Digi International OpenSSL Vulnerability
Act Now | ICS-CERT ICSA-14-128-01 | Feb 8, 2014
Summary
Digi International products (ConnectPort LTS, ConnectPort X2e, Digi Embedded Linux 5.9, Digi Embedded Yocto 1.4, and Wireless Vehicle Bus Adapter) contain a buffer overflow vulnerability in OpenSSL (CWE-119). The vulnerability is actively being exploited in the wild. No patches are available from the vendor; ConnectPort LTS and X2e are end-of-life products. Digi Embedded Linux 5.9 and Yocto 1.4 are also affected with no vendor fix planned. The Wireless Vehicle Bus Adapter has no fix available for any version.
What this means
What could happen
An attacker could execute arbitrary code on Digi gateway and embedded devices that run exposed OpenSSL libraries, potentially allowing them to intercept communications, manipulate configuration, or take the device offline.
Who's at risk
Water utilities and municipal electric providers relying on Digi ConnectPort gateway devices (LTS, X2e models), wireless field equipment using the Wireless Vehicle Bus Adapter, or industrial systems running Digi Embedded Linux or Yocto distributions should assess their exposure immediately. This affects remote management, SCADA data aggregation, and field device communication infrastructure.
How it could be exploited
An attacker on the network identifies a Digi device (ConnectPort, WVA, or system running Digi Embedded Linux/Yocto) and targets the vulnerable OpenSSL library running on the device. The attacker sends a specially crafted message to trigger a buffer overflow or memory corruption flaw, gaining code execution on the device.
Prerequisites
- Network reachability to the Digi device on ports used by OpenSSL services (typically 443 or proprietary Digi management ports)
- No authentication required for the OpenSSL vulnerability itself
- Remotely exploitable
- No authentication required
- Actively exploited (KEV)
- Very high EPSS score (94.5%)
- No patch available (end-of-life products)
- Affects gateway/control infrastructure
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (5)
4 pending, 1 EOL

Product                              Affected Versions           Fix Status
ConnectPort: LTS                     LTS                         No fix yet
ConnectPort: X2e                     X2e                         No fix yet
Digi Embedded Linux: 5.9             5.9                         No fix yet
Digi Embedded Yocto: 1.4             1.4                         No fix yet
Wireless Vehicle Bus Adapter (WVA)   All versions (vers:all/*)   No fix (EOL)
Remediation & Mitigation
Do now
- [HARDENING] Replace or physically isolate ConnectPort LTS and X2e devices; no vendor patch will be released for these end-of-life products
- [HARDENING] Isolate devices running Digi Embedded Linux 5.9 and Digi Embedded Yocto 1.4 from untrusted networks using firewall rules or network segmentation; monitor for exploitation attempts
- [WORKAROUND] Disable or restrict remote management access to all affected Digi devices until they can be replaced or patched
- [HARDENING] Monitor network traffic to and from Digi devices for suspicious connection attempts or unusual behavior
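One way to act on the segmentation and monitoring items above, as an added example that is not part of the advisory and not Digi tooling: a small log triage script that reads netfilter LOG-style lines from a perimeter firewall and flags connection attempts to the Digi gateways on the OpenSSL-backed port (443, per the Prerequisites section) that originate outside the management subnet. The log lines, the device addresses 10.20.0.10/10.20.0.11 and the management network 10.1.5.0/24 are all constructed placeholders; a deployment would take the real device inventory and the real allow-listed subnet.

```python
import ipaddress
import re

# Constructed sample lines in the shape of netfilter's LOG target output
# (hypothetical addresses; 10.20.0.10 and 10.20.0.11 stand in for Digi gateways).
SAMPLE_LOG = """\
Feb  8 10:01:02 fw kernel: DIGI-IN: IN=eth0 OUT=eth1 SRC=10.1.5.7 DST=10.20.0.10 PROTO=TCP SPT=51234 DPT=443 SYN
Feb  8 10:01:05 fw kernel: DIGI-IN: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=10.20.0.10 PROTO=TCP SPT=40001 DPT=443 SYN
Feb  8 10:01:06 fw kernel: DIGI-IN: IN=eth0 OUT=eth1 SRC=192.0.2.44 DST=10.20.0.11 PROTO=TCP SPT=40002 DPT=443 SYN
Feb  8 10:01:09 fw kernel: DIGI-IN: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.20.0.11 PROTO=TCP SPT=3000 DPT=22 SYN
Feb  8 10:02:00 fw kernel: DIGI-IN: IN=eth0 OUT=eth1 SRC=10.1.5.8 DST=10.20.0.11 PROTO=UDP SPT=5555 DPT=161
"""

# Hypothetical inventory: the affected Digi devices and the only subnet that
# should ever reach their management/TLS services.
DIGI_DEVICES = {ipaddress.ip_address("10.20.0.10"), ipaddress.ip_address("10.20.0.11")}
MGMT_NETWORK = ipaddress.ip_network("10.1.5.0/24")
# 443 is the OpenSSL-backed service named in the advisory; add any proprietary
# Digi management ports used at the site to this set.
WATCHED_PORTS = {443}

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Extract src, dst, protocol and destination port from one LOG line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def find_suspicious(log_text):
    """Return records that hit a Digi device on a watched port from outside MGMT_NETWORK."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] not in DIGI_DEVICES or rec["dpt"] not in WATCHED_PORTS:
            continue
        if rec["src"] not in MGMT_NETWORK:
            events.append(rec)
    return events


def summarize(events):
    """Group offending sources with the distinct devices each one touched.

    A single source reaching several gateways is the fan-out pattern worth
    escalating first when no patch exists for the devices.
    """
    per_src = {}
    for e in events:
        per_src.setdefault(str(e["src"]), set()).add(str(e["dst"]))
    return {src: sorted(dsts) for src, dsts in per_src.items()}


if __name__ == "__main__":
    for src, devices in summarize(find_suspicious(SAMPLE_LOG)).items():
        print(f"{src} reached {len(devices)} Digi device(s) on a watched port: {', '.join(devices)}")
```

The allow-list check is deliberately on the source subnet rather than on packet content: with no vendor fix, the useful signal is any TLS contact with the device that did not come from the management network, which is also the condition a firewall rule should drop and log in the first place.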
Mitigations - no patch available
Wireless Vehicle Bus Adapter (WVA): vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- [HARDENING] Develop a device replacement timeline for ConnectPort LTS/X2e and plan firmware updates for Digi Embedded Linux/Yocto systems if any future patches become available
CVEs (1)