Archived News


FNGi statement on Shellshock and DHCPatriot systems (2014-09-26 10:35:01)

FNGi statement on DHCPatriot systems' vulnerability to CVE-2014-6271 and CVE-2014-7169 (aka Shellshock). References: National Vulnerability Database entries for CVE-2014-6271 and CVE-2014-7169.

By now, many of you have probably heard of the Shellshock scare.

Of the possible attack vectors, two involve services that run on the DHCPatriot system: the Apache web server and OpenSSH. Both have specific exploitable features (CGI bin program execution in Apache and ForceCommand in OpenSSH) that are not enabled on the DHCPatriot system. The third known attack vector, the DHCP client, is not installed on the DHCPatriot system. Therefore, rest assured that your DHCPatriot system is not vulnerable to this exploit.

When a patch for affected versions of GNU Bash is released, we will implement it as a safety precaution. As of the time of this writing, only Red Hat Enterprise Linux has released a patch for this GNU Bash vulnerability.
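The reasoning in the statement above is that Shellshock needs two things at once: a vulnerable bash, and a reachable path (Apache CGI, sshd ForceCommand, or a DHCP client) that feeds attacker-controlled environment variables to it. The script below, an added illustration that is not FNGi's code, checks each leg on a host: the widely published CVE-2014-6271 self-test for the local bash, plus parsers for the Apache and sshd directives named in the statement. The config paths in the main block are assumptions.

```python
import os
import re
import shutil
import subprocess

# Widely published CVE-2014-6271 self-test: an unpatched bash parses the
# function body in the variable and also runs the trailing command, so the
# marker appears in the output.  A patched bash prints only "probe".
# (CVE-2014-7169, the incomplete-fix follow-up, needs a separate test.)
def bash_imports_trailing_code(bash=shutil.which("bash")):
    """True if the local bash is vulnerable, False if patched, None if no bash."""
    if not bash:
        return None
    env = dict(os.environ, x="() { :;}; echo SHELLSHOCK_MARKER")
    out = subprocess.run([bash, "-c", "echo probe"], env=env,
                         capture_output=True, text=True).stdout
    return "SHELLSHOCK_MARKER" in out

def _directives(config_text):
    """Yield (keyword, rest) for each non-comment line of an Apache/sshd config."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")

def sshd_uses_forcecommand(sshd_config_text):
    """The sshd leg: ForceCommand hands the client-supplied command to the forced
    command via the SSH_ORIGINAL_COMMAND environment variable ('none' disables it)."""
    return any(kw == "forcecommand" and rest and rest.lower() != "none"
               for kw, rest in _directives(sshd_config_text))

def apache_cgi_enabled(httpd_config_text):
    """The Apache leg: mod_cgi/mod_cgid loaded, a ScriptAlias, or Options +ExecCGI
    (CGI places request headers into the environment of the script's shell)."""
    for kw, rest in _directives(httpd_config_text):
        if kw == "loadmodule" and re.match(r"cgid?_module\b", rest):
            return True
        if kw in ("scriptalias", "scriptaliasmatch"):
            return True
        if kw == "options" and any(o.lower() in ("execcgi", "+execcgi") for o in rest.split()):
            return True
    return False

def dhcp_client_installed():
    """The third leg: a DHCP client that exports lease options into its hook scripts' environment."""
    return any(shutil.which(c) for c in ("dhclient", "dhcpcd"))

def exposed(bash_vulnerable, vectors):
    """Shellshock needs both a vulnerable bash and at least one reachable vector."""
    return bool(bash_vulnerable) and any(vectors.values())

if __name__ == "__main__":
    def read(path):  # default paths are assumptions; adjust for the host checked
        return open(path).read() if os.path.exists(path) else ""
    vectors = {"apache_cgi": apache_cgi_enabled(read("/etc/httpd/conf/httpd.conf")),
               "sshd_forcecommand": sshd_uses_forcecommand(read("/etc/ssh/sshd_config")),
               "dhcp_client": dhcp_client_installed()}
    bash_vuln = bash_imports_trailing_code()
    print("bash vulnerable:", bash_vuln, "vectors:", vectors, "exposed:", exposed(bash_vuln, vectors))
```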

-Darren

DHCPatriot 5.4.0 enters beta (2014-08-20 14:33:13)

DHCPatriot 5.4.0 has entered beta. We will be contacting specific system owners and asking them to join our beta test period. If you would like to be a beta tester, please contact us at dhcpatriot@network1.net or 800-578-6381 opt. 3.

Here are the changes in 5.4.0:

  1. When unsuspending a user device in Auth DHCP Actions -> Suspend User, the limit displayed entries was not saved during the unsuspend process. This has been corrected and list limits are now remembered as user devices are unsuspended.
  2. IPv6 logins to the web administration interface were impossible. This was traced to the storage for the remote IP address being too small. The size has been increased so that it can store IPv6 addresses. The DHCPatriot system can now be administered from an IPv6 address.
  3. Discovered that there was a problem where sometimes cron would no longer rotate logs or database files until it was restarted. Cron now restarts once per day to avoid this situation.
  4. Both IPv4 and IPv6 versions of Firewall setup under System Configuration now support assigning several services to an IP address simultaneously. Previously you had to repeat the process several times to open the firewall for more than one service to a specific IP or subnet.
  5. IPv6 Ping and Trace route are now supported in the web administration interface as well as the CLI admin menu. Options 12 and 13 are ping6 and trace6 respectively. Reboot and shutdown have moved to options 14 and 15 respectively.
  6. API: Unsuspending via the API can now perform a RADIUS authentication check, as the web administration interface does, if the parameter AuthTest=true is passed to the API. Example: https://patriot.network1.net/cli/?function=SuspendEnable&username=apiuser&password=apipass&action=unsuspend&user=bobaaron&AuthTest=true
  7. API: StickyIP ADD: It is now possible to add a sticky IP via the API by using a URL of the following format: https://patriot.network1.net/cli/?username=&password=&function=StickyIPs&action=ADD&Stickymac=&Stickyusername=&Stickyip=&Stickynote=
  8. API: StickyIP DELETE: It is now possible to delete a sticky IP via the API by using a URL of the following format: https://patriot.network1.net/cli/?username=&password=&function=StickyIPs&action=DELETE&Stickymac=&Stickyusername=
  9. API: StickyIP LIST: It is now possible to list sticky IP assignments via the API by using a URL of the following format: https://patriot.network1.net/cli/?username=&password=&function=StickyIPs&action=LIST An XML list is returned.
  10. API: It is now possible to authenticate a user device using the current pre-auth IP address of the device by using the parameter ip= in place of the MAC= parameter, as in this example: https://patriot.network1.net/cli/?username=&password=&function=AuthorizeCustomer&user=exampleuser&pass=examplepass&ip=exampleip
  11. API: A new API call has been added to find authenticated devices. It is accessed in the same way as the rest of the API and returns results in XML format. All authenticated devices may be returned, or the search may be limited. The URL should have the following format: https://patriot.network1.net/cli/?function=SearchAuthDevices&username=&password=&mac=&AdminNote=&user=&ShowOnlyOnline=(TRUE)&AddressType=(STATIC/DYNAMIC)
  12. Default DNS servers (when a DHCPatriot has first been installed but not yet configured) have been changed to 8.8.8.8 and 8.8.4.4.
  13. It is now possible to exclude a range of IP addresses in Auth DHCP Config -> Exclude IP Address in the GUI.
  14. There is a new list that can be maintained in Auth DHCP Config -> Deny MAC Address as well as Standard DHCP Config -> Deny MAC Address. This list prevents mac addresses entered within from getting an IP address.
  15. The DHCPatriot no longer prevents authentication if there is a current authenticated lease for the device. The reason it did this in the first place was to prevent sim-use violations. Logic dictates that the device is already suspended, however, so there really wasn't a reason to prevent authentication. Authentication still isn't allowed if the device is a valid authenticated device that is not suspended.
  16. It is now possible to delete suspended devices that do not currently have an IP address in View Authenticated Users.
  17. Optional lease length overrides have been added to the dynamic subnets in standard and authenticated. This allows an administrator to set a different lease length for a certain dynamic subnet for maintenance purposes or whatever reason.
  18. OpenSSL has been updated to fix the somewhat obscure security issue reported in: http://www.openssl.org/news/secadv_20140605.txt
  19. A feature has been added that lets an admin add DHCP configs to the pool {} statement. This is needed by some customers to replicate custom ISC DHCP configs in specific environments.
  20. A new feature called Built-in Authentication: User Import under Auth DHCP Actions allows the import of a list of users using a comma separated value (CSV) file upload in a specific format.
  21. A new feature called Device Import under Auth DHCP Actions allows the import of a list of authenticated devices using a comma separated value (CSV) file upload in a specific format.
  22. Repaired a problem where Request Assistance under Main linked to a non-existent page.
  23. Captive portal protection has gained the ability for the administrator to supply their own page to be used to protect the DHCPatriot from automated programs that use the web. A new setting box appears in System Configuration -> General Setup allowing an administrator to supply their own HTML for the protection page if they don't want to use the math problem.
  24. It was discovered that Internet Explorer was not following the 404 redirect on the DHCPatriot. Instead of showing the login page, it would show an Internet Explorer specific "Webpage not found" error page. This meant that if the home page of the user was set to something like http://www.sony.com/ps4 that instead of redirecting back to the login page, the user would get an Internet Explorer generated error page that looked similar to the "page cannot be displayed" error page. We have taken steps to rectify this and Internet Explorer is now being properly redirected to the login page.
  25. Keepalive with one second timeout has been enabled on the DHCPatriot system web server. This affects the login page as well as the admin interface.
-Darren

DHCPatriot 5.3.1 released (2014-02-25 09:59:26)

DHCPatriot version 5.3.1 has been released. This is a maintenance release with bug fixes only. Only DHCPatriot systems experiencing the bugs repaired in this release will receive this software. All of the fixes from this release will of course be in version 5.4.0. Here are the release notes:
    1. Repaired a problem where the built-in authentication would fail under certain circumstances where the database was restarted. Built-in authentication would previously fail to reconnect to the database for a time after the restart. This would result in users being denied access. Built-in authentication now correctly reconnects to the database.
    2. Repaired a permissions problem that prevented viewing of the online manual directly from the DHCPatriot system. The manual is now viewable. It also is always available at our website: www.network1.net
    3. The counts on view address usage and corresponding graphs were a bit nonsensical since the 5.3.0 patch that removed static, sticky, and excluded IPs from the counts. The following changes have been made so that the counts are better. Static network total counts are not decreased no matter what you do. Dynamic counts are decreased by excluded, sticky, and static (RADIUS) entries. However, previously it was decreasing the total count for multiple entries. It now only decreases once per IP no matter how many times you enter it in those tables and how many tables it is in. If the IP is in use, it is not decreased from the total.
    4. The RADIUS Alive packet [Acct-Status-Type -> interim-update] had a problem where the username was not available at the time of queuing the event. It would use the last username in memory (or possibly no username if there wasn't one in memory). The only time the username was correct was when the last RADIUS communication was about the same user who was now getting an interim-update. This has been repaired.
    5. NTP changes have been made. Configuration options have been put in place to prevent a certain type of DoS attack. Also, the time server should provide time faster to clients now.
    6. Changes to static assignment in the standard DHCP have been made. Previously, we used a pool based method of assigning static IPs within standard DHCP. When an assignment was made via option 82 and the equipment was subsequently changed, there was a chance that the static IP assignment would be unavailable until the previous equipment's lease expired. This has been changed. The lease is now immediately available. Side effects of this are that lease length settings are now ignored by standard static assignments, which are now twelve hours long regardless of the settings for the shared networks. Also, option 82 data is no longer logged in the DHCP logs for these standard DHCP static assignments. Clicking the 82 for any standard static assignment based sessions in Standard DHCP Reports -> Search Sessions will say 'Not Available' as well. We felt the detrimental effects of these limitations were outweighed by the benefit of being able to immediately swap out equipment and have the static IP address assignment applied straight away.
-Darren

DHCPatriot 5.3.0 released (2013-11-06 09:51:36)

DHCPatriot 5.3.0 has been released.

Arguably the most important new feature in this build is the floating IP support implemented with Virtual Router Redundancy Protocol (VRRP). This is the last piece of the puzzle in making the DHCPatriot completely high availability. Previously, the router would need to be changed to force authentication traffic to one DHCPatriot device or the other in the case of outage. Using VRRP allows a third IP address to “float” between the two devices. This allows the router to be configured to force authentication traffic to this third IP address. The IP address never goes down as long as at least one DHCPatriot device is functional. Other enhancements in this version include: Searchable Option 82 information that is stored with the sessions; Template based configuration of static address definitions in standard DHCP for quick configuration of ONT networks, for example; Optional protection of the authentication page against automated clients via a simple math problem; Checking stored credentials against the RADIUS server during an un-suspend operation; Optionally send RADIUS ALIVE (interim-update) packets upon DHCP client lease renewal; Optional RADIUS forwarding to external devices that need a RADIUS accounting stream.

Release notes for DHCPatriot 5.3.0:

  1. Floating IP (VRRP) implemented. It is now possible to add a third IP address to the DHCPatriot system that will float between the two devices. This IP address should be used with the captive portal page and possibly as the destination address when administrating the machine. Restrictions to using VRRP are that the DHCPatriot system devices must both be in the same subnet and the floating IP must be in that same subnet as well.
  2. Optional simple page for protecting the database from being accessed by pre-auth / unauthenticated automated clients such as weatherbug. This page asks a simple math problem before proceeding to the actual authentication page for pre-auth users. The page has no images and no database access. Automated clients such as weatherbug will not answer the question and so will not proceed to the login page. Users attempting to authenticate on the network will answer the question and proceed. Thus, when a large load of unauthenticated devices is encountered, this page will prevent automated port 80 access from crippling the DHCPatriot system.
  3. CLI user was changed to be API user in the administrators configuration to prevent future confusion.
  4. Fixed a problem with the TFTP File Maintenance where if two files were exactly the same, then the MD5 hash would match causing the delete and show file functions to possibly show or delete the wrong file. I repaired this by using the file name as the key instead.
  5. Fixed a problem with auto-generated forms where previously executed delete commands would try to execute again if using next, back, first, last, or show all as well as when using limit displayed entries.
  6. In the config menu, if an IPv6 address was entered without the CIDR prefix length at the end, such as 2620:0:2e50:e4::226 instead of 2620:0:2e50:e4::226/64, it would not assume 64 and would not complain. This caused the address settings for IPv6 not to work. It now assumes a prefix of 64 if none was entered.
  7. View address usage and usage graphs now decrement the number of available IPs for excluded IPs, sticky IPs and static IPs. The count of available addresses is decreased by 1 for each of these type of IP exclusions or assignments that fall within the subnet. If the IP is currently in use, the available address count is not reduced for that IP address.
  8. Leading and trailing white space will now be trimmed from form input. This should help with copy/paste situations. Presently these characters are removed: space, tab, new line, carriage return, NUL-byte and vertical tab.
  9. Smartmon tools (www.smartmontools.org) have been added to the DHCPatriot system. We can use these tools to better diagnose potential hard drive problems in the field.
  10. ISC DHCP 4.2.5-P1 has been installed.
  11. Idle timeout on the Administration interface increased to 10 hours. Previously it was 4 hours. Some people would have the interface time out throughout the day.
  12. Log entries from dhcp devices that are talking more frequently than once per second will now have their logs ignored. Entries will only be recorded once per second. Any more than that is not useful information as seconds is the resolution of the DHCP lease. This further increases the level of performance.
  13. The DHCPatriot now verifies RADIUS credentials before an "unsuspend" is performed in Auth DHCP Actions -> Suspend User. This will prevent confusion in customer service as well as help customers to have a better experience. Previously, it was possible to "unsuspend" a user when their stored password did not match, or they were disabled on the RADIUS server. This created some confusion and customer callbacks that will now be avoided.
  14. It is now possible to delete RADIUS assigned static IP addresses. They are shown in the same list as the Sticky IP assignments. The delete link is functional and will remove them. Keep in mind that if they are still assigned to the user in RADIUS that they will likely reappear at some point in the future.
  15. Sticky IPs now work in the standard DHCP without being an authenticated MAC address. Previously, unless the mac belonged to a valid authenticated user, the sticky IP would not function even if it was a standard sticky IP. This has been fixed.
  16. It is now possible to suspend individual devices by the MAC address via the remote access API.
  17. Option 82 information can now be searched under Auth DHCP Reports -> Search Sessions as well as Standard DHCP Reports -> Search Sessions. Please note that searching by option 82 may significantly increase the time to receive results. This is especially true on high traffic systems.
  18. RADIUS Alive packet [Acct-Status-Type -> interim-update] now supported. Turning this setting on in System Configuration -> General Setup will cause the DHCPatriot system to send an Alive packet each time the lease is renewed. This could be problematic on systems with many broken devices sending lots of renews rapidly. We will keep an eye on this situation and evaluate if some per-second limit needs to be implemented at some point in the future.
  19. A long standing problem with system stability was found and repaired. The DHCPatriot system should now have no problem booting back up successfully during software installs. Previously, occasionally during an update the system would fail to boot properly, requiring a physical power cycle.
  20. Forwarding of RADIUS accounting packets to one or more arbitrary destinations has been added. A new type of server (AFOR) has been added to the authentication setup. The DHCPatriot does not wait for an accounting response with these types of destinations. This feature can be used for sending accounting data to Sandvine or Procera traffic shapers or various CALEA devices, for example.
  21. Scripted mass adding of standard DHCP static IP assignments is now possible. Access this functionality via Standard DHCP Actions -> Static IP Assignment and then clicking on: "If you wish to add multiple entries using scripted parameters, click here". Follow the onscreen instructions to add as many or as few entries as you need.
  22. Corrected a problem where Option 82 information that contained a single quote (') would cause a problem with writing to the database. Option 82 information received via DHCP is now sanitized before being written to the db.
  23. Corrected a problem where, if more than one device existed for a username and either had a sticky address by username or a static address assigned by RADIUS, only one random device would effectively be assigned to the address. Now all devices that should be assigned to the address are assigned to it correctly.
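The failure in item 22, as an added illustration in Python's sqlite3 rather than the DHCPatriot's own code (the page does not describe its schema or database, so the table and column names here are made up): a relay-supplied remote-id containing an apostrophe breaks an INSERT built by string concatenation, while binding the value as a parameter, the fix a practitioner would reach for, stores it verbatim.

```python
import sqlite3

def open_db():
    """Constructed in-memory schema standing in for the session store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (mac TEXT, circuit_id TEXT, remote_id TEXT)")
    return db

def store_concatenated(db, mac, circuit_id, remote_id):
    """Fragile pattern: relay-supplied text is spliced into the SQL, so an
    apostrophe in the remote-id terminates the string literal early and the
    rest of the value is parsed as SQL (here: a syntax error)."""
    sql = "INSERT INTO sessions VALUES ('%s', '%s', '%s')" % (mac, circuit_id, remote_id)
    db.execute(sql)

def store_bound(db, mac, circuit_id, remote_id):
    """Parameter binding: values travel separately from the statement text,
    so whatever bytes the relay sends are stored as data, quotes included."""
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (mac, circuit_id, remote_id))

# Constructed sample: a relay agent whose remote-id contains a single quote.
SAMPLE = ("00:11:22:33:44:55", "eth 1/1/3:100", "O'Brien ONT 7")

def demo(sample=SAMPLE):
    """Run both patterns on the same Option 82 data and report what happened."""
    results = {}
    db = open_db()
    try:
        store_concatenated(db, *sample)
        results["concatenated"] = "stored"
    except sqlite3.OperationalError as exc:
        results["concatenated"] = "error: %s" % exc
    store_bound(db, *sample)
    rows = db.execute("SELECT remote_id FROM sessions").fetchall()
    results["bound"] = rows[-1][0]   # the value the parameterised insert stored
    return results

if __name__ == "__main__":
    print(demo())
```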
-Darren

DHCPatriot 5.2.1 has been released (2013-04-25 13:19:59)

DHCPatriot version 5.2.1 has been released. This is a maintenance release with bug fixes only. Only DHCPatriot systems experiencing the bugs repaired in this release will receive this software. All of the fixes from this release will of course be in version 5.3.0. Here are the release notes:

    1. Added hardware support for the 2013-1 model of DHCPatriot system.
    2. Gave space on startup to launching programs so that they don't all launch simultaneously. This should help with some freeze-up on startup problems.
    3. Added diagnostic software that will allow us to access hardware information in the field.
    4. Repaired a problem where if both circuit and remote ids were provided in option 82, the remote-id was not recorded.
    5. Repaired a problem that could cause the daily cron tasks to possibly hang and therefore not run the next day.
    6. When DHCP log storage gets too large, it can cause slowdowns and problems on the DHCPatriot. A watchdog has been introduced to clean the logs if they get too large. (Please note that this refers to logs, not session information; in other words, the transitory information used for troubleshooting someone's DHCP problems, not the storage of what IP address was used by whom at what time.)
    7. Added extra information to the log file when an invalid DHCP event is encountered so that we may find the offending event and remove it.
-Darren