OTPulse

Digi PortServer TS 16

Plan Patch | 9.6 | ICS-CERT ICSA-21-257-01 | Sep 14, 2021
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Digi PortServer TS 16 contains an authentication bypass vulnerability that allows unauthenticated attackers to gain write access to device settings and execute arbitrary commands via the command line interface. This grants full control of the device and any serial communications it manages. The PortServer TS 16 was discontinued in 2016 and is no longer supported by Digi. No vendor patch is available. Exploitation requires only network access to the device; no credentials are needed.

What this means
What could happen
An attacker with network access to a PortServer TS 16 device could gain control of its settings and execute arbitrary commands on the device, potentially disrupting or diverting serial communications to connected equipment like PLCs, RTUs, or modems.
Who's at risk
Water utilities and electric utilities using Digi PortServer TS 16 devices for serial device management (connecting to legacy PLCs, RTUs, modems, or serial sensors). Any organization relying on this end-of-life product for process control or SCADA communication is at risk.
How it could be exploited
An attacker on the local network (or remotely, if the device is exposed to the Internet) can connect to the PortServer TS 16 without authentication and exploit the authentication bypass vulnerability to write settings and execute commands via the command line interface. This could allow redirection or manipulation of serial traffic destined for your control devices.
Prerequisites
  • Network access to PortServer TS 16 (local network or Internet if exposed)
  • No authentication required
Risk factors
  • No authentication required
  • No patch available (end-of-life product)
  • Remotely exploitable if network-exposed
  • Affects control system devices
  • Low complexity exploitation
  • Unauthenticated access to command execution
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
PortServer TS 16: Firmware | 82000684 | No fix yet
PortServer TS 16: Firmware | 82000685 | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: If upgrade is not immediately possible, restrict network access to PortServer TS 16 devices using firewall rules to only trusted engineering workstations or jump hosts
  • HARDENING: Isolate PortServer TS 16 devices from the Internet; do not expose the device to WAN or Internet-facing networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade to a supported Digi PortServer product line to replace end-of-life TS 16 devices
  • HARDENING: Segment PortServer TS 16 devices to a separate, controlled network isolated from corporate business systems
  • HARDENING: If remote access to PortServer TS 16 is required, use a VPN with strong encryption and MFA to a secure jump host, and keep VPN software patched