CVSS v2 base score 5.0: AV:N/AC:L/Au:N/C:P/I:N/A:N
  Access Vector: Network; Access Complexity: Low; Authentication: None
  Confidentiality Impact: Partial; Integrity Impact: None; Availability Impact: None
CVSS v3.1 base score 7.5: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged
  Confidentiality Impact: High; Integrity Impact: None; Availability Impact: None
EPSS percentile: 99.9%
Digi International has identified five products that are vulnerable to the OpenSSL Heartbleed bug. Digi International has produced downloadable firmware upgrade versions that mitigate this vulnerability.
This vulnerability could be exploited remotely. Exploits that target this vulnerability are known to be publicly available.
The following Digi International products are affected:
A missing bounds check in OpenSSL's handling of the TLS Heartbeat extension (RFC 6520) lets a peer ask the device to echo more bytes than it actually sent, returning up to 64 KB of the device's process memory per heartbeat request. The requests require no authentication and can be repeated to harvest different regions of memory, so an attacker who successfully exploits this vulnerability may obtain the user credentials and cryptographic keys used to secure access to the device.
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Digi International is a US-based company located in Minnetonka, Minnesota. It maintains offices in Europe, Middle East, Africa, Asia, and Latin America.
Digi International is a provider of machine-to-machine (M2M) cloud products and services, using both wired and wireless technologies. Digi International acquired Etherios in 2013. The affected Digi International products ship with vulnerable versions of OpenSSL.
The affected Digi International products are wireless web/mesh-based SCADA communication systems. According to Digi International, their products are deployed across several sectors including Commercial Facilities, Communications, Critical Manufacturing, Energy, Transportation Systems, and others.
The Heartbleed bug allows an attacker to read memory adjacent to the heartbeat buffer in any process that uses a vulnerable OpenSSL, including heap regions that earlier connections freed and the allocator reused. This can reveal data from other sessions, passwords, or the private keys of the device.
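The description of the missing bounds check above and this paragraph both come down to one comparison that the pre-fix code never made. The model below is an added illustration, not code from OpenSSL, Digi International or ICS-CERT: it replays the logic of OpenSSL's tls1_process_heartbeat before and after the 1.0.1g fix over a bytes object standing in for the heap, with the heartbeat record followed by whatever else the process held. The record layout follows RFC 6520; the function names and the credential and key strings are made up for the example.

```python
"""Byte-level model of OpenSSL's tls1_process_heartbeat before and after the
CVE-2014-0160 fix.  Added illustration, not OpenSSL, Digi International or
ICS-CERT code: the heap is one bytes object in which the heartbeat record is
followed by whatever else the process held, and all names and the
credential/key strings are made up for the example."""
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16   # RFC 6520: a HeartbeatMessage ends with at least 16 bytes of padding


def build_heartbeat(payload, claimed_len=None):
    """HeartbeatMessage: type(1) | payload_length(2) | payload | padding.
    claimed_len lets a caller overstate payload_length, as the exploit does."""
    claimed_len = len(payload) if claimed_len is None else claimed_len
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING


def process_heartbeat_vulnerable(heap, record_len):
    """Pre-fix logic: take payload_length from the attacker-controlled header
    and copy that many bytes from where the payload starts.  record_len, the
    number of bytes actually received, is never consulted: that is the bug."""
    hbtype, payload_len = struct.unpack("!BH", heap[:3])
    if hbtype != HB_REQUEST:
        return None
    echoed = heap[3:3 + payload_len]          # memcpy(bp, pl, payload) in C
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def process_heartbeat_fixed(heap, record_len):
    """Post-fix logic (OpenSSL 1.0.1g): silently discard any message whose
    header, claimed payload and mandatory padding do not fit inside the
    record that was actually received."""
    if 1 + 2 + PADDING > record_len:          # too short to be a heartbeat
        return None
    hbtype, payload_len = struct.unpack("!BH", heap[:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None                           # the Heartbleed bounds check
    if hbtype != HB_REQUEST:
        return None
    echoed = heap[3:3 + payload_len]
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING


def leaked_bytes(response, payload_sent):
    """Everything a response echoes beyond the payload the client really sent."""
    if response is None:
        return b""
    _, n = struct.unpack("!BH", response[:3])
    return response[3:3 + n][len(payload_sent):]


# Constructed heap contents after the record: made-up data of the kind a
# device's web server or TLS stack would plausibly hold at the same time.
SECRETS = (b"user=admin&password=Sup3rSecret!\r\n"
           b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...")


def demo(claimed_len=0x4000):
    """Send a 4-byte payload that claims 16 KiB; return (bytes leaked by the
    vulnerable handler, reply from the fixed handler)."""
    request = build_heartbeat(b"ping", claimed_len)
    heap = request + SECRETS + b"\x00" * 64
    leak = leaked_bytes(process_heartbeat_vulnerable(heap, len(request)), b"ping")
    return leak, process_heartbeat_fixed(heap, len(request))


if __name__ == "__main__":
    leak, fixed_reply = demo()
    print("vulnerable handler leaked %d bytes, e.g. %r" % (len(leak), leak[:60]))
    print("fixed handler reply:", fixed_reply)      # None: the request is dropped
```

One difference from the real bug is worth keeping in mind: Python slicing stops at the end of the bytes object, whereas the C memcpy keeps reading past the record for the full claimed length, which is why real responses carried fragments of unrelated allocations and freed memory.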
CVE-2014-0160 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160, web site last accessed May 08, 2014). A CVSS v2 base score of 5.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:N/A:N) (CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:P/I:N/A:N, web site last accessed May 08, 2014).
This vulnerability could be exploited remotely. Exploits that target this vulnerability are publicly available. An attacker with moderate skill would be able to exploit this vulnerability.
Digi International published a Security Notice OpenSSL “Heartbleed” on April 14, 2014, updated on April 18, 2014, at the following URL:
<http://www.digi.com/support/kbase/kbaseresultdetl?id=3564>
Recommended firmware updates for most vulnerable Digi International devices are located on the Digi International technical support site, at URL:
<http://www.digi.com/support>
The Digi OpenSSL Heartbleed fix for Digi Embedded Yocto 1.4 is available in the GitHub repositories, and instructions for this update are at URL:
<http://www.digi.com/support/kbase/kbaseresultdetl?id=3566>
All products vulnerable to the OpenSSL Heartbleed bug can also be accessed via Device Cloud by Etherios. Device Cloud is a management platform that provides device management functions for an installed base of devices regardless of location.
Digi International also recommends subscribing to the RSS feed on the support site for Digi International products to get immediate notice of any new firmware or document releases specific to Digi International product updates.
Digi International recommends the following defensive measures:
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page at: http://ics-cert.us-cert.gov/content/recommended-practices. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Mitigation Strategies, that is available for download from the ICS-CERT web site (http://ics-cert.us-cert.gov/).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.