CVE-2021-35978 – This critical vulnerability in Digi TransPort d... (How to Fix)

Q: What is the severity of CVE-2021-35978?

CVE-2021-35978 has a CVSS score of 9.8 (CRITICAL). This critical vulnerability in Digi TransPort devices allows remote attackers with knowledge of the ZING protocol to execute arbitrary commands with SUPER privileges. Affected devices include DR64, SR44, VC74, and WR series controllers. Attackers can overwrite firmware, modify users, disable firewalls, and gain complete control of affected systems.

📋 TL;DR

This critical vulnerability in Digi TransPort devices allows remote attackers with knowledge of the ZING protocol to execute arbitrary commands with SUPER privileges. Affected devices include DR64, SR44, VC74, and WR series controllers. Attackers can overwrite firmware, modify users, disable firewalls, and gain complete control of affected systems.

💻 Affected Systems

Products:

Digi TransPort DR64
Digi TransPort SR44
Digi TransPort VC74
Digi TransPort WR

Versions: All versions prior to patched firmware

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Devices with ZING protocol enabled are vulnerable. This protocol may be enabled by default in some configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise allowing firmware replacement, permanent backdoor installation, data exfiltration, and use as pivot point into internal networks.

🟠

Likely Case

Unauthorized access leading to configuration changes, user account manipulation, and potential ransomware deployment on industrial control systems.

🟢

If Mitigated

Limited impact if devices are behind strict network segmentation with no internet exposure and ZING protocol disabled.

🌐 Internet-Facing: HIGH - Directly exploitable over network with no authentication required.

🏢 Internal Only: HIGH - Even internally, any network access to affected devices enables complete compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires knowledge of ZING protocol but no authentication. Public disclosure includes technical details enabling exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Digi firmware updates for specific version

Vendor Advisory: https://digi.com

Restart Required: Yes

Instructions:

1. Check Digi support portal for latest firmware. 2. Backup current configuration. 3. Apply firmware update via web interface or console. 4. Verify ZING protocol is disabled if not needed. 5. Restart device.

🔧 Temporary Workarounds

Disable ZING Protocol

all

Disable the vulnerable ZING protocol if not required for operations

Configuration varies by device - disable via web interface or CLI

Network Segmentation

all

Isolate affected devices from untrusted networks

Implement firewall rules blocking port 2362/tcp (ZING default)

🧯 If You Can't Patch

Implement strict network access controls allowing only trusted IPs to communicate with affected devices
Monitor network traffic for ZING protocol usage and investigate any unexpected connections

🔍 How to Verify

Check if Vulnerable:

Check if ZING protocol is enabled in device configuration and if firmware version is unpatched

Check Version:

Check via web interface or console: show version

Verify Fix Applied:

Verify firmware version is updated to latest and ZING protocol is disabled

📡 Detection & Monitoring

Log Indicators:

Unexpected ZING protocol connections
Configuration changes without authorization
New user account creation

Network Indicators:

Traffic on port 2362/tcp (ZING default)
Unusual outbound connections from device

SIEM Query:

source_port:2362 OR protocol:"ZING" OR device_type:"Digi TransPort" AND (event_type:"config_change" OR event_type:"user_added")

📊 Metadata

CVE ID: CVE-2021-35978

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-77

Published: December 10, 2021

Last Updated: November 21, 2024

🔗 References

https://digi.com Vendor Advisory
https://raw.githubusercontent.com/reidmefirst/vuln-disclosure/main/2021-04.txt Third Party Advisory
https://digi.com Vendor Advisory
https://raw.githubusercontent.com/reidmefirst/vuln-disclosure/main/2021-04.txt Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-35978, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Transport Dr64 Firmware by Digi

Transport Sr44 Firmware by Digi

Transport Vc74 Firmware by Digi

Transport Wr11 Firmware by Digi

Transport Wr11 Xt Firmware by Digi

Transport Wr21 Firmware by Digi

Transport Wr31 Firmware by Digi

Transport Wr41 Firmware by Digi

Transport Wr41 Firmware by Digi

Transport Wr41 Firmware by Digi

Transport Wr44 Firmware by Digi

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable ZING Protocol

Network Segmentation

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities