
Digi International Security Notice OpenSSL "Heartbleed"

Digi International Security Notice

April 14th, 2014
(Updated 4/18/2014)

CVE-2014-0160 / OpenSSL “Heartbleed”

Overview

On April 7th, a critical security vulnerability (CVE-2014-0160), nicknamed “Heartbleed,” was discovered in the OpenSSL cryptographic software library. The purpose of this notice is to inform you of the vulnerability and the steps necessary to remediate this issue. If exploited, this vulnerability could allow attackers to monitor all information passed between a user and a web service or decrypt past traffic they’ve collected. More details can be found here: http://heartbleed.com.

Affected Products

The security team at Digi has evaluated the exposure of the vulnerability and determined that a small number of our products are affected by this vulnerability:

In order to mitigate this vulnerability, Digi recommends immediately updating products to the upcoming firmware versions (available Monday, April 21, 2014). For remote devices, Digi recommends Device Cloud by Etherios to update firmware and manage devices without costly truck rolls. If you are currently not a Device Cloud customer, you can sign up for 30 days of free access at https://login.etherios.com.

Not Affected Products

The following Digi products and services are not affected by this vulnerability:

Note: If you have any questions on any Digi products and services that are not listed, please contact us at +1 (952) 912-3456, or via the web site at www.digi.com/support.

Detailed Information on Affected products

Background

The vulnerability, known officially as CVE-2014-0160 and nicknamed “Heartbleed”, has impacted many different applications and service providers on the Internet. It can also impact any system that uses the security layer known as Secure Sockets Layer, or “SSL” for short. Digi and Etherios maintain a security team that reviews all of our operations and products for any security vulnerability. Security is a top priority and something we take very seriously.

Analysis

We have used various commercial scanners, as well as manual methods to conduct these tests and determine our results. Below is our analysis of the threat, the risk of what may be exposed, and how we recommend our customers mitigate the threat.

Functions impacted:

Functions NOT impacted:

Risk

The areas of risk of the Heartbleed vulnerability are:

We believe that the current risk associated with Heartbleed and the device would be classified as LOW RISK for many of our customers. However, risk needs to be determined by the end customer and how they have chosen to deploy the device within their environment. We make this determination based on the following criteria:

Suggested Steps to Protect Your Devices

To fix or mitigate devices affected by this vulnerability, we suggest the following steps.

Fixing Devices

All of the following functions listed below are available via Device Cloud by Etherios.  Device Cloud is a management platform providing the capability to perform device management functions to your installed base of devices regardless of their location.  How-to guides will be available at www.digi.com/heartbleed.

Update Firmware. The recommended fix for Heartbleed for our devices is to update to a fixed Firmware version. Digi is releasing new firmware versions for all of the affected devices. Check this notice for firmware release versions and dates. You can also visit www.digi.com/support for more information specific to your device. We would also recommend subscribing to the RSS feed on the support site for your product to get immediate notice of any new firmware or document releases specific to your product.

Change Certificates. If the device has the https service enabled, and you have deployed your own private key and certificates to the web interface, we recommend that you change the certificate. (Make sure that you have updated to an unaffected Firmware Version first)

Change Passwords. Change all passwords associated with the device. This includes device user passwords. If using TACACS or RADIUS, make sure that you change the user passwords as well as the shared secret. If your device has any VPN tunnels configured, please change these passwords and/or tokens as well.

Mitigation Steps

If a firmware update is not available, we recommend the following steps to mitigate against the vulnerability. Disclaimer: Because of the many different customer configurations, this list cannot be guaranteed to mitigate fully against this threat. It is up to the customer to validate that all of these steps will mitigate against the Heartbleed vulnerability.

All of the following functions listed below are available via Device Cloud by Etherios.  Device Cloud is a management platform providing the capability to perform device management functions to your installed base of devices regardless of their location.  How-to guides will be available at www.digi.com/heartbleed.

Disable the Web Service. Disabling the HTTPS service while still maintaining manageability of the device can be accomplished in a number of ways. You can either manage the device through a command line service like SSH, or use a Device Cloud account to centrally manage all of your devices. Further, if your HTTPS service is enabled on a public IP on the Internet, you need to restrict the HTTPS web interface to specific IPs or disable it.

Change Passwords. Change all passwords associated with the device. This includes device user passwords. If using TACACS or RADIUS, make sure that you change the user passwords as well as the shared secret. If your device has any VPN tunnels configured, please change these passwords and/or tokens as well.

Check Services. If you have implemented any HTTPS services within Python, please evaluate your code and make sure that it is not impacted. If you have shell scripting that uses the OpenSSL commands, please make sure that the Heartbeat TLS extension has been mitigated (the OpenSSL build is either updated or has heartbeat support disabled).
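The "Check Services" step above asks you to confirm that your own Python HTTPS code and any shell scripts that call the openssl command are not running on an affected library. The following is an added example, not part of this notice or any Digi product: it parses the version banner that "openssl version" prints (the same string that Python exposes as ssl.OPENSSL_VERSION) and classifies it against the publicly documented affected range (OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and later are fixed). The sample banners are constructed for illustration. A version string cannot tell you whether a build was compiled with -DOPENSSL_NO_HEARTBEATS, so a "vulnerable" result from this check means "confirm with your vendor or update", not proof of exposure.

```python
import re
import ssl

# Added example (not Digi code). Heartbleed (CVE-2014-0160) affects
# OpenSSL 1.0.1 through 1.0.1f plus the 1.0.2-beta1 release; 1.0.1g and
# later carry the fix. Builds compiled with -DOPENSSL_NO_HEARTBEATS are
# not exposed but look identical here, so treat "vulnerable" as
# "update or confirm the build options".

_VERSION_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(beta\d+))?", re.IGNORECASE
)


def parse_openssl_version(banner):
    """Parse an `openssl version` banner such as 'OpenSSL 1.0.1f 6 Jan 2014'.

    Returns (major, minor, fix, patch_letter, prerelease), or None when the
    string does not look like an OpenSSL version banner.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter, pre = m.groups()
    return (int(major), int(minor), int(fix), (letter or "").lower(), pre or "")


def is_heartbleed_vulnerable(version):
    """True when a parsed version falls inside the affected range."""
    major, minor, fix, letter, pre = version
    if (major, minor, fix) == (1, 0, 1):
        # "" (plain 1.0.1) sorts before "a", so 1.0.1 .. 1.0.1f are caught;
        # 1.0.1g and later are not.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return pre == "beta1"
    return False


def assess(banner):
    """Classify a banner as 'vulnerable', 'not-vulnerable' or 'unknown'."""
    version = parse_openssl_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if is_heartbleed_vulnerable(version) else "not-vulnerable"


def assess_running_python():
    """Check the OpenSSL library this interpreter's ssl module is linked against."""
    return assess(ssl.OPENSSL_VERSION)


# Constructed sample banners in the format `openssl version` prints.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1f 6 Jan 2014",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 0.9.8y 5 Feb 2013",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.1 14 Mar 2012",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{banner!r}: {assess(banner)}")
    print("this interpreter:", ssl.OPENSSL_VERSION, "->", assess_running_python())
```

For a shell script, capture the banner with `openssl version` and feed it to assess(); for a Python service, assess_running_python() reports the library the ssl module actually loaded, which is what matters even when a different openssl binary is on the PATH.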

Resources for Heartbleed

If you are interested in learning more about the disclosure, please feel free to visit the web pages below:

If you have any other questions regarding this vulnerability and the Device Cloud by Etherios product, feel free to contact us at cloud.security@etherios.com.
