Welcome to Digi’s Security Center, where we will strive to make this your one stop location for all the security news, information and resources related to our products and services.
Aug 25, 2023
The attached document includes vulnerability findings from a report that Dragos submitted. These are CVEs that Dragos reported to us, Digi International. Included is a table of Digi International products that were reported as vulnerable by Dragos.
Jul 20, 2023
Ripple20 Public Disclosure
Digi International has recently become aware that CVE-2020-11901 is still impacting our NDS and NET+OS product lines, which were part of Ripple20 vulnerabilities. Digi has found that it is appropriate to patch the vulnerability. Please see our knowledge-based article for the patch releases related to this vulnerability.
Our development team has already developed a patch for this vulnerability and we strongly recommend that you apply the update as soon as possible to ensure the security of your device.
We take the security of our products very seriously and apologize for any inconvenience this may cause. If you have any questions or concerns, please do not hesitate to contact our support team.
Dec 05, 2022
Following up with Digi's previous announcement of WiFi Frag Attack.
Here is the link to our knowledge-based article that goes into detail on WiFi Frag Attack
Nov 09, 2022
Frag Attack Security Information
Security Update for OpenSSL Critical CVE’s: CVE-2022-3786 and CVE-2022-3602
Digi International is looking into the new Critical OpenSSL vulnerabilities, CVE-2022-3786, and CVE-2022-3602.
Currently, the EX50 and TX64 devices are vulnerable to CVE-2022-3786 and CVE-2022-3602. All other Digi Accelerated Linux (DAL) products are not affected. The EX50 and TX64 firmware will be updated to mitigate these vulnerabilities within the next patch release.
Digi Embedded Yocto version 4.0-r1 is currently vulnerable to CVE-2022-3786 and CVE-2022-3602 and will be updated to mitigate those vulnerabilities within the next patch release. All other versions of DEY are not affected.
Other OpenSSL libraries are also being looked at as well. The libraries found not up to date will also receive patches.
Any further questions…… we will address to further alleviate those concerns
Jul 08, 2022
The Digi Security Vulnerability submission process has changed
You can submit vulnerabilities in the top right-hand corner by filling out Bugcrowd’s form. We encourage the researchers or customers to provide an email to better directly communicate with you. Please re-submit any vulnerability that in the last 90 days was sent to firstname.lastname@example.org and we did not respond to you. We appreciate your continued service to make Digi International Inc. products stay secure.
Apr 19, 2022
CVE-2022-22963 and CVE-2022-22965 Do Not Impact Digi Branded Products
After further due diligence Digi branded products are not vulnerable to either CVE-2022-22963 nor CVE-2022-22965 (Spring4Shell).
Apr 08, 2022
Digi Passport Firmware Update
A security fix for improving how requests are handled in the web interface has been published and is ready for download at the following link: https://hub.digi.com/support/products/infrastructure-management/digi-passport/?path=/support/asset/-digi-passport-1.5.2-firmware/
Mar 31, 2022
Spring4Shell Vulnerability (CVE-2022-22963)
Digi is currently investigating the impact throughout our product lines. Updates will be posted here.
Mar 29, 2022
OpenSSL infinite loop in BN_mod_sqrt() (CVE-2022-0778)
Digi is currently investigating the impact throughout our product lines. Updates will be posted here.
Dec 23, 2021
We have identified that the following four of our products have vulnerable versions related to log4j vulnerabilities CVE-2021-44228, and CVE-2021-45046
Note that these products are not vulnerable to the latest log4j vulnerability cited on CVE-2021-45105, and the latest installers below bring log4j up to 2.16. We have provided the direct links that patch the mentioned CVE's next to each product below.
Smart IOmux: Smart IOmux
Digi XCTU: XCTU
Digi XBee Multi Programmer: XBee Multi Programmer
Digi XBee Network Assistant: Digi XBee Network Assistant
We believe these vulnerabilities did not impose direct exploitation in our products because they are desktop applications run by individual users, and they are not accessible through the Internet or used through web services. The four products above are all of the affected products that we know of at this time. In the event we discover any further issues, we will update this page. For more information related to unaffected products, please review the post below dated December 14, 2021.
