x mac-auth EAP – which is the default configuration), are not vulnerable to this attack. The RADIUS requests that in these applications contain the EAP-Message attribute, and the device also verifies that the RADIUS responses include this attribute and that it is valid.

Changes to the Device Behavior

To prevent the exploitation of vulnerabilities the following changes were implemented in the CBS 3.5.0.x release. Their purpose is to ensure that the Message-Authenticator attribute is included in all RADIUS packets:

• The Message-Authenticator attribute is included in all RADIUS request packets – including AAA authentication and 802.1x MAC-based authentication (MAB) using the RADIUS authentication method.

• The Message-Authenticator attribute is included as the 1st attribute in the RADIUS request packet. This is also implemented for 802.1x authentication and MAC-based authentication (MAB) using the EAP method.

• A new setting was added to this release - The user can define that the Message-Authenticator is mandatory for all RADIUS responses and not only for RADIUS responses that contain the EAP-Message attribute. RADIUS responses that do not include this attribute (or that the authenticator is not valid) will be dropped. By default the Message-Authenticator is mandatory only for RADIUS responses that contain the EAP-Message attribute.

  Note

  The reason this setting is optional and disabled by default, is to allow compatibility with existing RADIUS server behavior. According to RFC 2869 the Message-Authenticator is not mandatory in RADIUS responses that do not contain the EAP-Message attribute. Therefore, unless the RADIUS request contains the EAP-Message attribute, many RADIUS servers will not include a Message-Authenticator attribute in the response even if the RADIUS request included the Message-Authenticator. In the future, when RADIUS server behavior will be modified to include the Message-Authenticator attribute in all responses (to address this vulnerability), this behavior may be enabled by default or even mandatory.

New CLI Commands

• The following CLI command was added to the device to enable/disable mandatory Message-Authenticator attribute in all RADIUS responses: “radius-server force-message-authenticator host {ip-address | hostname}”.

  The default is disabled.

• The “show radius-servers” command was updated to display whether the setting is enabled or disabled.

For mode details on the usage of the commands, see the CBS 3.5 CLI guide.

This setting is not supported in the device GUI management interface.

Changes in This Version Related to CBD

The following changes were added to this version:

• CBD network Probe version that is upgraded to version 2.9.0.20240823.

• Added CBD probe mode information to CLI Operational status field (“show cbd” command) and Probe Status GUI field. The probe mode is relevant only when the probe is active. The following probe modes are displayed.

  • Probe Managed- The Probe performs network discovery and communicates directly with each managed device on behalf of the Dashboard.

  • Direct Managed- Direct managed devices will discover other devices in the broader network and connect those devices to the Dashboard automatically than those devices become manageable.

Changes to the Password Complexity Settings

The following changes were made to existing passwords complexity settings:

In the previous versions, when comparing the new passwords to the list of dictionary words and common passwords, the configured password would be rejected also in the following cases:

1. The word in the list appears in any part of the password (beginning, middle, or end).

2. The word in the list appears in reverse order in the password.

3. The word in the list appears in the password in any case (lower or uppercase) combination.

4. When comparing, the following letters are interchangeable: "$" for "s", "@" for "a", "0" for "o", "1" for "l", "!" for "i", "3" for "e", is not permitted. For example, Pa$$w0rd is not permitted.

As of CBS version 3.5, the rules for comparison were narrowed as follows:

1. The new password does not match and does not begin with a word included in the list (removed the “contained” requirement).

2. The word in the list appears in the password in any case (lower or uppercase) combination.

All the other requirements were dropped.

In the previous versions, when rejecting a password that contains more than 2 sequential characters, the configured password would be rejected also in the following cases:

1. Letters are case insensitive.

2. Reverse sequence.

3. Sequence that is created by replacing the following letters with symbols: "$" for "s", "@" for "a", "0" for "o", "1" for "l", "!" for "i", "3" for "e".

As CBS version 3.5, only the case insensitive requirement remains. The other requirements were dropped.

Current Release - Version 3.4.0.17

Cisco Business Switches Product Line Version 3.4.0.17 on top of the features supported in version 3.3.0.x.

