Digi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00018.

Exploitation none

Automatable no

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
Digi International Digi RealPort unaffected
Version Status Constraints
0 affected ≤ 4.8.488.0
Digi International Digi RealPort unaffected
Version Status Constraints
0 affected ≤ 1.9-40
Digi International Digi ConnectPort TS 8/16 unaffected
Version Status Constraints
0 affected < 2.26.2.4
Digi International Digi Passport Console Server unaffected
Version Status Constraints
all versions affected
Digi International Digi ConnectPort LTS 8/16/32 unaffected
Version Status Constraints
0 affected < 1.4.9
Digi International Digi CM Console Server unaffected
Version Status Constraints
all versions affected
Digi International Digi PortServer TS unaffected
Version Status Constraints
all versions affected
Digi International Digi PortServer TS MEI unaffected
Version Status Constraints
all versions affected
Digi International Digi PortServer TS MEI Hardened unaffected
Version Status Constraints
all versions affected
Digi International Digi PortServer TS M MEI unaffected
Version Status Constraints
all versions affected
Digi International Digi PortServer TS P MEI unaffected
Version Status Constraints
all versions affected
Digi International Digi One IAP Family unaffected
Version Status Constraints
all versions affected
Digi International Digi One IA unaffected
Version Status Constraints
all versions affected
Digi International Digi One SP IA unaffected
Version Status Constraints
all versions affected
Digi International ​Digi One SP unaffected
Version Status Constraints
all versions affected
Digi International Digi WR31 unaffected
Version Status Constraints
all versions affected
Digi International Digi WR11 XT unaffected
Version Status Constraints
all versions affected
Digi International Digi WR44 R unaffected
Version Status Constraints
all versions affected
Digi International Digi WR21 unaffected
Version Status Constraints
all versions affected
Digi International Digi Connect ES unaffected
Version Status Constraints
0 affected < 2.26.2.4
Digi International Digi Connect SP unaffected
Version Status Constraints
all versions affected
Digi International Digi 6350-SR unaffected
Version Status Constraints
all versions unaffected
Digi International Digi ConnectCore 8X products unaffected
Version Status Constraints
all versions unaffected

Configuration 1 [-]

OR cpe:2.3:a:digi:realport:*:*:*:*:*:linux:*:*
cpe:2.3:a:digi:realport:*:*:*:*:*:windows:*:*

Configuration 2 [-]

AND
cpe:2.3:o:digi:connectport_ts_8\/16_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:digi:connectport_ts_8\/16:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:o:digi:passport_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:passport:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:o:digi:connectport_lts_8\/16\/32_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:digi:connectport_lts_8\/16\/32:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:digi:cm_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:cm:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
cpe:2.3:o:digi:portserver_ts_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:portserver_ts:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:digi:portserver_ts_mei_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:portserver_ts_mei:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND
cpe:2.3:o:digi:portserver_ts_mei_hardened_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:portserver_ts_mei_hardened:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND
cpe:2.3:o:digi:portserver_ts_m_mei_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:portserver_ts_m_mei:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND
cpe:2.3:o:digi:portserver_ts_p_mei_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:portserver_ts_p_mei:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND
cpe:2.3:o:digi:one_iap_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:one_iap:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND
cpe:2.3:o:digi:one_ia_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:one_ia:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND
cpe:2.3:o:digi:one_sp_ia_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:one_sp_ia:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND
cpe:2.3:o:digi:one_sp_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:one_sp:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND
cpe:2.3:o:digi:wr31_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:wr31:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND
cpe:2.3:o:digi:transport_wr11_xt_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:transport_wr11_xt:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND
cpe:2.3:o:digi:wr44_r_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:wr44_r:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND
cpe:2.3:o:digi:wr21_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:wr21:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND
cpe:2.3:o:digi:connect_es_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:digi:connect_es:-:*:*:*:*:*:*:*

Configuration 20 [-]

AND
cpe:2.3:o:digi:connect_sp_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:digi:connect_sp:-:*:*:*:*:*:*:*

No data.

No data.

Project Subscriptions

Vendors Products
Digi Subscribe
Cm Subscribe
Cm Firmware Subscribe
Connect Es Subscribe
Connect Es Firmware Subscribe
Connect Sp Subscribe
Connect Sp Firmware Subscribe
Connectport Lts 8\/16\/32 Subscribe
Connectport Lts 8\/16\/32 Firmware Subscribe
Connectport Ts 8\/16 Subscribe
Connectport Ts 8\/16 Firmware Subscribe
One Ia Subscribe
One Ia Firmware Subscribe
One Iap Subscribe
One Iap Firmware Subscribe
One Sp Subscribe
One Sp Firmware Subscribe
One Sp Ia Subscribe
One Sp Ia Firmware Subscribe
Passport Subscribe
Passport Firmware Subscribe
Portserver Ts Subscribe
Portserver Ts Firmware Subscribe
Portserver Ts M Mei Subscribe
Portserver Ts M Mei Firmware Subscribe
Portserver Ts Mei Subscribe
Portserver Ts Mei Firmware Subscribe
Portserver Ts Mei Hardened Subscribe
Portserver Ts Mei Hardened Firmware Subscribe
Portserver Ts P Mei Subscribe
Portserver Ts P Mei Firmware Subscribe
Realport Subscribe
Transport Wr11 Xt Subscribe
Transport Wr11 Xt Firmware Subscribe
Wr21 Subscribe
Wr21 Firmware Subscribe
Wr31 Subscribe
Wr31 Firmware Subscribe
Wr44 R Subscribe
Wr44 R Firmware Subscribe
Advisories
Source ID Title
EUVD EUVD EUVD-2023-54170 Digi RealPort Protocol is vulnerable to a replay attack that may allow an attacker to bypass authentication to access connected equipment.
Fixes

Solution

Digi International recommends users acquire and install patches that they have made available for the following products: * ​RealPort software for Windows: Fixed in 4.10.490 * ​Digi ConnectPort TS 8/16: Fixed in firmware version 2.26.2.4 * ​Digi ConnectPort LTS 8/16/32: Fixed in version 1.4.9 * ​Digi Connect ES: Fixed in firmware version 2.26.2.4 ​For more information, see the customer notification document https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf  published by Digi International.

Workaround

Dragos recommends restricting access to Digi devices on TCP/771 (default) or TCP/1027 (if encryption is enabled, this is the default port). Only allow the workstations which initiate RealPort connections to communicate to the field equipment on those ports. Note that most of Digi's devices allow you to change the setting for which TCP port the RealPort service runs on, so end users should consult their device configuration and restrict access to the configured port if it is not the default. ​If using the system in 'reverse' mode, where the Digi device calls back to the Windows or Linux workstation, then Dragos recommends restricting access to the workstation on TCP/771 or TCP/1027 to known Digi RealPort devices on your network. This port may be configured by end users, so consult the workstation and device configurations to ensure coverage.

References
Link Providers
https://www.cisa.gov/news-events/ics-advisories/icsa-23-243-04 cve-icon cve-icon
https://www.digi.com/getattachment/resources/security/alerts/realport-cves/Dragos-Disclosure-Statement.pdf cve-icon cve-icon
History

Thu, 16 Jan 2025 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-01-16T21:30:37.810Z

Reserved: 2023-08-10T20:14:27.489Z

Link: CVE-2023-4299

cve-icon Vulnrichment

Updated: 2024-08-02T07:24:04.616Z

cve-icon NVD

Status : Modified

Published: 2023-08-31T21:15:09.183

Modified: 2024-11-21T08:34:48.760

Link: CVE-2023-4299

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses