CVE-2021-38412
📋 TL;DR
This vulnerability allows unauthenticated attackers to send specially crafted POST requests to Digi PortServer TS 16 Rack devices, enabling the SNMP service and manipulating community strings without authentication. It affects organizations that use these industrial control system devices for serial port connectivity. Attackers could gain administrative control over the device.
💻 Affected Systems
- Digi PortServer TS 16 Rack
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing attackers to reconfigure network settings, intercept serial communications, disable security features, and use the device as a pivot point into industrial control networks.
Likely Case
Attackers enable SNMP with known community strings, gain read/write access to device configuration, potentially disrupting serial communications and exposing connected industrial equipment.
If Mitigated
With proper network segmentation and access controls, impact is limited to the isolated device without affecting critical industrial processes.
🎯 Exploit Status
Simple HTTP POST requests can trigger the vulnerability. No special tools or advanced skills required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.6
Vendor Advisory: https://www.digi.com/support/product-advisories/digi-portserver-ts-authentication-bypass-vulnerability
Restart Required: Yes
Instructions:
1. Download firmware version 1.7.6 from the Digi support portal.
2. Log into the device web interface.
3. Navigate to System > Firmware Update.
4. Upload the firmware file.
5. Apply the update and restart the device.
🔧 Temporary Workarounds
Network Segmentation
Isolate Digi PortServer devices from untrusted networks and internet access
Access Control Lists
Implement firewall rules to restrict HTTP/HTTPS access to trusted management IPs only
🧯 If You Can't Patch
- Disable HTTP/HTTPS web interface if not required for operations
- Implement strict network segmentation with firewall rules blocking all external access
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or serial console. Versions below 1.7.6 are vulnerable.
Check Version:
Serial console command: 'show version' or web interface at System > Status
Verify Fix Applied:
Verify firmware version shows 1.7.6 or higher in System > Status page
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /cgi-bin/ endpoints without authentication
- SNMP service activation logs from unauthenticated sources
Network Indicators:
- HTTP POST requests to device IP on ports 80/443 from unauthorized sources
- SNMP traffic from previously disabled service
SIEM Query:
source_ip=* AND dest_ip=[device_ip] AND (http_method=POST AND uri_path="/cgi-bin/*") AND NOT user_agent="Digi*"
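The log indicators above can be checked offline against an exported web access log. The following is an added example, not code from the original page or from Digi: it parses constructed Common Log Format lines (the `ident`/`user` fields, addresses and paths are made up for illustration) and counts POST requests to `/cgi-bin/` paths that carry no authenticated user and originate outside an assumed trusted management range (`10.0.5.0/24`, a placeholder). Unlike the SIEM query, it deliberately does not exclude requests by `User-Agent`, because that header is set by the client and a request from a `Digi*` agent string is still worth reviewing when it comes from an untrusted source.

```python
"""Flag unauthenticated POSTs to /cgi-bin/ on a PortServer TS web interface
that come from outside the trusted management network.

Added example for this advisory; log lines and addresses are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access log (Common Log Format with referer and user-agent).
# This is not the device's native log format; adapt LOG_RE to your collector.
SAMPLE_LOG = """\
10.0.5.20 - - [12/Jun/2024:09:10:01 +0000] "GET /home.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jun/2024:09:10:05 +0000] "POST /cgi-bin/config HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jun/2024:09:10:06 +0000] "POST /cgi-bin/config HTTP/1.1" 200 64 "-" "python-requests/2.31"
198.51.100.7 - - [12/Jun/2024:09:10:07 +0000] "POST /cgi-bin/config HTTP/1.1" 200 64 "-" "python-requests/2.31"
10.0.5.20 - admin [12/Jun/2024:09:11:00 +0000] "POST /cgi-bin/config HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Jun/2024:09:12:30 +0000] "POST /cgi-bin/snmp HTTP/1.1" 200 32 "-" "Digi-Tool/1.0"
192.0.2.44 - operator [12/Jun/2024:09:13:10 +0000] "POST /cgi-bin/config HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Assumed trusted management range (placeholder; use your own ACL source).
TRUSTED_NETS = [ip_network("10.0.5.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if malformed."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_trusted(ip, trusted_nets):
    """True if the source address falls inside any trusted management network."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # unparsable source is never treated as trusted
    return any(addr in net for net in trusted_nets)


def find_unauth_cgi_posts(log_text, trusted_nets=TRUSTED_NETS):
    """Count, per source IP, POSTs to /cgi-bin/ with no authenticated user
    from sources outside the trusted networks."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or not rec["path"].startswith("/cgi-bin/"):
            continue
        if rec["user"] != "-":
            continue  # an authenticated user was recorded for this request
        if is_trusted(rec["ip"], trusted_nets):
            continue
        hits[rec["ip"]] += 1
    return hits


def alerting_sources(hits, threshold=1):
    """Sources whose suspicious POST count meets the threshold (repeated
    POSTs from one host matches the 'multiple POST requests' indicator)."""
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    counts = find_unauth_cgi_posts(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} unauthenticated POST(s) to /cgi-bin/ from untrusted source")
    print("alert on:", alerting_sources(counts, threshold=2))
```

Run against a real export, replace `TRUSTED_NETS` with the ranges from the access control list in the workarounds section and tune `threshold` to the normal rate of legitimate configuration changes; a single POST from an untrusted source is already out of policy once the firewall rules above are in place, so a threshold of 1 is reasonable where those rules exist.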