Digi International Security NoticeCVE-2014-3566 October 28th, 2014
A security vulnerability nicknamed "POODLE" CVE-2014-3566, was announced on October 14th, 2014. We have had many inquiries about this vulnerability and the impact on our products. This vulnerability has been overall classified as a medium risk (CVSSv3 score of 4.3) by US-CERT. The purpose of this notice is to inform our end users of the vulnerability, which devices are impacted, what steps our end users can do to mitigate the risk, and to inform you of what Digi will be doing to fix this issue. In our testing of this vulnerability and our products, we found that there was not a single case in where a remote attacker could gain unauthorized access to end devices or services. Digi has rated the exploitability of this vulnerability as VERY LOW.
The security teams at Digi has evaluated the exposure of the vulnerability to Digi products and determined the overall risk to this vulnerability to our products is very low. We have found that many of our products are affected by this vulnerability. In all cases with this vulnerability, we found that no services or products are remotely exploitable. The following products are impacted:
Following best security practices, Digi will be fixing this vulnerability in all of our supported products. Digi recommends that all of its customers update their products to the new firmware versions when released. Please check the release notes for your specific product. For some of our products and services, this will be deployed in our next scheduled release.
- ConnectPort LTS
- Digi Passport
- Digi CM
- Connect WAN, WAN 3G, ES, SP/Wi-SP, N2S
- ConnectPort X2, X2e, X4, X4H, X5, WAN, TS
- PortServer TS
- Anywhere USB
- WiFi Vehicle Bus Adapter
- TransPort routers
- Rabbit Products
- Sarian Systems routers running SarOS
- Digi Embedded Linux Products
- Digi Device Cloud (Only the Web Frontend and REST/WebServices)
Products Not Affected
The following Digi products and services are not affected by this vulnerability:
Note: If you have any questions on any Digi products and services that are not listed, please contact us at +1 (952) 912-3456, or via the web site at www.digi.com/support.Detailed Information on Affected products
- Digi Cloud Connector
- www.digi.com Website
- Social Machine
- www.digi.com Main Website
Digi International maintains a security team that will continue to review new results as they are found from this threat, and test our solutions and products for any new and emerging security vulnerabilities. Security is a top priority and something we take very seriously.
In our analysis, we have found that many of our devices are impacted. That is to say, that the majority of our devices, have a web management front end, and that web front end supports the SSLv3 standards.In reviewing the mitigating strategies on how to fix our devices and services, there were two suggestions on how to fix this. The first suggestion was to disable SSLv3 services on web servers. The other way to resolve this was to fix the SSLv3 libraries themselves, which would require a re-compile for most implementations. Also, for this fix, a new extension called TLS_FALLBACK_SCSV would be added. Upon further review of other SSLv3 protocols, and other attacks such as BEAST, we decided to conduct a survey of the SSLv3 protocol use of our customers with our products and services. In conclusion, we found very little SSLV3 use from our customers. We were also aware that continued support of SSLv3 would probably put us right back into the same condition sooner or later. The decision to remove SSLv3 support from our products and services was chosen as the path that we wanted to support. This has the advantages of removing future issues, as well as mitigating BEAST like attacks as well.In reviewing our products and services, we have used various commercial scanners, as well as manual methods to conduct these tests and determine our results. For POODLE, we have classified the risk as very low to our devices, and low to our cloud services. We are taking the approach to immediately build new firmware versions to fix this vulnerability, and suggest to our customers that they update as soon as possible. In some cases, the fix can be more considerable work, and we have scheduled this fix to be in our next regular release of firmware. However, we have been able to get this fixed quite quickly for our core products.Below is our analysis of the threat, the risk of what may be exposed, and how we recommend our customers mitigate the threat.
