SECURITY VULNERABILITY CVE-2016-5696: OFF-PATH ATTACK

A new vulnerability has arisen that has attracted significant attention. As always, Digi tracks all vulnerabilities that emerge and reviews these security issues regarding their impact on Digi products. In our analyses, we assess how customers use our products and the legitimate risk that the vulnerability presents.
The security issue is a vulnerability called “CVE-2016-5696,” an off-path vulnerability. This vulnerability stems from a recent TCP specification change for Global Rate Limit (RFC-5961) that could enable an attacker to infer the TCP sequence numbers used from both sides of the connection. With this information, an attacker could inject data into a TCP session. Since this is design flaw, chances are, many up-to-date implementations of TCP will have this issue. As a result, many Digi devices may be vulnerable. We are aware of some DEL and YOCTO versions of our products that are vulnerable and patches are in the works for those systems.
 
What's the Real Risk?
Fortunately, this particular type of attack doesn't really have a threat behind it. A Digi customer that follows standard practices for secure designs should not encounter significant risks. One reason is that Digi assumes that, for every TCP connection made to a device, someone is listening. This attack takes it to the next level, which means someone could either take over the communication or inject data. If we assume good practices are followed, the data within this stream is TLS or encrypted. Even if a hacker could inject into this stream, TLS protects the integrity of the stream and the attack fails. Of course, if the connection is through FTP or TELNET, which are insecure, then the attack could be problematic. However, if you are running on insecure protocols, there are other issues that must be addressed, and we’d strongly recommend reconfiguration before taking any remediation steps.
The other potential risk is through a denial of service (DoS) attack, which are the easiest to generate and the hardest to defend. Although this vulnerability may persist, it is likely a minimal risk, because confidentiality and integrity are still intact with the device.
 
Response
Digi recommends that all vulnerable Digi devices be patched against this vulnerability due to the DoS risk. However, this patching will be completed within our standard update cycles. If you have a special situation that requires further attention, please contact security@digi.com with your details.