Digi recommends that all customers update their firmware to version 126.96.36.199 or higher to protect against the following three high severity vulnerabilities. Two of the vulnerabilities exist within the FTP server and the command line; both are classified as medium, as they only apply to authenticated users. The last vulnerability, in SNMP, is classified as high. Digi urges any customer who may have one of the affected products either to upgrade the firmware to a patched version or to disable SNMP and FTP for management of the device. See the mitigation section below for fuller guidance if immediate patching is not an option.

History:
These security vulnerabilities were discovered by Danila Parnishchev (Kaspersky Lab) and were confirmed by the Digi International Security team. In reviewing these vulnerabilities, current exploits only impact the Availability* of the product. In our testing, when the vulnerabilities were triggered, we observed that the device rebooted as designed and was back online within a few seconds. We rated these vulnerabilities from low to high. One specific vulnerability may allow remote code execution; we have rated this vulnerability as high due to the potential risk. We believe that such an event is unlikely, given the exposure of the service and the effort required to build a working exploit on a proprietary operating system.
Affected Products:
TransPort Series Routers WR11, WR21, WR31, WR41, WR44

CVE-2074-XXXX (SNMP Denial of Service and Buffer Overflow):
- Overall Digi Rating - High
- CVSS v2 Vector - (AV:N/AC:H/Au:N/C:C/I:C/A:C)
- Overall CVSS - 7.6
The vulnerability exists in the SNMP processing code. If specific values within certain variables are sent, it is possible to produce a buffer overrun within the Digi TransPort product. This overrun initially leads to a device reboot, so at present the attack is only a denial of service (DoS) attack. We believe that a remote code execution attack could possibly be designed, but no such attack is known to exist at this time. We also believe that designing such an attack would be significantly more difficult because Digi TransPort products run a proprietary embedded OS: compared with publicly available embedded operating systems, a higher level of effort would be required to achieve anything beyond a system crash or the changing of simple variables.
CVE-2074-XXXX (FTP Denial of Service):
- Overall Digi Rating - Medium to Low
- CVSS v2 Vector - (AV:N/AC:L/Au:S/C:N/I:N/A:C)
- Overall CVSS - 6.8

This vulnerability exists in the FTP processing code. If incorrect FTP protocol information is given, the Digi TransPort products will improperly process certain commands, which leads to a reboot. This attack is only a denial of service attack. To trigger this attack, an FTP server must be turned on, and the attacker must either have credentials to log in to the service or anonymous FTP access must be turned on.
CVE-2074-XXXX (Command-line Denial of Service):
- Overall Digi Rating - Low
- CVSS v2 Vector - (AV:L/AC:L/Au:S/C:N/I:N/A:C)
- Overall CVSS - 4.6

The vulnerability exists in the command line processing code. To conduct this attack, an authenticated user with FULL administrative access needs to reach the command line admin interface. Within this interface, if specific values are given as options to a specific command, it is possible to produce a buffer overrun within Digi TransPort products. This overrun initially leads to a device reboot, so at present the attack is only considered a denial of service attack. We believe that a remote code execution attack could possibly be designed, but no such attack is known to exist at this time. We also believe that designing such an attack would be significantly more difficult because Digi TransPort products run a proprietary embedded OS: compared with publicly available embedded operating systems, a higher level of effort would be required to achieve anything beyond a system crash or the changing of simple variables.

Overall Summary of Vulnerabilities:
In the Digi evaluation of these vulnerabilities, we have deemed them high severity, and we have created an immediate patch available via the normal support methods and on the Digi International web site. We recommend that current customers download and evaluate the latest firmware for the Digi devices they have deployed. As always, it is up to our end-use customers to evaluate risk and make appropriate decisions, as Digi does not recommend rolling out new firmware versions without full acceptance testing.

Evaluation of Risk:
Below are the reasons why Digi believes this to be a high vulnerability:
Mitigation:
If it is not possible to patch, Digi suggests the mitigation steps below:

FTP Server
Other Mitigating Factors:
Many devices may only exist within a secure, separate network. If this is the case, Digi advises you to conduct your own risk assessment, as having the device isolated may help reduce the risk of this vulnerability. However, if this device is connected directly to the Internet, we strongly suggest disabling the FTP and SNMP services immediately, at least on any public-facing interfaces.

References:
CIA Triad of Security - http://www.techrepublic.com/blog/it-security/the-cia-triad
United States Computer Emergency Readiness Team (US-CERT) - https://www.us-cert.gov
Summary:
With security being a critical part of many products in the Internet of Things, Digi is committed to making sure that our products are safe and usable within critical infrastructure and other business settings. With vulnerabilities and risks part of our daily routine, Digi takes a risk-based approach to fixing vulnerabilities where they are needed most and at the most critical times. Although we try to understand every customer and their use of our products, we understand that each customer also needs to go through their own risk analysis of our products. If you believe that the analysis above is missing information, or there is a significant difference in your evaluation of risk, please contact Digi International Technical Support by email at firstname.lastname@example.org.