Summary

The DX client for DAL did not verify the TLS server identity when sending beacon messages during long-running operations or when downloading firmware files.

Firmware downloads were content-addressed and verified against SHA256 checksums delivered over the client’s main control channel, which does verify the TLS server identity. Firmware delivery was therefore not affected.

Beacon messages report the progress of long-running operations (firmware and client updates) back to the server and had no equivalent integrity check. An attacker able to intercept these connections could read them or forge progress reports, misleading operators about an operation’s status. The beacons carry no credentials and the client ignores the response, so this does not enable code execution or data theft.

Routers enrolled against default installations trust only the server’s local CA and are partially mitigated. Installations using public or custom PKI are exposed to machine-in-the-middle attacks on these connections.

The fix shipped in v25.04 (April 2025); this advisory is being published now as part of a consolidated disclosure.

Solution

Users should update to v25.04 or later and upgrade their DAL devices to run dx-v4.38 or later.

Affected Versions

• DX DAL client versions before v4.38, included in Digi On-Prem Manager v24.12.5 and earlier