Improper Validation of Certificate in DX/DAL client (DOM-23-002)
Summary
The DX client for DAL was found to initialize its SSLContext insecurely when opening websocket connections, with the result that clients did not verify the server name against the certificate presented by the server.
DAL routers enrolled against default installations of Digi On-Prem Manager are not vulnerable, as they only trust the server's local CA.
However, configurations using a public or custom PKI are vulnerable to machine-in-the-middle attacks on the TLS connections between DX clients and the server.
Remediation
Customers should update to v23.9 of Digi On-Prem Manager, and update their DAL routers to run dx-v4.10 or later.
The DX client for SarOS is not affected.
Affected Versions
- Versions before v4.10 of DAL/DX which are included in Digi On-Prem Manager v23.6 and earlier