GUI – Added links to Virtual Assistance and Cisco Business Dashboard (CBD) Product Web Page

Added in GUI to the Virtual Assistance and to the CBD Product Web page:

• As icons on the Mast page.

• As Other Resources hyperlinks on the Getting Started page.

CBD Probe Version

The CBD probe version was updated to 2.6.1.20231011 (from version 2.6.0.20230314 in release 3.3.

OpenSSL Version Upgrade

OpenSSL version was upgraded to version OpenSSL 1.1.1w (from version OpenSSL 1.1.1q in release 3.3).

Updates TLS Ciphers List

The following CBC based ciphers are no longer supported in release 3.4

• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

• TLS_RSA_WITH_AES_256_CBC_SHA256

• TLS_RSA_WITH_AES_256_CBC_SHA

• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

• TLS_RSA_WITH_AES_128_CBC_SHA

Therefore the list of supported ciphers in release 3.4 is:

TLS 1.2 ciphers:

• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)

• TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (secp256r1)

• TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 3072)

• TLS_AES_256_GCM_SHA384

• TLS_CHACHA20_POLY1305_SHA256

• TLS_AES_128_GCM_SHA256

TLS 1.3 ciphers:

• TLS_AES_128_GCM_SHA256

• TLS_CHACHA20_POLY1305_SHA256

• TLS_AES_256_GCM_SHA384

CBD Probe Version

Cisco Business Dashboard (CBD) Probe version was upgraded in this release to version 2.6.0.20230314 (upgraded from version 2.4.1.20220225 supported in CBS release 3.2.x.x. This CBD version includes bug fixes and the new functionalities detailed in the next items:

CBD - Organization and Network Name Parameters

Up until CBS release 3.2.x.x (inclusive) the user was required to define the following 2 parameters in order to allow the connection to the Dashboard:

• CBD Organization Name

• CBD Network Name

The above two parameters are no longer required as of CBS version 3.3.x.x and are thus removed from the device CLI and the graphical user interface (GUI).

If the user upgrades from a CBS version 3.2.x.x (or earlier) to version 3.3.x.x (or higher) the above 2 parameters will be removed from the configuration file.

Note	This section is relevant both to manual “traditional” connection to Dashboard and connection using the CBD Wizard (See following section).

CBD Wizard

Up until CBS release 3.2.x.x (inclusive) prior to connecting the device to the Dashboard, the user was required to do the following:

• Pre-register the device with the CBD services (including device PID and SN).

• Install a root CA certificate on the switch.

• Configure on the device an Access Key ID and secret.

In CBS release 3.3, the user has an option to manually perform the above, or to use a CBD Wizard to simplify the connection and registration to the CBD server. The CBD Wizard is supported only via GUI.

Connection steps, using the wizard are as follows:

• Navigate to the following page: Administration > Cisco Business Dashboard Settings.

• Enable the Dashboard Connection and configure the address (IP/host) and port of the Dashboard.

• Select Online with Web Browser to use the Wizard to configure the connection to the Dashboard.

• Once process is completed and approve by the user, the Dashboard updates the switch with the relevant CA root certificate and CBD access key.

1.1 Default IP Settings on Devices that Support OOB

On previous versions, the default management interface, on devices that support OOB in native mode, was applied to the OOB port and not on the default VLAN. In Hybrid mode default IP management interface is applied to VLAN 1 and OOB is disabled. From this version and on, the default management interface is applied to VLAN 1, even on devices in native mode that support OOB. The OOB interface, in new behavior, will be DCHP enabled by default in native mode, and will not support the default IP settings. In Hybrid mode OOB will be disabled, as in previous version.

The following table summarizes VLAN 1 and OOB default IP setting before and after the change applied in version 3.1.1.7

Note	When upgrading or downgrading between previous and current version the intention is to keep existing configuration unless device is set to factory default. Please note configuration before and after upgrade/downgrade operation and verify configuration.

Note	Refrain from changing stacking mode when upgrading to new version. The new settings may be different then expected. If a change of mode is needed, first change the mode and then upgrade the stack.

1.2 Updated Cisco Trusted Core Bundle

The 3.1.1.7 firmware uses the Cisco core bundle.

