CISA-Published Industrial Control System Vulnerabilities
Digi RealPort Protocol
1. EXECUTIVE SUMMARY
CVSS v3 9.0
ATTENTION: Exploitable remotely
Vendor: Digi International, Inc.
Equipment: Digi RealPort Protocol
Vulnerability: Use of Password Hash Instead of Password for Authentication
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow the attacker to access connected equipment.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Digi International reports that the following products using Digi RealPort Protocol are affected:
Digi RealPort for Windows: version 4.8.488.0 and earlier
Digi RealPort for Linux: version 1.9-40 and earlier
Digi ConnectPort TS 8/16: versions prior to 2.26.2.4
Digi Passport Console Server: all versions
Digi ConnectPort LTS 8/16/32: versions prior to 1.4.9
Digi CM Console Server: all versions
Digi PortServer TS: all versions
Digi PortServer TS MEI: all versions
Digi PortServer TS MEI Hardened: all versions
Digi PortServer TS M MEI: all versions
Digi PortServer TS P MEI: all versions
Digi One IAP Family: all versions
Digi One IA: all versions
Digi One SP IA: all versions
Digi One SP: all versions
Digi WR31: all versions
Digi WR11 XT: all versions
Digi WR44 R: all versions
Digi WR21: all versions
Digi Connect ES: versions prior to 2.26.2.4
Digi Connect SP: all versions
Digi International reports that the following products do NOT use Digi RealPort Protocol and are NOT affected:
Digi 6350-SR: all versions
Digi ConnectCore 8X products: all versions
3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF PASSWORD HASH INSTEAD OF PASSWORD FOR AUTHENTICATION CWE-836
Digi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.
CVE-2023-4299 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.3 BACKGROUND
CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER
Reid Wightman of Dragos, Inc reported this vulnerability to Digi International.
4. MITIGATIONS
Digi International recommends users acquire and install patches that they have made available for the following products:
RealPort software for Windows: Fixed in 4.10.490
Digi ConnectPort TS 8/16: Fixed in firmware version 2.26.2.4
Digi ConnectPort LTS 8/16/32: Fixed in version 1.4.9
Digi Connect ES: Fixed in firmware version 2.26.2.4
For more information, see the customer notification document published by Digi International.
Dragos recommends restricting access to Digi devices on TCP/771 (default) or TCP/1027 (if encryption is enabled, this is the default port). Only allow the workstations which initiate RealPort connections to communicate to the field equipment on those ports. Note that most of Digi’s devices allow you to change the setting for which TCP port the RealPort service runs on, so end users should consult their device configuration and restrict access to the configured port if it is not the default.
If using the system in ‘reverse’ mode, where the Digi device calls back to the Windows or Linux workstation, then Dragos recommends restricting access to the workstation on TCP/771 or TCP/1027 to known Digi RealPort devices on your network. This port may be configured by end users, so consult the workstation and device configurations to ensure coverage.
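One way to check that the port restrictions above hold is to audit flow records against the allowlist. This is an added example, not part of the advisory or of Digi's or Dragos's tooling; the CSV flow format, the addresses (documentation ranges) and the function name `audit_flows` are assumptions made for illustration.

```python
import csv
import io
from ipaddress import ip_address

# Default RealPort ports named in the advisory; extend if a device is configured otherwise.
REALPORT_PORTS = {771, 1027}

# Constructed inventory (RFC 5737 documentation addresses, not from the advisory).
WORKSTATIONS = {ip_address("192.0.2.10"), ip_address("192.0.2.11")}
DIGI_DEVICES = {ip_address("198.51.100.20"), ip_address("198.51.100.21")}

# Constructed flow records: source, destination, destination TCP port.
SAMPLE_FLOWS = """src,dst,dport
192.0.2.10,198.51.100.20,771
192.0.2.55,198.51.100.20,771
198.51.100.21,192.0.2.11,1027
203.0.113.9,192.0.2.11,1027
192.0.2.55,198.51.100.21,443
203.0.113.9,198.51.100.21,1027
"""


def audit_flows(flow_csv, workstations, devices, ports=REALPORT_PORTS):
    """Return (src, dst, dport, reason) for each flow that breaks the allowlist."""
    violations = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        dport = int(row["dport"])
        if dport not in ports:
            continue  # not a RealPort service port, out of scope here
        if dst in devices and src not in workstations:
            # Forward mode: only authorized workstations may reach the device.
            violations.append((str(src), str(dst), dport, "unauthorized source to Digi device"))
        elif dst in workstations and src not in devices:
            # Reverse mode: only known Digi devices may call back to the workstation.
            violations.append((str(src), str(dst), dport, "unknown source to RealPort workstation"))
    return violations


if __name__ == "__main__":
    for v in audit_flows(SAMPLE_FLOWS, WORKSTATIONS, DIGI_DEVICES):
        print("VIOLATION src=%s dst=%s dport=%d (%s)" % v)
```

If a device or workstation runs RealPort on a non-default port, pass that port set as `ports` so the audit covers the configured service.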
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.