Software Engineering Institute

Updated:  May 09, 2017

Statement Date:   May 08, 2017

Status

Affected

Vendor Statement

Digi has posted the following advisory here:

Overview:
Many Digi products contain and use the RomPager by Allegrosoft web server technology. It has come to our attention that this embedded web server, which is used for management of our devices contains what we have defined as a critical vulnerability. We urge any customer who may have one of these products where the administrative webserver is available on non-secure networks to either upgrade the firmware to a patched version or to disable the web server for management of these devices.

Affected Products:
ConnectPort TS, Connect ES, Connect SP, Connect N2S, AnywhereUSB, ConnectPort X4, ConnectPort X2, Connect ME, Connect EM, Connect WAN 3G, Connect WAN 3G IA, Net+OS

History:
The initial vulnerability was identified a few years ago (Sept 2014), and was evaluated by Digi in consultation with AllegroSoft based the then current understanding of the potential vulnerability, it was concluded that only specific RomPager versions (4.07 to 4.37) were vulnerable to these attacks and that Digi’s implementation in particular did not rely on those versions or features that were potentially impacted.
The current version of RomPager that Digi uses is version 4.01. In re-evaluation of this vulnerability, which includes a working exploit, we can conclude that the earlier information that was provided to us was in error. This vulnerability does indeed exist within the product, and both CVE’s are present in RomPager version 4.01. The CVE-2014-9222 vulnerability can be used to remotely reset admin passwords to gain full access to the devices. For the CVE-2014-9223 vulnerability, this currently can only lead to a denial of service, and a reboot of the device.

CVE-2014-9222 and CVE-2014-9223:
These vulnerabilities are known as the misfortune cookie (CVE-2014-9222/9223) vulnerabilities. The vulnerability exists in the cookie processing and authentication digest code, which is included in version 4.01 of our RomPager embedded web server. In our re-evaluation of this, we have deemed this a critical vulnerability for which we have created an immediate patch for affected products that is available online at www.digi.com/support. . We recommend that current customers download and evaluate the latest firmware for your Digi devices that you have deployed. As always, evaluation of risk is up to our end customers based on their deployment environment and change management criteria.

Evaluation of risk:
Below are the reasons why we believe this to be a critical vulnerability:
The vulnerability does NOT need any user credentials.
The vulnerability, with a bit of review, is easy to trigger, and has a high degree of success.
All confidentiality and integrity of the device, and devices that are directly connected to are lost.
External exploits are known to exist in the wild, although these exploits only reboot a device at this time.

Mitigation:
To mitigate the issue, it is advised to disable the web server on the device. Other device management methods are not impacted (i.e. SSH, and/or Digi Remote Manager).
Other mitigating factors:
Many of the devices may are deployed within a limited access private network. If this is the case, then the customer should conduct their own risk assessment, as having the device isolated may help reduce the risk of this vulnerability. However, if this device is connected directly to the Internet, we highly suggest disabling the web server immediately, at least on any public interfaces.

Research References:
http://mis.fortunecook.ie/
https://www.allegrosoft.com/allegro-software-urges-manufacturers-to-maintain-firmware-for-highest-level-of-embedded-device-security/news-press.html

Summary:
With security being a critical part many products in the Internet of Things, we are committed to making sure that our products are safe, and usable within critical infrastructure and other business uses. With vulnerabilities and risks around every corner, we try to take a risk based approach to fixing vulnerabilities where they are needed most, and at the most critical times. Although we try to understand every customer and use of our products, we understand that each customer has to go through their own risk analysis as well with our products. If you believe that the analysis above is missing information, or there is a significant difference in your evaluation of risk, please do not hesitate to contact our Security Office by emailing security@digi.com.

Firmware Downloads For Affected Products:
Firmware for the affected products can be found at the below link, after selecting the desired product from the list:

https://www.digi.com/support/supporttype?type=firmware

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• http://knowledge.digi.com/articles/Knowledge_Base_Article/RomPager-Evaluation-of-Security-Vulnerability-VU-561444-Expanded-info-on-CVE-2014-9222-CVE-2014-9223/ ftp://ftp1.digi.com/support/firmware/pcn.xbp8681x61.20110222.pdf
• https://www.digi.com/resources/security