Dec 14, 2021
After a detailed investigation, Digi has determined Apache Log4j CVE-2021-44228 does not impact many of our products/product families. The unaffected products are listed below.
If you do not find a product, please note that we are continuing internal testing and will update the list below as soon as the results are known.
Devices not impacted by Apache Log4j CVE-2021:
- CTEK G6200 family
- CTEK SkyCloud
- CTEK Z45 family
- Digi 54xx family
- Digi 63xx family
- Digi AnywhereUSB (G2) family
- Digi AnywhereUSB Plus family
- Digi Connect family
- Digi Connect EZ family
- Digi Connect IT family
- Digi ConnectPort family
- Digi ConnectPort LTS family
- Digi Connect Sensor family
- Digi Connect WS family
- Digi Embedded Android
- Digi Embedded Yocto
- Digi EX routers
- Digi IX routers
- Digi LR54
- Digi One family
- Digi Passport family
- Digi PortServer TS family
- Digi Rabbit Embedded Family
- Digi TX routers
- Digi WR11
- Digi WR21
- Digi WR31
- Digi WR44R/RR
- Digi WR54
- Digi WR64
Dec 13, 2021
- AnywhereUSB Manager
- Digi Navigator
- Digi Remote Manager
- Digi Xbee mobile app
- Dynamic C
- Remote Hub Config Utility
Apache Log4j CVE-2021-44228 vulnerability
Digi is currently investigating the impact throughout our product line. We currently have not discovered any impact at this time. We will continue to work diligently, and update as soon as we come to a conclusion across the organization.
Jun 14, 2021
FragAttacks - WiFi Fregmentation and Aggregation Attacks
At this time, Digi is still reviewing these attacks and how they impact our devices. From the nature of the attacks, we do expect that Digi devices will be impacted.
However, it is critical to note that even with these attacks, it has always been DIgi's policy and suggestions that network communication should never rely on the protections and standards of the data layers (WiFi/BlueTooth). Many of these are implemented in HW and can be difficult to change. If good network practices are used, (TLS/Certificates etc), then these vulnerabilities do not lead to any real impact. These vulnerabilites can only become impactful IF other flaws or issues are present.
It is Digi's intent to address these issues so that we preserve our defense in depth strategy to security in our products. Due to the complexity of these issues, we believe we will be able to address these by Q4 of 2021 or sooner if possible.
Dec 09, 2020
AMNESIA:33 - VU#815128 - Multiple TCP/IP stacks used in Internet of Things (IoT have several vulnerabilities stemming from improper memory management.
Digi International has never manufactured any products that could be impacted by the AMNESIA:33 vulnerabilities. There is no action required by any of our customers.
Jun 16, 2020
RIPPLE20 - Multiple vulnerabilities in TRECK TCP/IP embedded software - VU#257161
A number of high level vulnerabilities (CVE's) that affect the TCP/IP internal stack processing have been identified. Digi has been working with customers since February to install firmware updates to address the issue. Under specific circumstances, it may be possible that these vulnerabilities could lead to a remote code execution via a network based attack without authentication.
CVSSv3.1 Score of 8.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Several Digi products have been identified as impacted, and we strongly recommend that you update your firmware immediately.
These products include:
For more information, read the Digi Knowledge base article.
Jun 02, 2020
- Digi Connect® ME, Digi Connect® EM, Digi Connect® WME, Digi Connect® SP, and Digi Connect® ES; Digi Connect® 9C, Digi Connect® 9P;
- Digi ConnectPort® TS, Digi ConnectPort® X2, Digi ConnectPort® X4;
- Digi AnywhereUSB® (First and Second Gen, NOT Plus);
- NetSilicon 7250, 9210, 9215, 9360, 9750;
- Any products using the NET+OS 7.X development environments.
Reflection attack WR11,WR21,WR31,WR41,WR44 series routers - VU#636397 - CVE-2020-10136
A high level vulnerability (CVSS => 7.0) was discovered on the Digi WR11,WR21,WR31,WR41, and WR44 cellular routers. The attack allows IP-in-IP encapsulation to be used to route arbitrary network traffic through a vulnerable device.
