Welcome to Digi’s Security Center, where we will strive to make this your one stop location for all the security news, information and resources related to our products and services.
Jun 16, 2020
RIPPLE20 - Multiple vulnerabilities in TRECK TCP/IP embedded software - VU#257161
A number of high-severity vulnerabilities (CVEs) affecting the internal packet processing of the Treck TCP/IP stack have been identified. Digi has been working with customers since February to install firmware updates that address the issue. Under specific circumstances, these vulnerabilities could lead to unauthenticated remote code execution via a network-based attack.
CVSSv3.1 Score of 8.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Several Digi products have been identified as impacted, and we strongly recommend that you update your firmware immediately.
These products include:
- Digi Connect® ME, Digi Connect® EM, Digi Connect® WME, Digi Connect® SP, and Digi Connect® ES; Digi Connect® 9C, Digi Connect® 9P;
- Digi ConnectPort® TS, Digi ConnectPort® X2, Digi ConnectPort® X4;
- Digi AnywhereUSB® (First and Second Gen, NOT Plus);
- NetSilicon 7250, 9210, 9215, 9360, 9750;
- Any products using the NET+OS 7.X development environments.
For more information, read the Digi Knowledge base article.
Jun 02, 2020
Reflection attack WR11,WR21,WR31,WR41,WR44 series routers - VU#636397 - CVE-2020-10136
A high-severity vulnerability (CVSS ≥ 7.0) was discovered in the Digi WR11, WR21, WR31, WR41, and WR44 cellular routers. The vulnerability allows IP-in-IP encapsulation to be used to route arbitrary network traffic through a vulnerable device.
Please download firmware V188.8.131.52 (or greater), which fixes this issue. Alternatively, enabling the firewall feature on the device's WAN interface (or cellular interface) will also mitigate this attack.
For more information on this vulnerability, please see the knowledge base article within the Digi support section.
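The entry above describes the vulnerability class but not how a defender would recognise it on the wire. The following is an added example, not code from Digi or from the advisory: it parses raw IPv4 headers, flags packets whose protocol field is 4 (IP-in-IP, RFC 2003), decodes the inner header, and reports whether the encapsulated packet is addressed to an internal prefix. The packet bytes and the address ranges are constructed for the example; a real deployment would feed it frames captured on the untrusted (WAN or cellular) interface.

```python
import ipaddress
import socket
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_IPIP = 4   # IP-in-IP encapsulation (RFC 2003)
IPPROTO_TCP = 6


@dataclass
class IPv4Header:
    ihl: int          # header length in bytes
    total_length: int
    protocol: int
    src: str
    dst: str


def ip_checksum(data: bytes) -> int:
    """Standard ones-complement checksum over 16-bit words (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(buf: bytes) -> IPv4Header:
    """Decode and validate a fixed-size or option-bearing IPv4 header."""
    if len(buf) < 20:
        raise ValueError("short IPv4 header")
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or ihl > len(buf):
        raise ValueError("not a valid IPv4 header")
    # A header whose checksum is intact sums (including the checksum field) to zero.
    if ip_checksum(buf[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return IPv4Header(ihl, total_len, proto, socket.inet_ntoa(src), socket.inet_ntoa(dst))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Constructed-packet helper for the example: minimal IPv4 header plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def inspect_packet(buf: bytes, internal_nets) -> Optional[dict]:
    """Return a finding for IP-in-IP packets, None for anything else.

    internal_nets: iterable of CIDR strings the device should never tunnel traffic into.
    """
    outer = parse_ipv4(buf)
    if outer.protocol != IPPROTO_IPIP:
        return None
    inner = parse_ipv4(buf[outer.ihl:])
    inner_dst = ipaddress.ip_address(inner.dst)
    targets_internal = any(inner_dst in ipaddress.ip_network(n) for n in internal_nets)
    return {
        "outer_src": outer.src, "outer_dst": outer.dst,
        "inner_src": inner.src, "inner_dst": inner.dst,
        "inner_proto": inner.protocol,
        "targets_internal": targets_internal,
    }


# Constructed sample traffic (TEST-NET and RFC 1918 addresses, not real hosts):
# an Internet-side host sends the router's WAN address an IP-in-IP packet whose
# inner datagram is a TCP segment aimed at a LAN host behind the router.
INTERNAL_NETS = ["192.168.0.0/16", "10.0.0.0/8"]
INNER = build_ipv4("10.0.0.5", "192.168.1.10", IPPROTO_TCP, b"\x00" * 20)
TUNNELED = build_ipv4("203.0.113.7", "198.51.100.2", IPPROTO_IPIP, INNER)
PLAIN = build_ipv4("203.0.113.7", "198.51.100.2", IPPROTO_TCP, b"\x00" * 20)

if __name__ == "__main__":
    for name, pkt in (("tunneled", TUNNELED), ("plain", PLAIN)):
        print(name, inspect_packet(pkt, INTERNAL_NETS))
```

The check is deliberately stateless: the router-side mitigation named in the advisory (a firewall on the WAN or cellular interface) is the fix, and this routine is the corresponding detection, useful for confirming from a capture whether unsolicited protocol-4 traffic is reaching an unpatched device.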
Mar 16, 2020
Randomization of Secure Session SRP ephemeral values
A vulnerability was discovered in the Digi XBee 3 Zigbee and Digi XBee 3 802.15.4 firmware where the ephemeral values used for Secure Session SRP authentication are not randomized unless BLE is enabled. This feature is typically used to secure networks against unauthorized remote configuration.
For more information, go to: https://www.digi.com/support/knowledge-base/xbee-3-%E2%80%93-secure-session-srp-randomization
Mar 05, 2020
Zigbee transport keys sent 'in the clear'
A vulnerability was discovered on earlier-generation XBee ZigBee modules (S2B, S2C, and S2D) where a router that was previously associated with the network can be allowed back onto the secured network using an invalid preconfigured link key. Afterwards, this node could inadvertently pass the network key "in the clear" to devices attempting to join through it.
For more information, go to: https://www.digi.com/support/knowledge-base/xbee-zigbee-keys-can-be-sent-in-the-clear
Feb 11, 2020
Digi ConnectPort LTS vulnerabilities - 1 unrestricted upload, and 3 stored cross site scripting vulnerabilities - ICS Advisory (ICSA-20-042-13)
Vulnerability researchers Murat Aydemir and Fatih Kayran discovered the above vulnerabilities in the web interface of the Digi ConnectPort LTS firmware. The suggested fix for these issues is to update to the latest firmware release for your product. For the full US-CERT guidance, please see: https://www.us-cert.gov/ics/advisories/icsa-20-042-13
For firmware updates, go to: https://www.digi.com/support/supporttype?type=firmware
Jun 25, 2019
"SACK" Vulnerability - (CVE-2019-11477, CVE-2019-11478, CVE-2019-5599 and CVE-2019-11479)
Digi Intl. is aware of four recent vulnerabilities known as the "SACK" vulnerabilities. We are currently reviewing impact and coordinating fixes within our known impacted products at this time. More information will be available next week on the timeline for fixes. It is critical to note that these vulnerabilities do NOT impact the confidentiality and integrity of any Digi devices. All of these vulnerabilities are classified as "Denial of Service" issues. This means that it may be possible to kick a device off the network or reboot the device.
Feb 19, 2019
Digi LR54/WR64/WR54 CVE-2018-20162 Major Security Vulnerability – Restricted Shell escape
A vulnerability was discovered by Stig Palmquist in the above-named routers. This vulnerability allows an individual with existing full-admin command-line access to obtain a root shell on the device. This vulnerability is not remotely exploitable. We suggest customers upgrade to versions equal to or greater than 4.5.1. It is also noted that even with this vulnerability, many critical parts of the router are read-only, and installed code is protected by a secure boot process. More detail will be published in Digi's Knowledge base on this issue.
Oct 24, 2018
libSSH Critical vulnerability : CVE-2018-10933
Digi is aware of a critical vulnerability in the libssh libraries. We have conducted an impact analysis to identify if any Digi products are affected. We believe at this time that NO Digi products are impacted by this vulnerability, as we do not use this library for features in our products. We will continue to monitor this situation, and will post more information if the status changes.
Jan 05, 2018
Spectre and Meltdown Vulnerabilities - (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754)
Digi is aware of the Spectre and Meltdown vulnerabilities that were recently released. These vulnerabilities impact the confidentiality of data running on Intel, AMD and ARM processors.
For Digi hardware products, we do not use Intel or AMD processors, and as a consequence the "Meltdown" vulnerability does not affect Digi hardware products.
For the Spectre vulnerability, Digi security teams are working to determine the practical impacts and patches on Digi hardware products that use ARM processors.
For Digi Remote Manager & Device Cloud, we are working with our providers to address Spectre and Meltdown.
Additional information will be provided as soon as it is available. For more information on these vulnerabilities, please see the website https://meltdownattack.com/
Please continue to check this space for updates, or subscribe to the RSS feed above.
Nov 29, 2017
Discovered vulnerabilities with TransPort WR Series cellular routers
Three vulnerabilities have been found by Kaspersky Lab within the WR series TransPort routers. These vulnerabilities are rated from high to low. The impacted devices are the Digi TransPort WR11, WR21, WR41, WR44, and WR31. This includes the "R" and "RR" versions as well. The impacted vulnerable services are SNMP, FTP, and the command line interface. For more information on the discovered vulnerabilities, including patches, mitigations, and overall risk, please see the knowledge base article.
Oct 30, 2017
Digi is aware of the BlueBorne vulnerability, which concerns the compromise of Bluetooth connections and can result in unauthorized access to devices and/or data. BlueBorne affects ordinary computers, mobile phones, embedded devices, and other connected devices with Bluetooth connectivity. Please refer to https://www.armis.com/blueborne/ for detailed information about the vulnerability. For embedded products, we strongly recommend that customers review the available public information about the BlueBorne vulnerability and apply mitigation approaches, including fixes already available in the community. We also intend to provide fixes/workarounds for the related vulnerabilities as soon as possible. In the meantime, please contact us if you have any questions related to how this vulnerability may affect the Digi products/platforms you are using.
Oct 20, 2017
DNSmasq Network service (CVE-2017-14491)
We have evaluated the impact of this vulnerability on our devices and have concluded that the TransPort LR54 is the only Digi device affected. We have made available a patch for this vulnerability in firmware versions 184.108.40.206 and above. Please see the Digi support site for firmware releases for the LR54 product.
Oct 16, 2017
Digi is aware of a vulnerability within the Wi-Fi security protocol WPA2. This has been named the KRACK attack. We have released new firmware for impacted products. For a full technical statement on affected products and workarounds, please see our knowledge base article.
Oct 01, 2017
Mirai Botnet Impact Investigations
At this time, we have reviewed this, and we are not aware of any of our devices that can be compromised by this botnet. We are continuing to monitor this in case this changes in the future.
Mar 03, 2017
Practical exploits against SHA1 hashing have now been discovered
Although we have been migrating our products away from SHA1 for the last few years, we are re-evaluating our products for any remaining SHA1 hash use. We anticipate that future releases will remove the SHA1 hash use and move to the stronger SHA2 or SHA3 routines.
Nov 10, 2016
OpenSSL - New Security Release 1.1.0c
We are still reviewing the impact of this on our devices. We believe that this will not have any impact for Digi, as we use the OpenSSL long term support (LTS) version v1.0.2 in our products, and not v1.1.0.
Oct 21, 2016
Dirty COW - (CVE-2016-5195)
We are in the process of fully testing our products against this vulnerability. Currently, we have found a few devices that are slightly impacted. However, due to the product type, there is no way to effectively exploit these devices through this vulnerability.
Jul 19, 2019
Followup SACK vulnerability knowledge base article
For a more detailed list of Digi devices impacted by the SACK vulnerability, see the following KB article, https://www.digi.com/support/knowledge-base/sack_vulnerability
May 03, 2017
Evaluation of Security Vulnerability VU#561444
Expanded info on CVE-2014-9222, CVE-2014-9223
Many Digi products contain and use the RomPager web server technology by Allegrosoft. It has come to our attention that this embedded web server, which is used for management of our devices, contains what we have defined as a critical vulnerability. We urge any customer who may have one of these products, where the administrative web server is reachable from non-secure networks, to either upgrade the firmware to a patched version or to disable the web server for management of these devices.
With global scalability, certifications, and compliance, Digi has developed Digi TrustFence™, a security framework along with a series of best practices making our approach to security stand apart in the marketplace, including:
A dedicated security office ensuring that security best practices are incorporated into the engineering design process. Our approach incorporates accepted guidelines and processes that take into consideration product design and testing, such as those defined by the American Society for Quality / Failure Mode Effects Analysis; iSixSigma/DFMEA; ISO9001 SDLC, Penetration Testing Execution Standard and OWASP; as well as emerging standards such as the Online Trust Alliance (OTA). Additionally, we are active participants in established standards bodies including the ZigBee® Alliance, Thread Group, and the SunSpec Alliance, and are members of established organizations such as the Center for Internet Security.
Our standalone security lab tests our products in a variety of ways, including vulnerability analysis and penetration testing. Our skilled testing staff has received certification from leading security bodies including (ISC)2, EC-Council – Licensed Pen Tester (LPT/ECSA/CEH), and in Six Sigma capabilities. In addition, we go beyond general information technology certifications to offer industry expertise in certifications that apply to specific markets, such as energy, government, medical, industrial, retail, transportation and more.
Our dedicated security team regularly collaborates with product and engineering teams on key security issues. In the design process we take a systematic security approach – encompassing design, software, physical attributes and more – making security part of the product lifecycle. We also involve our customers and partners in the process to ensure a real-life approach that tests security within actual deployment environments.
By providing ongoing threat measurement and monitoring services, as well as performing internal and external security audits on a regular basis, we ensure our cloud platform carries up-to-date security patches, and we provide ongoing proactive communication regarding upcoming threats. Our cloud platforms conform to the latest security frameworks and have acquired a PCI Report on Compliance as a managed service provider.