Allegro Software Development Corporation Not Affected

Notified:  December 19, 2014 Updated: December 19, 2014

Status

Not Affected

Vendor Statement

"An example is the case of the CVE-2014-9222 and CVE-2014-9223 vulnerabilities (also known as Misfortune Cookie). These vulnerabilities were discovered in the RomPager embedded web server version 4.07, which was released in 2002. Allegro had previously identified, fixed, and released updated software components that addressed these vulnerabilities. RomPager version 4.34, which resolved these vulnerabilities, was provided to Allegro Software customers in 2005. Allegro has continued to provide updates and enhancements to the RomPager software, and the latest available version is 5.40."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Digi International Affected

Updated:  May 09, 2017

Statement Date:   May 08, 2017

Status

Affected

Vendor Statement

Digi has posted the following advisory here:

Overview: Many Digi products contain and use the RomPager by Allegrosoft web server technology. It has come to our attention that this embedded web server, which is used for management of our devices, contains what we have defined as a critical vulnerability. We urge any customer who may have one of these products where the administrative web server is available on non-secure networks to either upgrade the firmware to a patched version or to disable the web server for management of these devices.

Affected Products: ConnectPort TS, Connect ES, Connect SP, Connect N2S, AnywhereUSB, ConnectPort X4, ConnectPort X2, Connect ME, Connect EM, Connect WAN 3G, Connect WAN 3G IA, Net+OS

History: The initial vulnerability was identified a few years ago (Sept 2014) and was evaluated by Digi in consultation with AllegroSoft. Based on the then-current understanding of the potential vulnerability, it was concluded that only specific RomPager versions (4.07 to 4.37) were vulnerable to these attacks and that Digi's implementation in particular did not rely on those versions or features that were potentially impacted. The current version of RomPager that Digi uses is version 4.01. In re-evaluation of this vulnerability, which includes a working exploit, we can conclude that the earlier information that was provided to us was in error. This vulnerability does indeed exist within the product, and both CVEs are present in RomPager version 4.01. The CVE-2014-9222 vulnerability can be used to remotely reset admin passwords to gain full access to the devices. The CVE-2014-9223 vulnerability currently can only lead to a denial of service and a reboot of the device.

CVE-2014-9222 and CVE-2014-9223: These vulnerabilities are known as the Misfortune Cookie (CVE-2014-9222/9223) vulnerabilities. The vulnerability exists in the cookie processing and authentication digest code, which is included in version 4.01 of our RomPager embedded web server. In our re-evaluation of this, we have deemed this a critical vulnerability, for which we have created an immediate patch for affected products that is available online at www.digi.com/support. We recommend that current customers download and evaluate the latest firmware for the Digi devices that you have deployed. As always, evaluation of risk is up to our end customers based on their deployment environment and change management criteria.

Evaluation of risk: Below are the reasons why we believe this to be a critical vulnerability:
- The vulnerability does NOT need any user credentials.
- The vulnerability, with a bit of review, is easy to trigger and has a high degree of success.
- All confidentiality and integrity of the device, and of devices that are directly connected to it, are lost.
- External exploits are known to exist in the wild, although these exploits only reboot a device at this time.

Mitigation: To mitigate the issue, it is advised to disable the web server on the device. Other device management methods are not impacted (i.e. SSH and/or Digi Remote Manager).

Other mitigating factors: Many of the devices may be deployed within a limited-access private network. If this is the case, then the customer should conduct their own risk assessment, as having the device isolated may help reduce the risk of this vulnerability. However, if this device is connected directly to the Internet, we highly suggest disabling the web server immediately, at least on any public interfaces.

Research References: http://mis.fortunecook.ie/ https://www.allegrosoft.com/allegro-software-urges-manufacturers-to-maintain-firmware-for-highest-level-of-embedded-device-security/news-press.html

Summary: With security being a critical part of many products in the Internet of Things, we are committed to making sure that our products are safe and usable within critical infrastructure and other business uses. With vulnerabilities and risks around every corner, we try to take a risk-based approach to fixing vulnerabilities where they are needed most, and at the most critical times. Although we try to understand every customer and use of our products, we understand that each customer has to go through their own risk analysis as well with our products. If you believe that the analysis above is missing information, or there is a significant difference in your evaluation of risk, please do not hesitate to contact our Security Office by emailing security@digi.com.

Firmware Downloads For Affected Products: Firmware for the affected products can be found at the below link, after selecting the desired product from the list: https://www.digi.com/support/supporttype?type=firmware

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References
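The two vendor statements above disagree on which RomPager builds are exposed: Allegro states that 4.34 (2005) resolved CVE-2014-9222/9223, while Digi reports that its 4.01 build is affected even though earlier guidance covered only 4.07 to 4.37. The following triage helper is an added example, not code from CERT, Allegro or Digi. It assumes that a device announces its RomPager build in the HTTP Server header as "RomPager/<major>.<minor>" (RomPager builds commonly do, but that is an assumption here, not something the statements say), and that the sample headers below are constructed rather than captured from real devices. The version threshold is the only input; Digi's advisory shows a vendor can ship a fix without changing the RomPager version, so an "affected-version" result means "confirm against the vendor's firmware advisory", not "exploitable".

```python
"""Triage HTTP Server headers for RomPager builds that predate the fix.

Added example; not code from CERT, Allegro or Digi. Thresholds come from
the vendor statements: Allegro says RomPager 4.34 resolved the issue and
Digi found 4.01 affected, so there is no safe lower bound below 4.34.
Assumption: the device reports "RomPager/<major>.<minor>" in its Server
header. Sample headers are constructed, not captured from real devices.
"""
import re
from typing import Dict, Iterable, Optional, Tuple

# First Allegro release that, per Allegro's statement, resolved the issue.
FIXED_IN: Tuple[int, int] = (4, 34)

# RomPager uses a two-digit minor version (4.01, 4.07, 4.34, 5.40), so a
# numeric (major, minor) tuple compares correctly.
_ROMPAGER_RE = re.compile(r"\bRomPager/(\d+)\.(\d+)", re.IGNORECASE)


def parse_rompager_version(server_header: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from a Server header, or None if not RomPager."""
    match = _ROMPAGER_RE.search(server_header)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def classify(server_header: str, fixed_in: Tuple[int, int] = FIXED_IN) -> str:
    """Map one Server header to a triage bucket.

    Digi's statement quotes an earlier upper bound of 4.37; an operator who
    wants to honour that range can pass fixed_in=(4, 38) instead.
    """
    version = parse_rompager_version(server_header)
    if version is None:
        return "not-rompager"
    if version < fixed_in:
        return "affected-version"   # covers 4.01 (Digi) and 4.07 (Allegro)
    return "fixed-version"          # still confirm the vendor's firmware


def triage(responses: Iterable[Tuple[str, str]],
           fixed_in: Tuple[int, int] = FIXED_IN) -> Dict[str, str]:
    """Classify a batch of (host, server_header) pairs."""
    return {host: classify(header, fixed_in) for host, header in responses}


# Constructed sample data (documentation addresses, invented headers).
SAMPLE_RESPONSES = [
    ("192.0.2.10", "RomPager/4.07 UPnP/1.0"),
    ("192.0.2.11", "RomPager/4.01"),
    ("192.0.2.12", "RomPager/4.34"),
    ("192.0.2.13", "RomPager/5.40"),
    ("192.0.2.14", "nginx/1.18.0"),
]

if __name__ == "__main__":
    for host, bucket in triage(SAMPLE_RESPONSES).items():
        print(f"{host:12} {bucket}")
```

Run against a list of hosts and their Server headers; anything in the "affected-version" bucket gets the Digi mitigation (disable the web server, at least on public interfaces) until the vendor's patched firmware is confirmed installed, and anything in "fixed-version" still gets checked against the vendor advisory rather than trusted on the version string alone.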

D-Link Systems, Inc. Unknown

Updated:  December 19, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Huawei Technologies Unknown

Updated:  December 19, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Linksys Unknown

Updated:  December 19, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetComm Wireless Limited Unknown

Updated:  December 19, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Peplink Not Affected

Updated:  January 08, 2015

Statement Date:   January 08, 2015

Status

Not Affected

Vendor Statement

Peplink has verified and confirmed that all of our products do not contain/use the "RomPager" web server component and therefore we are NOT affected by this vulnerability. There is no customer action required. Thank you for your attention. The Peplink Team Issued on: Dec 23, 2014

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

TP-LINK Unknown

Notified:  December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

ZTE Corporation Unknown

Updated:  December 19, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL Unknown

Updated:  December 19, 2014

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.