First published: Fri Oct 08 2021
In Digi RealPort through 4.10.490, authentication relies on a challenge-response mechanism that gives access to the server password, making the protection ineffective. An attacker may send an unauthenticated request to the server. The server will reply with a weakly hashed version of the server's access password. The attacker may then crack this hash offline in order to successfully log in to the server.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Digi Realport | <=1.9-40 | |
Digi Realport | <=4.10.490 | |
Digi Connectport Ts 8/16 Firmware | | |
Digi Connectport Ts 8/16 | | |
Digi Connectport Lts 8/16/32 Firmware | | |
Digi Connectport Lts 8/16/32 | | |
Digi Passport Integrated Console Server Firmware | | |
Digi Passport Integrated Console Server | | |
Digi Cm Firmware | | |
Digi Cm | | |
Digi Portserver Ts Firmware | | |
Digi Portserver Ts | | |
Digi Portserver Ts Mei Firmware | | |
Digi Portserver Ts Mei | | |
Digi Portserver Ts Mei Hardened Firmware | | |
Digi Portserver Ts Mei Hardened | | |
Digi Portserver Ts M Mei Firmware | | |
Digi Portserver Ts M Mei | | |
Digi 6350-sr Firmware | | |
Digi 6350-sr | | |
Digi Portserver Ts P Mei Firmware | | |
Digi Portserver Ts P Mei | | |
Digi Transport Wr11 Xt Firmware | | |
Digi Transport Wr11 Xt | | |
Digi One Ia Firmware | | |
Digi One Ia | | |
Digi Wr31 Firmware | | |
Digi Wr31 | | |
Digi Wr44 R Firmware | | |
Digi Wr44 R | | |
Digi Connect Es Firmware | | |
Digi Connect Es | | |
Digi Wr21 Firmware | | |
Digi Wr21 | | |
Digi One Iap Firmware | | |
Digi One Iap | | |
Digi One Iap Haz Firmware | | |
Digi One Iap Haz | | |
The CVE ID of this vulnerability is CVE-2021-36767.
The severity of CVE-2021-36767 is critical with a CVSS score of 9.8.
Digi RealPort versions up to 4.10.490 on Linux and Windows are affected by CVE-2021-36767.
Authentication in Digi RealPort through 4.10.490 relies on a challenge-response mechanism.
An attacker can send an unauthenticated request to the server to exploit CVE-2021-36767.