Digi Mitigates Heartbleed Hole

Monday, May 12, 2014 @ 06:05 PM gHale

Digi International found five products vulnerable to the OpenSSL Heartbleed bug and created downloadable firmware upgrade versions that mitigate this remotely exploitable vulnerability, according to a report on ICS-CERT.

The following Digi International products suffer from the issue:
• ConnectPort LTS
• ConnectPort X2e
• Digi Embedded Linux 5.9
• Digi Embedded Yocto 1.4
• Wireless Vehicle Bus Adapter (WVA)

A missing bounds check in the handling of the TLS Heartbeat extension can reveal up to 64kB of memory on a connected device. An attacker who successfully exploits this vulnerability may obtain the user credentials and cryptographic keys used to access the device.

ABB Working Toward Heartbleed Patch
Ecava Info Disclosure Vulnerability
Siemens Updates Heartbleed Fixes
Siemens Fixing Heartbleed Vulnerability

Digi International is a U.S.-based company located in Minnetonka, MN. It maintains offices in Europe, Middle East, Africa, Asia, and Latin America.

Digi International is a provider of machine-to-machine (M2M) cloud products and services, using wired and wireless technologies. Digi International acquired Etherios in 2013. Digi International uses vulnerable versions of OpenSSL.

The affected Digi International products are wireless web/mesh-based SCADA communication systems. Digi’s products end up deployed across several sectors including commercial facilities, communications, critical manufacturing, energy, transportation systems among others.

The Heartbleed bug could allow attackers to read unallocated memory of OpenSSL running processes. This could reveal data like transmitted data, passwords, or private keys.

CVE-2014-0160 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

Exploits that target this vulnerability are publicly available and an attacker with a moderate skill would be able to exploit this vulnerability.

Digi International published a Security Notice OpenSSL “Heartbleed” on April 14.

Recommended firmware updates for most vulnerable Digi International devices are on the Digi International technical support site.

The Digi OpenSSL Heartbleed fix for Digi Embedded Yocto 1.4 is available in the github repositories, and click here for instructions for this update.

All products vulnerable to the OpenSSL Heartbleed bug can also get access via Device Cloud by Etherios. Device Cloud is a management platform providing the capability to perform device management functions to installed base of devices regardless of location.

Digi International recommends the following defensive measures:
• Update Firmware. The recommended fix for Heartbleed for Digi International devices is to update to a fixed firmware version update, available on the support www.digi.com/support web site.
• Change Certificates. If the user enabled HTTPS service, and the user has deployed a private key and certificate to the web interface (highly recommended), change the certificate at this time and update to an unaffected firmware version prior to changing the private key certificates.
• Change Passwords. If HTTPS service ended up enabled, change all passwords associated with the affected device, including device user passwords. If using TACACS or RADIUS, change the user passwords as well as the shared secret. If VPN sees use in this configuration, change the passwords and/or tokens.
• Disable the Web Service. Disabling the HTTPS service and still maintaining manageability on the device can occur in a number of ways. Manage the device through a command line service like SSH, or use a Device Cloud account to centrally manage all the devices. Further, if HTTPS service ends up enabled and on a public IP on the Internet, restrict or disable the HTTPS web interface to specific IPs.
• Check Services. If any HTTPS services are within Python, please evaluate the code and make sure it does not suffer any impact. If shell scripting uses the OpenSSL commands, please ensure to mitigate the Heartbeat TLS extension.

Leave a Reply

You must be logged in to post a comment.