Lantronix XPort
Monitor | 5.7 | ICS-CERT ICSA-24-023-05 | Jan 23, 2024
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
The Lantronix XPort Device Server Configuration Manager contains a credential disclosure vulnerability (CWE-261) where credentials can be obtained through unauthenticated access. The vulnerability stems from weak or missing encryption on credential data. Lantronix has classified XPort as a legacy, end-of-life product and does not plan to release a security patch. The vendor recommends migration to xPort Edge for organizations requiring stronger encryption and TLS/SSL support.
What this means
What could happen
An attacker on your network could steal credentials stored or transmitted by the XPort Device Server Configuration Manager, potentially gaining unauthorized access to your network devices and systems.
Who's at risk
Water utilities and municipal electric utilities using legacy Lantronix XPort Device Servers for remote device management and configuration. This particularly affects organizations that manage serial-to-network converters or terminal servers in SCADA or other industrial network environments where XPort is used for out-of-band management.
How it could be exploited
An attacker with access to the local network (adjacent network segment) could intercept or capture credentials transmitted without encryption by the XPort Configuration Manager. This requires user interaction (e.g., opening a configuration interface or performing a task that transmits credentials).
Prerequisites
- Access to the local network segment or adjacent network where XPort Device Server is deployed
- User must be actively using the XPort Configuration Manager interface
- Credentials must be transmitted during normal operation
- No patch available for end-of-life product
- Adjacent network access required (less critical than remote, but still a concern in shared data center environments)
- Weak or no encryption on credential transmission
- Legacy product not designed for modern security standards
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
XPort Device Server Configuration Manager: 2.0.0.13 | 2.0.0.13 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to XPort Device Server Configuration Manager using firewall rules; allow only from designated engineering workstations on a segmented management network
- WORKAROUND: If remote management is required, route all XPort Configuration Manager traffic through a VPN with current patches and strong encryption
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Upgrade from XPort legacy product to xPort Edge, which provides stronger encryption and TLS/SSL support
Mitigations - no patch available
XPort Device Server Configuration Manager: 2.0.0.13 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate XPort Device Server and its configuration interface on a separate network segment from general IT/business networks
CVEs (1)