1.3 New PoE Driver

New PoE driver version 0.2.0.17.

1.1 Enhancements

The following list introduces the changes and enhancements featured in this release.

• RIPv2 support on CBS350 SKUs

• CA certificates are valid only if system clock was set by user, RTC or SNTP.

• Hybrid stack support was added to CBS350 stacking SKUs

• Naming of stacking unit roles was changed to Active Unit, Standby Unit and Member Unit

• CBD Probe version 2.2.1.x

1.1 Browser and OS Support

The device web UI supports the following browsers and OS system:

• Supported OS – MS Windows 7 (32 & 64 bit), MS Windows 10 (32 & 64 bit), MAC OS (not supported: MS Windows 8, 8.1, XP and Vista; Linux)

• Supported Browsers – Chrome, Firefox and Microsoft Edge (Microsoft Internet Explorer not supported) – both for Windows and for MAC OS; Safari – MAC OS only .

1.2 Web GUI Style

The CBS 3.0 uses a new GUI style which is the PISA compliant.

1.3 Password Complexity

For enhanced security, the user does not have the option to disable the password complexity setting. The password complexity is supported with the following default and ranges:

• Min-length – range 8-64, default = 8

• Min-class – range 1-4, default = 3

• No-repeat – range 1-16, default = 3

• Not-current/not-username/not manufacturer = are always enabled

1.4 SSL Cipher Support

For enhanced security, support for the following Ciphers was removed:

• RSA_WITH_AES_128_CBC_SHA256;

• RSA_WITH_AES_128_GCM_SHA256;

• RSA_WITH_AES_128_CCM_8;

• RSA_WITH_AES_256_CCM_8

1.5 SSL Cipher Support

OpenSSL version upgraded from 1.1.0b to 1.1.0l (Lower case L).

1.6 Console Support

Both RJ45 and mini-USB console are supported on CBS350 and CBS250 switch models listed in this release note. The mini-USB has precedence.

1.7 Password Encryption

In the previous version, the user’s credentials were saved to the config file and displayed using SHA-1 hash algorithm. In the current release, the user’s credentials are salted and hashed using PBKDF2 based on HMAC-SHA-512 hash. This adds additional security to the credentials and protects them from various attacks.

Relevant credentials:

• Local database password

• Enable password

• Line password

1.8 Self-Signed Certificate Lifetime

To enhance security, the default and supported validity of the device self signed certificate are changed:

• Validity Range: 30 days to 1095 days (i.e. 3 years); was 30 days to 10 years

• Default = 730 days (i.e 2 years); was 1 year

1.9 Real Time Clock

SKUs in this release support have an internal self-sufficient Real Time Clock (RTC) component that keeps time even when the device is shut down and not connected to a power source. This internal clock is initialized during manufacturing and can be updated by the time features of the device when the software clock is set (for example manually or via SNTP).

In a stack configuration – all units will sync with the master unit RTC. For more details on stack behavior see functional spec. Note: future releases of CBS may contain SKUs that do not support RTC – in this case a different unit (not the master) will be used as the system time source.

RTC is considered “reliable” for features that require a “reliable” time source: Time range settings; updating IP DHCP Snooping Database and scheduled reboot.

1.10 PNP Agent Enhancements

CBS 3.0 supports the configuration of HTTPS as 1st choice” transport protocol. Tesla 2.5.5 supported only HTTP as 1st choice transport protocol.

1.11 Stack Unit ID Indication

The stacking SKUs in this release do not support dedicated stacking LED(s). Therefore the system LED is used on these units to indicate stack unit ID, as follows:

• Active unit – system LED will remain solid green (unless device is in bootup phase, or there is a HW fault or device is not connected to the power)

• For member units - following completion of bootup phase and connection to the master unit, every 20 seconds the System LED will blink green according to unit ID of the member unit:

  • Unit 1 (if not active) – system LED will blink 1 time;

  • Unit 2 (if not active) – system LED will blink 2 times;

• Unit 3 – system LED will blink 3 times;

• Unit 4 – system LED will blink 4 times;

Note	Note: SKUs added in following releases may support dedicated stacking LEDs.