• This vulnerability is essentially similar to CVE-2011-3389 (BEAST), relying on the same approach. The most recent CVE only changes the method slightly.• There has been no evidence to date that this attack is happening in the wild… in fact, because of the difficulty, there is no known public exploit code available at this time. Although this may eventually change, chances are that it may not because of the unreliability and difficulty of pulling the attack off.• To conduct this exploit, the attacker must be in the middle of the client and server communication, and alter the data flowing between these hosts. With many secure networks, this is a very difficult thing to do. Effectively, this attack is not a “remote” attack. If someone has already penetrated the network to this level, chances are, other more critical targets would be the target of attack. • To conduct this attack, a number of SSL sessions have to be intercepted and altered to “restore” the data. In the attack, this is describes as 256 SSLv3 requests per byte of restored data. To retrieve an entire session cookie of encrypted stat, this would take on the order of 50 thousand separate SSLv3 requests. With a small device, and very few sessions, this puts the risk much lower than say a web site hosting many users.
For every vulnerability, we review each one carefully to determine the impact to our devices and services. We try to make a recommendation to our customers on the anticipated impact of these vulnerabilities. However, since we do not know each specific configuration and data that our customers are using for our products and services, it is always suggested that the customer review their unique situation and understand what the risk could be to their environment.
- Ability to decrypt a device management session, possibly gaining configuration data, and even possibly the ability to get full access to manage the remote device.
- Possibility of data decryption with secure communications from a field device to an external vulnerable web server.
Functions NOT impacted:
Below is a list of functions that are not impacted. This is not a complete list, but is meant to call out functions that customers may be concerned with that we have determined that are not affected.
- The device client connection to the Digi Device Cloud
For specific risks to Digi International products, we have classified the risk of POODLE to our products as VERY LOW. Further, for our device cloud, we have rated that as a LOW risk. During our testing, we were not able to find any remote exploits that this vulnerability has created. Although US-CERT has rated this vulnerability as the highest (CVSS of 4.3), we believe the real threat with our devices is much lower.Risk of POODLE to our products and services are:
Risk needs to be determined by the end customer and how they have chosen to deploy the device within their environment. We make this determination based on the following criteria:
- Man in the Middle attacks to the management interface of a device could compromise the config data, and possibly the access to the device.
- Devices that have internal programs that communicate with customer owned vulnerable web sites could be attacked with a Man in the Middle, to gain access to that data stream.
- Device Cloud services could be attacked with a Man in the Middle attack to gain access to the Device Cloud accounts. This could allow full access to field devices to the attacker.
- Most customers have deployed the devices within a network that is not reachable from the Internet.
- The vulnerability is not remotely exploitable. For each case tested, full access to the device was needed to even see the vulnerability.
- A reliable practical attack has yet to be available. This puts the skill level for the attacker to be an expert in the field.
- For the Device Cloud, this was elevated, as there is more of an attack surface, and more opportunities for attack. (Special Note: We have already taken steps to mitigate this risk)
Suggested Steps to Protect Your Devices
To fix or mitigate devices affected by this vulnerability, we suggest the following steps.Fixing Devices
Update FirmwareThe recommended fix for our devices is to update to a fixed Firmware version. Digi is releasing new firmware versions for all of the affected devices. Check this notice for firmware release versions and dates. You can also visit www.digi.com/support for more information specific to your device. We would also recommend subscribing to the RSS feed on the support site for your product to get immediate notice of any new firmware or document releases specific to your product.
If a firmware update is not available, for most devices, we currently do not have any recommendation to mitigate this vulnerability.For Transport devices, it is possible for the end user to configure the HTTPS web services to support TLSv1 only. This is done under the Configuration – network > SSL -> SSL Server -> SSL Version.For Rabbit devices, it is possible for the end user to disable SSLv3. Please see the documentation at : http://www.digi.com/support/productdetail?pid=4969
Resources for POODLE
If you are interested in learning more about the disclosure, please feel free to visit the web pages below:
If you have any other questions regarding this vulnerability and how it affects Digi hardware products and the Digi Device Cloud, feel free to contact us at firstname.lastname@example.org