Digi International Security Notice

April 14th,2014
(Updated 4/18/2014)

CVE-2014-0160/ OpenSSL “Heartbleed”

Overview

On April 7th, a critical security vulnerability (CVE-2014-0160), nicknamed “Heartbleed,” was discovered in the OpenSSL cryptographic software library. The purpose of this notice is to inform you of the vulnerability and the steps necessary to remediate this issue. If exploited, this vulnerability could allow attackers to monitor all information passed between a user and a web service or decrypt past traffic they’ve collected. More details can be found here: http://heartbleed.com.

Affected Products

The security team at Digi has evaluated the exposure of the vulnerability and determined that a small number of our products are affected by this vulnerability:

• ConnectPort LTS
• ConnectPort X2e
• Digi Embedded Linux
• Wireless Vehicle Bus Adapter (WVA)

In order to mitigate this vulnerability, Digi recommends immediately updating products to the upcoming firmware versions (available Monday,April 21, 2014). For remote devices, Digi recommends the Digi Device Cloud to update firmware and manage devices without costly truck rolls. If you are currently not a Device Cloud customer, you can sign up for 30 days of free access at https://devicecloud.digi.com.

Not Affected Products

The following Digi products and services are not affected by this vulnerability:

• Digi Cloud Connector
• Connect WAN, WAN 3G
• ConnectPort X2, X4, X4H, X5
• ConnectPort WAN
• Digi Device Cloud
• Digi CM
• Digi International hosted web sites
• Digi Passport
• NET+OS
• PortServer TS
• Rabbit
• AnywhereUSB all models (Updated 4/18/2014)
• The Social Machine
• TransPort WR11, WR21, WR41, WR44
• www.digi.com Website

Note: If you have any questions on any Digi products and services that are not listed, please contact us at +1 (952) 912-3456, or via the web site at www.digi.com/support.

Detailed Information on Affected products
 

Background

The vulnerability, known officially as CVE-2014-0160, and nicknamed “Heartbleed”, has impacted many different applications and service providers on the Internet. It can also impact any system that uses the security layer known as Secure Sockets Layer, or “SSL” for short. Digi maintains a security team that reviews all of our operations and products for any security vulnerability. Security is a top priority and something we take very seriously.

Analysis

We have used various commercial scanners, as well as manual methods to conduct these tests and determine our results. Below is our analysis of the threat, the risk of what may be exposed, and how we recommend our customers mitigate the threat.

Functions impacted:

• Device-internal web server for device management functions. (HTTPS Only)
• Python libraries
• Command line OpenSSL functions

Functions NOT impacted:

• The device client connection to the Digi Device Cloud
• RealPort Services (EDP Stream)
• HTTP internal web server device management functions.
• SSH Communications

Risk

The areas of risk of the Heartbleed vulnerability are:

• Ability to steal the private SSL key for the devices internal web server. A fake device could be setup impersonating the real device.
• Ability to capture any SSL traffic between users using the web front end. This would expose any data sent to the device.
• Ability to capture the user ID and password used to login to the device.
• Any customer custom services running on the device using Python or Bash scripting could be have further exposure including unauthorized device access, and unauthorized data access.

We believe that the current risk associated with Heartbleed and the device would be classified as LOW RISK for many of our customers. However, risk needs to be determined by the end customer and how they have chosen to deploy the device within their environment. We make this determination based on the following criteria:

• Most customers have deployed the devices within a network that is not reachable from the Internet. This significantly reduces the number of attacks against the Internal Web service.
• The HTTPS service on the device is by default installed with a self-signed CA certificate. This certificate in its default mode is not protecting the integrity of the device, and would not be considered a viable target for theft.
• Many devices have only a few users for authentication, and if someone were to attack the device, chances are that the user information may not be in memory, as it is rare that a device has many active users using the web interface at the same time. We believe that this does not present a significant viable target for theft.
• To take advantage of the vulnerability, typically the OpenSSL libraries need to be used in a “server” function. Most of the functions on a device use the OpenSSL library as a “Client” side library. It is possible to exploit this from the client side, but this would require a Man in the Middle (MitM) attack.

Suggested Steps to Protect Your Devices
 

To fix or mitigate devices affected by this vulnerability, we suggest the following steps.

Fixing Devices 
 

All of the following functions listed below are available via Digi Device Cloud.  Device Cloud is a management platform providing the capability to perform device management functions to your installed base of devices regardless of their location.  How-to guides will be available at www.digi.com/heartbleed.

Update Firmware. The recommended fix for Heartbleed for our devices is to update to a fixed Firmware version. Digi is releasing new firmware versions for all of the affected devices. Check this notice for firmware release versions and dates. You can also visitwww.digi.com/support for more information specific to your device. We would also recommend subscribing to the RSS feed on the support site for your product to get immediate notice of any new firmware or document releases specific to your product.

Change Certificates. If the device has the https service enabled, and you have deployed your own private key and certificates to the web interface, we recommend that you change the certificate. (Make sure that you have updated to an unaffected Firmware Version first)

Change Passwords. Change all password associated with the device. This includes device user passwords. If using TACACS or RADIUS, make sure that you change the user passwords as well as the shared secret. If your device has any VPN tunnels configured, please change these passwords and/or tokens as well.

Mitigation Steps
 

If a firmware update is not available, we recommend the following steps to mitigate against the vulnerability. Disclaimer: Because of the many different customer configurations, this list cannot be guaranteed to mitigate fully against this threat. It is up to the customer to validate that all of these steps will mitigate against the Heartbleed vulnerability.

All of the following functions listed below are available via Digi Device Cloud.  Digi Device Cloud is a management platform providing the capability to perform device management functions to your installed base of devices regardless of their location.  How-to guides will be available at www.digi.com/heartbleed.

Disable the Web Service. Disabling the HTTPS service and still maintaining manageability on the device can be accomplished in a number of ways. You can either manage the device through a command line service like SSH, or use a Device Cloud account to centrally manage all of your devices. Further, if your https service is enabled, and on a public IP on the Internet. You need to restrict or disable the https web interface to specific IPs.

Change Passwords. Change all password associated with the device. This includes device user passwords. If using TACACS or RADIUS, make sure that you change the user passwords as well as the shared secret. If your device has any VPN tunnels configured, please change these passwords and/or tokens as well.

Check Services. If you have implemented any https services within Python, please evaluate your code and make sure that it is not impacted. If you have shell scripting that uses the OpenSSL commands, please make sure that you have mitigated the Heartbeat TLS extension.

Resources for Heartbleed

If you are interested in learning more about the disclosure, please feel free to visit the web pages below:

• Codenomicon’s original disclosure with FAQ
• NIST’s National Vulnerability Database
• Heartbleedinformation
• Heartbleed Testing Website

If you have any other questions regarding this vulnerability and the Digi Device Cloud product, feel free to contact us at cloud.security@digi.com.