1.12 Online Help (OLH) and Language File

Version 3.0.0.69 includes multiple fixes to OLH files. It also supports Chinese and Japanese language files.

1.13 CBD Probe Version 2.2.0.20200801

In version 3.0.0.69 the CBD Probe was upgraded to version 2.2.0.20200801.

1.1 Browser and OS Support

The device web UI supports the following browsers and OS system:

• Supported OS – MS Windows 7 (32 & 64 bit), MS Windows 10 (32 & 64 bit), MAC OS (not supported: MS Windows 8, 8.1, XP and Vista; Linux)

• Supported Browsers – Chrome, Firefox and Microsoft Edge (Microsoft Internet Explorer not supported) – both for Windows and for MAC OS; Safari – MAC OS only.

1.2 Web GUI Style

The CBS 3.0 uses a new GUI style which is the PISA compliant.

1.3 Password Complexity

For enhanced security, the user does not have the option to disable the password complexity setting. The password complexity is supported with the following default and ranges:

• Min-length – range 8-64, default = 8

• Min-class – range 1-4, default = 3

• No-repeat – range 1-16, default = 3

• Not-current/not-username/not manufacturer = are always enabled

1.4 SSL Cipher Support

For enhanced security, support for the following Ciphers was removed:

• RSA_WITH_AES_128_CBC_SHA256;

• RSA_WITH_AES_128_GCM_SHA256;

• RSA_WITH_AES_128_CCM_8;

• RSA_WITH_AES_256_CCM_8

1.5 SSL Cipher Support

OpenSSL version upgraded from 1.1.0b to 1.1.0l (Lower case L).

1.6 Console Support

The following changes were introduced to the console support:.

• SKUs in this release support both the RJ45 and mini USB console – mini USB has precedence.

• CBS250 SKUs support console interface (In Tesla Product line the 250 SKUs did not support a console interface).

Note	Console support relates only to the SKUs in this release. SKUs in following releases support a single RJ45 interface, and the 250 product line SKUs do not support console.

1.7 Password Encryption

In the previous version, the user’s credentials were saved to the config file and displayed using SHA-1 hash algorithm. In the current release, the user’s credentials are salted and hashed using PBKDF2 based on HMAC-SHA-512 hash. This adds additional security to the credentials and protects them from various attacks.

Relevant credentials:

• Local database password

• Enable password

• Line password

1.8 Self-Signed Certificate Lifetime

To enhance security, the default and supported validity of the device self signed certificate are changed:

• Validity Range: 30 days to 1095 days (i.e. 3 years); was 30 days to 10 years.

• Default = 730 days (i.e 2 years); was 1 year.

1.9 Real Time Clock

SKUs in this release support have an internal self-sufficient Real Time Clock (RTC) component that keeps time even when the device is shut down and not connected to a power source. This internal clock is initialized during manufacturing and can be updated by the time features of the device when the software clock is set (for example manually or via SNTP).

In a stack configuration – all units will sync with the master unit RTC. For more details on stack behavior see functional spec. Note: future releases of CBS may contain SKUs that do not support RTC – in this case a different unit (not the master) will be used as the system time source.

RTC is considered “reliable” for features that require a “reliable” time source: Time range settings; updating IP DHCP Snooping Database and scheduled reboot.

1.10 PNP Agent Enhancements

CBS 3.0 supports the configuration of HTTPS as 1st choice” transport protocol. Tesla 2.5.5 supported only HTTP as 1st choice transport protocol.

1.11 Stack Unit ID Indication

The stacking SKUs in this release do not support dedicated stacking LED(s). Therefore the system LED is used on these units to indicate stack unit ID, as follows:

• Active unit – system LED will remain solid green (unless device is in bootup phase, or there is a HW fault or device is not connected to the power).

• For member units - following completion of bootup phase and connection to the master unit, every 20 seconds the System LED will blink green according to unit ID of the member unit:

  • Unit 1 (if not active) – system LED will blink 1 time;

  • Unit 2 (if not active) – system LED will blink 2 times;

• Unit 3 – system LED will blink 3 times;

• Unit 4 – system LED will blink 4 times;

Note	Note: SKUs added in following releases may support dedicated stacking LEDs.