Date: 28-September-2021
Updated Date: 31-December-2021
Updated Date: 08-May-2023 to remove ConnectCore 8 from the list of affected products, updated RealPort software for Linux to show affected versions

Vendor: Digi International

Products affected: 
RealPort software for Windows, version 4.10.490 and earlier
RealPort software for Linux, version 1.9-41 and earlier
Digi ConnectPort TS 8/16, all versions
Digi Passport Console Server, all versions
Digi ConnectPort LTS 8/16/32, all versions
Digi CM Console Server, all versions
Digi PortServer TS, all versions
Digi PortServer TS MEI, all versions
Digi PortServer TS MEI Hardened, all versions
Digi PortServer TS M MEI, all versions
Digi 6350-SR, all versions
Digi PortServer TS P MEI, all versions
Digi WR11 XT, all versions
Digi One IAP Family, all versions
Digi One IA, all versions
Digi WR31, all versions
Digi WR44 R, all versions
Digi Connect ES, all versions
Digi WR21, all versions
Likely: All Digi products which support the RealPort service and have it enabled.
Note: Some third-party products make use of Digi hardware but do not brand it as such. To determine if your system is vulnerable, see Description below.

Product URL: https://www.digi.com/support/knowledge-base/what-is-realport

Vulnerabilities Summary:

RealPort software for Windows is vulnerable to a buffer overrun when parsing response messages during device setup. This may result in arbitrary code execution. CVE-2021-35977. CVSSv3 8.0 (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). 

RealPort encryption mode is vulnerable to man-in-the-middle. CVE-2021-35979. CVSSv3 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). Note: this issue is partially fixed in RealPort software 4.10.490 for Windows and 1.9-41 for Linux by adding certificate pinning.

RealPort authentication mode has a weakness which allows offline bruteforce attack. CVE-2021-36767. CVSSv3 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Description:

For further details, see Dragos advisory VA-2021-10 or contact intel@dragos.com.