Please download firmware V188.8.131.52 (or greater) for a fix for this issue. Alternatively, enabling the firewall feature on the devices WAN interface (or cellular interface) port will also mitigate this attack.
For more information on this vulnerability, please see the knowledge base article within the Digi support section
Mar 16, 2020
Randomization of Secure Session SRP ephemeral values
A vulnerability was discovered on Digi XBee 3 Zigbee and Digi XBee 3 802.15.4 firmwares where the ephemeral values used for Secure Session SRP authentication are not randomized unless BLE is enabled. This feature is typically used to secure networks against unauthorized remote configuration.
For more information, go to: https://www.digi.com/support/knowledge-base/xbee-3-%E2%80%93-secure-session-srp-randomization
Mar 05, 2020
Zigbee transport keys sent 'in the clear'
A vulnerability was discovered on earlier generation XBee ZigBee modules (S2B, S2C, and S2D) where a router that was previously associated with the network can be allowed back onto the secured network using an invalid preconfigured link key. After which, this node could inadvertently pass the network key "in the clear" to devices attempting to join through it.
For more information, go to: https://www.digi.com/support/knowledge-base/xbee-zigbee-keys-can-be-sent-in-the-clear
Feb 11, 2020
Digi ConnectPort LTS vulnerabilities - 1 unrestricted upload, and 3 stored cross site scripting vulnerabilities - ICS Advisory (ICSA-20-042-13)
Vulnerability researchers Murat Aydemir, and Fatih Kayran discovered the above vulnerabilities within the ConnectPort LTS web interface of the Digi ConnectPort LTS firmware. The suggested fix for these issues include an update of firmware to the latest release for your product. For the full US-CERT guidance, please see: https://www.us-cert.gov/ics/advisories/icsa-20-042-13
For firmware updates, go to: https://www.digi.com/support/supporttype?type=firmware
Jun 25, 2019
"SACK" Vulnerability - (CVE-2019-11477, CVE-2019-11478, CVE-2019-5599 and CVE-2019-11479)
Digi Intl. is aware of four recent vulnerabilities known as the "SACK" vulnerabilites. We are currently reviewing impact and coordinating fixes within our known impacted products at this time. More information will be available next week on the timeline for fixes. It is critical to note that these vulnerabilities do NOT impact the confidentiality and Integrity of any Digi devices. All of these vulnerabilities are classified as "Denial of Service" issues. This means that it may be possible to kick a device off the network or reboot the device.
Feb 19, 2019
Digi LR54/WR64/WR54 CVE-2018-20162 Major Security Vulnerability – Restricted Shell escape
A vulnerability was discovered by Stig Palmquist in the above named routers. This vulnerability allows an individual with existing full-admin, command-line access, the ability to get a root shell on the device. This vulnerability is not remotely exploitable. We suggest customers upgrade to versions equal to or greater than 4.5.1. It is also noted that even with this vulnerability, many critical parts of the router are read-only, and installed code is protected by a secure boot process. More detail will be published in Digi’s Knowledge base on this issue.
Oct 24, 2018
libSSH Critical vulnerability : CVE-2018-10933
Digi is aware of a critical vulnerability in the libssh libraries. We have conducted an impact analysis to identify if any Digi products are affected. We believe at this time that NO Digi products are impacted by this vulnerability, as we do not use this library for features in our products. We will continue to monitor this situation, and will post more information if the status changes.
Jan 05, 2018
Spectre and Meltdown Vulnerabilities - (CVE-2017-5715, CVE-2017-5753, and CVE-2017-5754)
Digi is aware of the Spectre and Meltdown vulnerabilities that were recently released. These vulnerabilities impact the confidentiality of data running on Intel, AMD and ARM processors.
For Digi hardware products, we do not use Intel or AMD processors, and as a consequence the "Meltdown" vulnerability does not affect Digi hardware products.
For the Spectre vulnerability, Digi security teams are working to determine the practical impacts and patches on Digi hardware products that use ARM processors.
For Digi Remote Manager & Device Cloud, we are working with our providers to address Spectre and Meltdown.
Additional information will be provided as soon as it is available. For more information on these vulnerabilities, please see the website https://meltdownattack.com/
Please continue to check this space for updates, or subscribe to the RSS feed above.
