Digi recommends that all customers update their firmware to version 5.2.19.11 or higher to protect against the three high severity vulnerabilities described below. Two of these vulnerabilities, in the FTP server and the command line, are individually classified as medium because they apply only to authenticated users. The last vulnerability, in SNMP, we have classified as high. Digi urges any customer who may have one of the affected products either to upgrade the firmware to a patched version or to disable SNMP and FTP for management of the device. See the Mitigation section below for details if immediate patching is not an option.
History:
These security vulnerabilities were discovered by Danila Parnishchev (Kaspersky Lab) and were confirmed by the Digi International Security team. In reviewing these vulnerabilities, we found that current exploits impact only the Availability* of the product. In our testing, when the vulnerabilities were triggered, the device rebooted as expected and was back online within a few seconds. We rated these vulnerabilities from low to high. One specific vulnerability may allow remote code execution; we have rated that vulnerability as high because of the potential risk. We believe this would be an unlikely event, given the limited exposure of the service and the difficulty of properly building an exploit on a proprietary operating system.
Affected Products:
TransPort Series Routers WR11, WR21, WR31, WR41, WR44
CVE-2074-XXXX (SNMP Denial of Service and Buffer Overflow) - Overall Digi Rating: High
CVSS v2 Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) - Overall CVSS 7.6
The vulnerability exists in the SNMP processing code. If specific values are sent within certain variables, it is possible to produce a buffer overrun within the Digi TransPort product. This overrun initially leads to a device reboot, so currently this attack is only a denial of service (DoS) attack. We believe that a remote code execution attack could possibly be designed, but there is no known attack in existence at this time. We also believe that designing such an attack would be significantly more difficult because Digi TransPort products run a proprietary embedded OS: achieving anything beyond a system crash or the changing of simple variables would require a much higher level of effort than on publicly available embedded operating systems.
CVE-2074-XXXX (FTP Denial of Service) - Overall Digi Rating: Medium to Low
CVSS v2 Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:C) - Overall CVSS 6.8
This vulnerability exists in the FTP processing code. If incorrect FTP protocol information is given, the Digi TransPort products improperly process certain commands, which leads to a reboot. This attack is only a denial of service attack. To trigger it, an FTP server must be turned on, and the attacker must either have credentials to log in to the service or anonymous FTP access must be turned on.
CVE-2074-XXXX (Command-line Denial of Service) - Overall Digi Rating: Low
CVSS v2 Vector: (AV:L/AC:L/Au:S/C:N/I:N/A:C) - Overall CVSS 4.6
The vulnerability exists in the command line processing code. To conduct this attack, a validated user with FULL administrative access needs to reach the command line admin interface. From that interface, if specific values are given as options to a specific command, it is possible to produce a buffer overrun within Digi TransPort products. This overrun initially leads to a device reboot, so currently this attack is only considered a denial of service attack. We believe that a remote code execution attack could possibly be designed, but there is no known attack in existence at this time. We also believe that designing such an attack would be significantly more difficult because Digi TransPort products run a proprietary embedded OS: achieving anything beyond a system crash or the changing of simple variables would require a much higher level of effort than on publicly available embedded operating systems.
Overall Summary of Vulnerabilities:
In the Digi evaluation of these vulnerabilities, we have deemed them high severity, and we have made an immediate patch available via the normal support methods and on the Digi International web site. We recommend that current customers download and evaluate the latest firmware for the Digi devices they have deployed. As always, it is up to our end-use customers to evaluate risk and make appropriate decisions, as Digi does not recommend rolling out new firmware versions without full acceptance testing.
Evaluation of Risk:
Below are the reasons why Digi believes this to be a high vulnerability:
- The vulnerability does NOT need any user credentials.
- The vulnerability, with a bit of review, is easy to trigger and has a high degree of success.
- Currently, only Availability* of the device is impacted.
- Given a determined “bad actor,” it is possible that confidentiality and integrity of the device, and devices that are directly connected to it, can be lost.
- No known public external exploit is available.
- Digi believes that most customers do not make the impacted services available to the public Internet. Impacted services should be used on a private network side. This will have the effect of reducing the number of bad actors that could try to exploit these vulnerabilities. With cellular devices, the use of a public APN can also be considered the same as exposing services to the public Internet.
Mitigation:
If it is not possible to patch, Digi suggests the mitigation steps below:
FTP Server
- It is advised to disable the FTP server on the Digi TransPort device. Other forms of management are considered safe (SSH or Digi Remote Manager).
- If the FTP service is being used internally for management, then we suggest implementing the firewall feature on the Digi TransPort router to ONLY allow FTP traffic from the specific clients that you need to manage the device.
- If you are using the device as a general purpose FTP server, Digi suggests that you look for alternatives for this service. The intent of the built-in FTP server is not to function as a generic service, but as more of a method of management. In today’s common security model, FTP services are considered to be inherently insecure.
SNMP Server
- If possible, it is advised to disable the SNMP service on the Digi TransPort product if it is not being used. For Digi’s recommended settings, we suggest disabling all services that are not needed, as standard secure deployment guidelines. These standard guidelines are located at https://www.digi.com/security.
- If it is not possible to disable SNMP services because they are used to manage devices in the field, we suggest that the firewall feature be used to create firewall rules that only allow traffic from the SNMP management servers. This significantly reduces the number of "bad actors" that can reach this service.
Other Mitigating Factors:
Many devices may only exist within a secure separate network. If this is the case, Digi advises you to conduct your own risk assessment, as having the device isolated may help reduce the risk of this vulnerability. However, if this device is connected directly to the Internet, we highly suggest disabling the FTP and SNMP services immediately, at least on any public facing interfaces.
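The mitigation guidance above reduces to a few checks per device: firmware at 5.2.19.11 or higher, otherwise FTP and SNMP disabled or firewalled to known management hosts, and neither service left on a public-facing interface. The following is an added example, not Digi's code, that applies those checks to a constructed inventory of TransPort routers; the Device fields and the assumption that firmware versions are purely dotted integers are mine:

```python
# Added example: triage a constructed TransPort inventory against the advisory.
from dataclasses import dataclass, field
from typing import List, Tuple

AFFECTED_MODELS = {"WR11", "WR21", "WR31", "WR41", "WR44"}   # from the advisory
FIXED_FIRMWARE = (5, 2, 19, 11)                             # patched version


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    ftp_enabled: bool
    snmp_enabled: bool
    internet_facing: bool
    # Hosts the router firewall allows to each service; empty means any source.
    ftp_allowed_from: List[str] = field(default_factory=list)
    snmp_allowed_from: List[str] = field(default_factory=list)


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.2.19.11' -> (5, 2, 19, 11); assumes dotted integers only."""
    return tuple(int(p) for p in text.strip().split("."))


def is_patched(firmware: str) -> bool:
    return parse_version(firmware) >= FIXED_FIRMWARE


def triage(dev: Device) -> List[str]:
    """Return the advisory's actions still outstanding for one device."""
    findings = []
    if dev.model not in AFFECTED_MODELS or is_patched(dev.firmware):
        return findings                       # not affected, or already fixed
    findings.append("firmware %s is below 5.2.19.11: upgrade" % dev.firmware)
    if dev.snmp_enabled and not dev.snmp_allowed_from:
        findings.append("SNMP open to any source: disable or firewall to management servers")
    if dev.ftp_enabled and not dev.ftp_allowed_from:
        findings.append("FTP open to any source: disable or firewall to management clients")
    if dev.internet_facing and (dev.ftp_enabled or dev.snmp_enabled):
        findings.append("Internet-facing with FTP/SNMP enabled: disable on public interfaces now")
    return findings


def report(devices: List[Device]) -> dict:
    """Map device name -> findings, omitting devices with nothing to do."""
    return {d.name: triage(d) for d in devices if triage(d)}
```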
References:
CIA Triad of Security - http://www.techrepublic.com/blog/it-security/the-cia-triad
United States Computer Emergency Readiness Team (US-CERT) - https://www.us-cert.gov
Summary:
With security being a critical part of many products in the Internet of Things, Digi is committed to making sure that our products are safe and usable within critical infrastructures and other business uses. With vulnerabilities and risks part of our daily routine, Digi takes a risk-based approach to fixing vulnerabilities where they are needed most, and at the most critical times. Although we try to understand every customer and the use of our products, we understand that each customer needs to go through their own risk analysis, as well, with our products. If you believe that the analysis above is missing information, or there is a significant difference in your evaluation of risk, please contact Digi International Technical Support by email at tech.support@digi.com.
Last updated:
Nov 30, 2017