Digi International has an upgrade available to mitigate unrestricted upload of file with dangerous type and cross-site scripting vulnerabilities in its ConnectPort LTS 32 MEI, according to a CISA report.
Successful exploitation of these remotely exploitable vulnerabilities could limit system availability. Murat Aydemir, Critical Infrastructure Penetration Test Specialist at Biznet Bilisim A.S., and Fatih Kayran, Penetration Test Specialist at Biznet Bilisim A.S., discovered these vulnerabilities.
The following version of ConnectPort LTS 32 MEI, which provides serial over Ethernet connectivity, suffers from the issues: firmware Version 1.4.3 (82002228_K 08/09/2018), BIOS Version 1.2.
In one issue, successful exploitation could allow an attacker to upload a malicious file to the application.
CVE-2020-6975 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 2.4.
In addition, multiple cross-site scripting vulnerabilities exist that could allow an attacker to cause a denial-of-service condition.
CVE-2020-6973 is the case number assigned to these vulnerabilities, which have a CVSS v3 base score of 2.4.
The product sees use in the commercial facilities, critical manufacturing, food and agriculture, healthcare and public health, and transportation systems sectors. It is deployed worldwide.
No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level could leverage the vulnerabilities.
Digi recommends users upgrade to the mandatory release of ConnectPort LTS Version 1.4.5, released on November 8 last year.
Digi International recommends the following best practices:
1. Device firmware
2. Modem firmware
If you prefer manually updating one device at a time, follow these steps from the manual: Firmware update process.
Contact the Digi Technical Support team to find out more on this release.