Nov 29, 2017
Discovered vulnerabilities with TransPort WR Series cellular routers
Three vulnerabilities have been found by Kasperski Labs within the WR series transport routers. These vulnerabilities are rated from high to low. The impacted devices are the Digi TransPort WR11,WR21,WR41,WR44, and the WR31. This includes "R", and "RR" versions as well. Impacted vulnerable services are SNMP, FTP, and the command line interface. For more information on the discovered vulnerabilities, including patches, mitigations, and overall risk, please see the knowledge base article.
Oct 30, 2017
Digi is aware of the BlueBorne vulnerability related to the penetration of Bluetooth connections resulting in potentially unauthorized access to devices and/or data. BlueBorne affects ordinary computers, mobile phones, embedded devices, and other connected devices with Bluetooth connectivity. Please refer to https://www.armis.com/blueborne/ for detailed information about the vulnerability. For embedded products, we strongly recommend customers to review the available public information about the Blueborne vulnerability and apply mitigation approaches, including already available fixes in the community. We also intend to provide fixes/workaround for the related vulnerabilities as soon as possible. In the meantime, please contact us if you have any questions related to how this vulnerability may affect the Digi products/platforms you are using.
Oct 20, 2017
DNSmasq Network service (CVE-2017-14491)
We have evaluated the impact of this vulnerability on our devices, and have concluded that the Transport LR54 is the only Digi device effected. We have made available a patch for this vulnerability in firmware versions 184.108.40.206 and above. Please see the Digi support site for firmware releases for the LR54 product.
Oct 16, 2017
Digi is aware of a vulnerability within the defined Wi-Fi security protocol WPA2. This has been defined as the KRACK Attack. we have released new firmware for impacted products, For a full technical statement on affected products and workarounds, please see our knowledge base article.
Oct 01, 2017
Mirai Botnet Impact Investigations
At this time, we have reviewed this, and we are not aware of any of our devices that can be compromized by this Botnet. We are continuing to monitor this in case this changes in the future.
Mar 03, 2017
Practical exploits to SHA1 hashing has now been discovered
Although we have been migrating our products use of SHA1 for the last few years, we are re-evaluating our products for any remaining SHA1 hash use. We anticipate that future releases will remove the SHA1 hash use, and move to the stronger SHA3, or SHA2 routines respectively.
Nov 10, 2016
OpenSSL - New Security Release 1.1.0c
We are still reviewing the impact of this on our devices. we believe that this will not have any impact for Digi, as we use the OpenSSL long term support (LTS) version of Openssl v1.0.2 in our products, and not v1.1.0.
Oct 21, 2016
Dirty COW - (CVE-2016-5195)
We are in the process of fully testing our products against this vulnerability. Currently, we have found a few devices that are slightly impacted. However, due to the product type, there is no way to effectively exploit the devices with this vulnerability.
Aug 11, 2022
In regards to California SB-327 and CISA advisory 22-216-01 with respect to the Digi Connect Port X devices manufactured prior to 1-1-2020
Digi International recommends that using the Connect Port X devices manufactured before 1-1-2020 to change the default password for the root user to a custom value on the device.
Jun 24, 2022
Software validation hashes are now part of release notes
Visit the Digi support site and find your product
Sep 30, 2020
Digi International released software validation hashes
This document will provide file cryptographic hashes to validate that the software received is the software that Digi has officially provided. These Human validation methods are required for CIP-010-3 R1 Part 1.6 and for other good security practices prior to rolling out critical software or firmware for the enterprise.
Jul 19, 2019
Followup SACK vulnerability knowledge base article
For a more detailed list of Digi devices impacted by the SACK vulnerability, see the following KB article, https://www.digi.com/support/knowledge-base/sack_vulnerability
May 03, 2017
Evaluation of Security Vulnerability VU#561444
Expanded info on CVE-2014-9222, CVE-2014-9223
Many Digi products contain and use the RomPager by Allegrosoft web server technology. It has come to our attention that this embedded web server, which is used for management of our devices contains what we have defined as a critical vulnerability. We urge any customer who may have one of these products where the administrative webserver is available on non-secure networks to either upgrade the firmware to a patched version or to disable the web server for management of these devices.