Welcome to Digi’s Security Center, where we will strive to make this your one-stop location for all the security news, information and resources related to our products and services.
Oct 30, 2017
Digi is aware of the BlueBorne vulnerability related to the penetration of Bluetooth connections resulting in potentially unauthorized access to devices and/or data. BlueBorne affects ordinary computers, mobile phones, embedded devices, and other connected devices with Bluetooth connectivity. Please refer to https://www.armis.com/blueborne/ for detailed information about the vulnerability. For embedded products, we strongly recommend that customers review the available public information about the BlueBorne vulnerability and apply mitigation approaches, including fixes already available in the community. We also intend to provide fixes/workarounds for the related vulnerabilities as soon as possible. In the meantime, please contact us if you have any questions about how this vulnerability may affect the Digi products/platforms you are using.
Oct 20, 2017
DNSmasq Network service (CVE-2017-14491)
We have evaluated the impact of this vulnerability on our devices, and have concluded that the Transport LR54 is the only Digi device affected. We have made available a patch for this vulnerability in firmware versions 184.108.40.206 and above. Please see the Digi support site for firmware releases for the LR54 product.
Oct 16, 2017
Digi is aware of a vulnerability within the defined Wi-Fi security protocol WPA2. This has been defined as the KRACK Attack. We have released new firmware for impacted products. For a full technical statement on affected products and workarounds, please see our knowledge base article.
Nov 10, 2016
OpenSSL - New Security Release 1.1.0c
We are still reviewing the impact of this on our devices. We believe that this will not have any impact for Digi, as we use the OpenSSL long term support (LTS) version, OpenSSL v1.0.2, in our products, and not v1.1.0.
Oct 21, 2016
Dirty COW - (CVE-2016-5195)
We are in the process of fully testing our products against this vulnerability. Currently, we have found a few devices that are slightly impacted. However, due to the product type, there is no way to effectively exploit the devices with this vulnerability.
Oct 01, 2017
Mirai Botnet Impact Investigations
At this time, we have reviewed this, and we are not aware of any of our devices that can be compromised by this botnet. We are continuing to monitor this in case this changes in the future.
Mar 03, 2017
Practical exploits against SHA1 hashing have now been discovered
Although we have been migrating our products' use of SHA1 over the last few years, we are re-evaluating our products for any remaining SHA1 hash use. We anticipate that future releases will remove the SHA1 hash use and move to the stronger SHA3 or SHA2 routines.
May 03, 2017
Evaluation of Security Vulnerability VU#561444
Expanded info on CVE-2014-9222, CVE-2014-9223
Many Digi products contain and use the RomPager by Allegrosoft web server technology. It has come to our attention that this embedded web server, which is used for management of our devices, contains what we have defined as a critical vulnerability. We urge any customer who may have one of these products where the administrative web server is available on non-secure networks to either upgrade the firmware to a patched version or disable the web server for management of these devices.