Main Vulnerability Database SB2023090414

SB2023090414 - Use of Password Hash Instead of Password for Authentication in Digi RealPort Protocol

Published: September 4, 2023

Security Bulletin ID SB2023090414

Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Use of Password Hash Instead of Password for Authentication (CVE-ID: CVE-2023-4299)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to use of password hash instead of password for authentication in Digi RealPort Protocol. A remote attacker can perform a replay attack and bypass authentication to access connected equipment.

Remediation

Install update from vendor's website.

References

Vulnerable Software

Digi RealPort for Windows: 4.8.488.0 and previous versions
Digi RealPort for Linux: 1.9-40 and previous versions
Digi Passport Console Server: All versions
Digi CM Console Server: All versions
Digi PortServer TS: All versions
Digi PortServer TS MEI: All versions
Digi PortServer TS MEI Hardened: All versions
Digi PortServer TS M MEI: All versions
Digi PortServer TS P MEI: All versions
Digi One IAP Family: All versions
Digi One IA: All versions
Digi One SP IA: All versions
Digi One SP: All versions
Digi WR31: All versions
Digi WR11 XT: All versions
Digi WR44 R: All versions
Digi WR21: All versions
Digi Connect SP: All versions
Digi ConnectPort TS 8/16: before 2.26.2.4
Digi ConnectPort LTS 8/16/32: before 1.4.9
Digi Connect ES: before 2.26.2.4