Digi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Digi
  • Cm
  • Cm Firmware
  • Connect Es
  • Connect Es Firmware
  • Connect Sp
  • Connect Sp Firmware
  • Connectport Lts 8\/16\/32
  • Connectport Lts 8\/16\/32 Firmware
  • Connectport Ts 8\/16
  • Connectport Ts 8\/16 Firmware
  • One Ia
  • One Ia Firmware
  • One Iap
  • One Iap Firmware
  • One Sp
  • One Sp Firmware
  • One Sp Ia
  • One Sp Ia Firmware
  • Passport
  • Passport Firmware
  • Portserver Ts
  • Portserver Ts Firmware
  • Portserver Ts M Mei
  • Portserver Ts M Mei Firmware
  • Portserver Ts Mei
  • Portserver Ts Mei Firmware
  • Portserver Ts Mei Hardened
  • Portserver Ts Mei Hardened Firmware
  • Portserver Ts P Mei
  • Portserver Ts P Mei Firmware
  • Realport
  • Transport Wr11 Xt
  • Transport Wr11 Xt Firmware
  • Wr21
  • Wr21 Firmware
  • Wr31
  • Wr31 Firmware
  • Wr44 R
  • Wr44 R Firmware

Configuration 1 [-]

OR cpe:2.3:a:digi:realport:*:*:*:*:*:linux:*:*
cpe:2.3:a:digi:realport:*:*:*:*:*:windows:*:*

Configuration 2 [-]

AND
cpe:2.3:o:digi:connectport_ts_8\/16_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:digi:connectport_ts_8\/16:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:o:digi:passport_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:passport:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:o:digi:connectport_lts_8\/16\/32_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:digi:connectport_lts_8\/16\/32:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:digi:cm_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:cm:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
cpe:2.3:o:digi:portserver_ts_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:portserver_ts:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:digi:portserver_ts_mei_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:portserver_ts_mei:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND
cpe:2.3:o:digi:portserver_ts_mei_hardened_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:portserver_ts_mei_hardened:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND
cpe:2.3:o:digi:portserver_ts_m_mei_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:portserver_ts_m_mei:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND
cpe:2.3:o:digi:portserver_ts_p_mei_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:portserver_ts_p_mei:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND
cpe:2.3:o:digi:one_iap_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:one_iap:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND
cpe:2.3:o:digi:one_ia_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:one_ia:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND
cpe:2.3:o:digi:one_sp_ia_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:one_sp_ia:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND
cpe:2.3:o:digi:one_sp_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:one_sp:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND
cpe:2.3:o:digi:wr31_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:wr31:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND
cpe:2.3:o:digi:transport_wr11_xt_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:transport_wr11_xt:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND
cpe:2.3:o:digi:wr44_r_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:wr44_r:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND
cpe:2.3:o:digi:wr21_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:wr21:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND
cpe:2.3:o:digi:connect_es_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:digi:connect_es:-:*:*:*:*:*:*:*

Configuration 20 [-]

AND
cpe:2.3:o:digi:connect_sp_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:connect_sp:-:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

Digi International recommends users acquire and install patches that they have made available for the following products: * ​RealPort software for Windows: Fixed in 4.10.490 * ​Digi ConnectPort TS 8/16: Fixed in firmware version 2.26.2.4 * ​Digi ConnectPort LTS 8/16/32: Fixed in version 1.4.9 * ​Digi Connect ES: Fixed in firmware version 2.26.2.4 ​For more information, see the customer notification document https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf  published by Digi International.

Workaround

Dragos recommends restricting access to Digi devices on TCP/771 (default) or TCP/1027 (if encryption is enabled, this is the default port). Only allow the workstations which initiate RealPort connections to communicate to the field equipment on those ports. Note that most of Digi's devices allow you to change the setting for which TCP port the RealPort service runs on, so end users should consult their device configuration and restrict access to the configured port if it is not the default. ​If using the system in 'reverse' mode, where the Digi device calls back to the Windows or Linux workstation, then Dragos recommends restricting access to the workstation on TCP/771 or TCP/1027 to known Digi RealPort devices on your network. This port may be configured by end users, so consult the workstation and device configurations to ensure coverage.

References
Link Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-04 cve-icon cve-icon
https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf cve-icon cve-icon
History

Thu, 16 Jan 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-01-16T21:30:37.810Z

Reserved: 2023-08-10T20:14:27.489Z

Link: CVE-2023-4299

cve-icon Vulnrichment

Updated: 2024-08-02T07:24:04.616Z

cve-icon NVD

Status : Modified

Published: 2023-08-31T21:15:09.183

Modified: 2024-11-21T08:34:48.760

Link: CVE-2023-4299

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.