A security vulnerability nicknamed "POODLE" (CVE-2014-3566) was announced on October 14th, 2014. We have had many inquiries about this vulnerability and its impact on our products. US-CERT has classified this vulnerability overall as a medium risk (CVSSv3 score of 4.3). The purpose of this notice is to inform our end users of the vulnerability, which devices are impacted, what steps end users can take to mitigate the risk, and what Digi will be doing to fix this issue. In our testing of this vulnerability against our products, we found no case in which a remote attacker could gain unauthorized access to end devices or services. Digi has rated the exploitability of this vulnerability as VERY LOW.
The security teams at Digi have evaluated the exposure of Digi products to this vulnerability and determined that the overall risk of this vulnerability to our products is very low. We have found that many of our products are affected by this vulnerability. In all cases, we found that no services or products are remotely exploitable through it. The following products are impacted:
Following best security practices, Digi will be fixing this vulnerability in all of our supported products. Digi recommends that all of its customers update their products to the new firmware versions when released. Please check the release notes for your specific product. For some of our products and services, this will be deployed in our next scheduled release.
The following Digi products and services are not affected by this vulnerability:
Note: If you have any questions on any Digi products and services that are not listed, please contact us at +1 (952) 912-3456, or via the web site at www.digi.com/support.

Detailed Information on Affected products
Digi International maintains a security team that will continue to review new findings about this threat as they emerge, and to test our solutions and products for new and emerging security vulnerabilities. Security is a top priority and something we take very seriously.
In our analysis, we have found that many of our devices are impacted. That is to say, the majority of our devices have a web management front end, and that web front end supports the SSLv3 protocol.
In reviewing the mitigating strategies for fixing our devices and services, we found two suggested approaches. The first was to disable SSLv3 on the web servers. The other was to fix the SSLv3 libraries themselves, which would require a recompile for most implementations; as part of this fix, the new TLS_FALLBACK_SCSV downgrade protection would also be added. After further review of the SSLv3 protocol and of other attacks against it, such as BEAST, we decided to survey how much our customers use SSLv3 with our products and services. We found very little SSLv3 use among our customers. We were also aware that continued support of SSLv3 would probably put us right back in the same position sooner or later. We therefore chose to remove SSLv3 support from our products and services. This removes a source of future issues and also mitigates BEAST-like attacks.
In reviewing our products and services, we have used various commercial scanners, as well as manual methods, to conduct these tests and determine our results. For POODLE, we have classified the risk as very low to our devices and low to our cloud services. We are taking the approach of immediately building new firmware versions to fix this vulnerability, and we suggest that our customers update as soon as possible. In some cases the fix is more considerable work, and we have scheduled it for our next regular firmware release. However, we have been able to get this fixed quite quickly for our core products.
Below is our analysis of the threat, the risk of what may be exposed, and how we recommend our customers mitigate the threat.
We review every vulnerability carefully to determine its impact on our devices and services, and we try to give our customers a recommendation on the anticipated impact. However, since we do not know the specific configuration and data each customer uses with our products and services, we always suggest that customers review their unique situation and understand what the risk could be to their environment.
Below is a list of functions that are not impacted. This is not a complete list; it is meant to call out functions that customers may be concerned about and that we have determined are not affected.
For specific risks to Digi International products, we have classified the risk of POODLE to our products as VERY LOW. Further, for our Device Cloud, we have rated it as a LOW risk. During our testing, we were not able to find any remote exploit enabled by this vulnerability. Although US-CERT has rated this vulnerability as the highest (CVSS of 4.3), we believe the real threat to our devices is much lower.
The risks of POODLE to our products and services are:
Risk needs to be determined by the end customer and how they have chosen to deploy the device within their environment. We make this determination based on the following criteria:
To fix or mitigate devices affected by this vulnerability, we suggest the following steps.
The recommended fix for our devices is to update to a fixed firmware version. Digi is releasing new firmware versions for all of the affected devices. Check this notice for firmware release versions and dates. You can also visit www.digi.com/support for more information specific to your device. We also recommend subscribing to the RSS feed on the support site for your product to get immediate notice of any new firmware or document releases specific to your product.
If a firmware update is not available, we currently have no mitigation recommendation for most devices.
For Transport devices, the end user can configure the HTTPS web service to support TLSv1 only. This is done under Configuration > Network > SSL > SSL Server > SSL Version.
For Rabbit devices, it is possible for the end user to disable SSLv3. Please see the documentation on our support website for your product: https://hub.digi.com/support/products/
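One way to confirm that a device's HTTPS service no longer negotiates SSLv3, whether after a firmware update, after restricting the Transport SSL Version setting to TLSv1, or after disabling SSLv3 on a Rabbit device, is the Python script below. It is an added example and is not code from Digi or from this notice. It builds a raw SSLv3 ClientHello, classifies the server's first reply (a version 3.0 ServerHello means SSLv3 is still enabled; a protocol_version or handshake_failure alert, or a dropped connection, means it is refused), and sends a second ClientHello carrying TLS_FALLBACK_SCSV to see whether the server also implements the downgrade protection mentioned above. The cipher list, the host and port arguments, and the sample server replies are constructed assumptions, not captures from Digi devices.

```python
import socket
import struct

# SSLv3 is record/handshake version 3.0; TLS 1.0 is 3.1.
SSLV3_VERSION = (3, 0)
# RFC 7507 signalling cipher suite value; a client adds it when it retries a
# handshake at a lower version than it first offered.
TLS_FALLBACK_SCSV = 0x5600
# Constructed offer: a handful of SSLv3-era cipher suites (CBC and RC4).
SSLV3_CIPHERS = [0x000A, 0x002F, 0x0035, 0x0005, 0x0004]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               86: "inappropriate_fallback"}


def build_client_hello(include_fallback_scsv=False):
    """Return an SSLv3 ClientHello inside a handshake record (both at version 3.0)."""
    ciphers = list(SSLV3_CIPHERS)
    if include_fallback_scsv:
        ciphers.append(TLS_FALLBACK_SCSV)
    cipher_bytes = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (
        bytes(SSLV3_VERSION)                    # client_version = 3.0
        + bytes(32)                             # client random (constructed: zeros)
        + b"\x00"                               # empty session id
        + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
        + b"\x01\x00"                           # one compression method: null
    )
    # Handshake header: type 1 (ClientHello) + 3-byte length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type 0x16 (handshake), version 3.0, 2-byte length.
    return b"\x16" + bytes(SSLV3_VERSION) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns for an SSLv3 ClientHello.

    'sslv3_accepted'          ServerHello at version 3.0: SSLv3 is still enabled
    'negotiated_<maj>.<min>'  ServerHello at another version (unexpected here)
    'alert:<name>'            handshake refused with a TLS alert
    'closed' / 'unknown'      connection dropped, or an unrecognised reply
    """
    if not data:
        return "closed"
    if len(data) < 7:
        return "unknown"
    content_type = data[0]
    if content_type == 0x15:                                   # alert: level, description
        return "alert:" + ALERT_NAMES.get(data[6], str(data[6]))
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # ServerHello
        version = (data[9], data[10])
        if version == SSLV3_VERSION:
            return "sslv3_accepted"
        return "negotiated_%d.%d" % version
    return "unknown"


def assess(plain_result, scsv_result):
    """Combine the plain SSLv3 probe and the SSLv3+SCSV probe into a verdict.

    A server with SSLv3 removed usually answers both probes with protocol_version
    or handshake_failure (or just closes); an inappropriate_fallback alert on the
    SCSV probe additionally shows that it implements RFC 7507 downgrade protection.
    """
    if plain_result == "sslv3_accepted":
        return "VULNERABLE: server still negotiates SSLv3"
    if scsv_result == "alert:inappropriate_fallback":
        return "OK: SSLv3 refused, TLS_FALLBACK_SCSV honoured"
    return "OK: SSLv3 refused (%s)" % plain_result


def probe(host, port=443, include_fallback_scsv=False, timeout=5.0):
    """Send one SSLv3 ClientHello to host:port and classify the first reply.
    Assumed usage: re-checking a device's HTTPS service after the firmware or
    SSL Version change described in the notice. Not used by the offline demo."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(include_fallback_scsv))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed sample replies for the offline demonstration (not captured from Digi devices).
SAMPLE_SERVERHELLO_SSLV3 = (
    b"\x16\x03\x00\x00\x2a"            # handshake record, version 3.0, 42 bytes
    + b"\x02\x00\x00\x26"              # ServerHello, 38-byte body
    + b"\x03\x00" + bytes(32)          # server_version 3.0, server random
    + b"\x00"                          # empty session id
    + b"\x00\x2f\x00"                  # cipher 0x002F, null compression
)
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x01\x00\x02\x02\x46"   # fatal, protocol_version (70)
SAMPLE_ALERT_FALLBACK = b"\x15\x03\x03\x00\x02\x02\x56"           # fatal, inappropriate_fallback (86)


def demo():
    """Classify the constructed samples: a device before and after the SSLv3 removal."""
    before = assess(classify_response(SAMPLE_SERVERHELLO_SSLV3),
                    classify_response(SAMPLE_SERVERHELLO_SSLV3))
    after = assess(classify_response(SAMPLE_ALERT_PROTOCOL_VERSION),
                   classify_response(SAMPLE_ALERT_FALLBACK))
    return before, after


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

To check a live device, call `assess(probe(host), probe(host, include_fallback_scsv=True))`. Only the first record of the reply is inspected, so the script never completes a handshake and needs no certificate or cipher support of its own; an older server that drops the connection without an alert is reported as "closed", which still counts as SSLv3 being refused.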
If you are interested in learning more about the disclosure, please feel free to visit the web pages below:
If you have any other questions regarding this vulnerability and how it affects Digi hardware products and the Digi Device Cloud, feel free to contact us at firstname.lastname@example.org