Objective
This policy is intended to describe Digi’s standards for responding to known potential security vulnerabilities in Digi products that integrate Digi Embedded Yocto (DEY). It defines Digi’s targets for communicating potential vulnerabilities and delivering resolutions to customers.
Scope
Any software can potentially present vulnerabilities or weaknesses that can be exploited by a cybercriminal to deliver a successful attack. A system software image of a device includes different software components:
- Digi-developed software packages, such as the Digi ConnectCore® board support package (BSP) and the Digi Embedded Yocto software extensions, are maintained and owned by Digi.
- Open-source upstream packages from the Linux community, used to create the final customer-specific images, are maintained and owned by the Linux community and customers.
- Customer application software is maintained and owned by customers.
Beyond maintenance of Digi-owned software, Digi provides services to support the maintenance of community- and customer-owned software packages, such as Digi ConnectCore Security Services and Digi Wireless Design Services.
Digi ConnectCore Security Services analyze the system software running on ConnectCore system-on-module (SOM) based devices for security risks and vulnerabilities and help remediate issues. Digi ConnectCore Security Services are a collection of services and tools that enable customers to maintain the security of their ConnectCore SOM-based devices during their entire lifecycle. This empowers customers to solve the ongoing challenge of keeping products secure after release.
The services include the analysis and monitoring of a custom software bill of materials (SBOM) and binary image running on Digi ConnectCore SOMs for security risks and vulnerabilities. To help remediate identified issues, the services provide a curated vulnerability report highlighting critical issues, a security software layer including patches for common vulnerabilities, and consulting services.
Digi Wireless Design Services provide technical support from Digi for software development and security maintenance support. Digi provides support as directed and prioritized by customers based on an agreed number of hours per month, included in the service agreement.
This policy specifically covers security vulnerabilities in released and supported products running DEY images. We define a security vulnerability as an unintentional weakness or flaw within hardware, firmware or software that has the potential to be exploited by a threat agent in order to compromise a customer’s device. This includes, but is not limited to, any method that intentionally or unintentionally provides unauthorized access, permissions, or information.
This policy does not cover the general support and resolution process for non-security-related defects. For further information on general support policies, please visit Digi Support Services.
Audience
This policy is for the use of Digi customers and distributors.
Introduction
The Yocto Project™ is an open source collaboration project that provides templates, tools, and methods to help you create custom Linux-based systems for embedded products regardless of the hardware architecture. It is a complete embedded Linux distribution builder with tools, metadata, and documentation.
With the Yocto Project, customers can compile thousands of packages to create their custom Linux images and add community open-source applications to their devices. It builds the three main components of an embedded Linux product:
- The bootloader
- The Linux kernel
- The user space or root file system
Digi Embedded Yocto is an open source and freely available Yocto Project-based embedded Linux distribution. It is the reference distribution for the Digi ConnectCore ecosystem of embedded system-on-modules (SOMs) and single board computers (SBCs), and it is based on Poky, the Yocto Project's reference distribution. It includes customizations for Digi hardware as well as out-of-the-box software extensions not part of the standard Yocto Project that help products get to market faster.
The following Digi ConnectCore platforms are supported:
- Digi ConnectCore 91
- Digi ConnectCore MP25
- Digi ConnectCore 93
- Digi ConnectCore MP13
- Digi ConnectCore MP15
- Digi ConnectCore 8M Mini
- Digi ConnectCore 8M Nano
- Digi ConnectCore 6+
- Digi ConnectCore 8X
- Digi ConnectCore 6UL
- Digi ConnectCore 6/6N
Digi welcomes the transparent reporting of vulnerabilities and is committed to resolving them in a timely manner. In addition to reports from users, Digi actively searches for vulnerabilities through internal testing, static code analysis, independent penetration testing, and assessment of upcoming common vulnerabilities and exposures (CVEs). Vulnerabilities may be introduced through an error in design or development or (more commonly) through a vulnerability being discovered in a third-party library integrated into a DEY-based product's firmware or software. They may be discovered through firmware or software testing, reported publicly as CVEs, or found by an independent security assessment, a customer, or another party.
Digi’s policy is to quickly assess the impact of any reported vulnerability. Once the vulnerability is assessed according to the Common Vulnerability Scoring System (CVSS 4.0), details of the vulnerability, its impact, and the timeline for resolution will be made publicly available to customers and distributors.
Reporting Potential Vulnerabilities
Customers or distributors that are experiencing security issues with DEY products are encouraged to report the issue as soon as practicable through the Digi security form. When reporting a potential vulnerability, please include as much information as possible (including CVE number if available) about the circumstances and the potential impact.
Assessing Potential Vulnerabilities
Digi uses the Common Vulnerability Scoring System (CVSS 4.0) in combination with the severity rating to evaluate newly reported potential vulnerabilities. The determined CVSS score reflects the potential security threat of the vulnerability within the context of Digi product design. Digi’s security and engineering team reserves the right to internally re-classify the CVSS score to reflect the likelihood of impact on our products based on the implementation. Digi customers can make queries about CVE assessments. To do so, write the CVSS 4.0 vector string for the Digi-determined score and submit the request to Digi support.
Information and Resolution Timelines
These resolution timelines apply to Digi-developed software packages, such as the Digi ConnectCore board support package (bootloader, Linux kernel modifications) and the Digi Embedded Yocto software extensions, that are maintained and owned by Digi.
The CVSS 4.0 score is used to prioritize and set targets for communication and resolution as follows:
| Severity | CVSS 4.0 | Resolution Target | Fix Information |
| --- | --- | --- | --- |
| Critical | 9.0–10.0 | Fixes will be pushed to the public GitHub repository as fast as possible, with a resolution target of 4 weeks. | Information will be posted in the GitHub repository and Security Advisory. |
| High | 7.0–8.9 | Fixes will be pushed to the public GitHub repository as fast as possible, with a resolution target of 8 weeks. | Information will be posted in the GitHub repository. |
| Medium | 4.0–6.9 | Next major release | See the release notes in the corresponding DEY distribution. |
| Minor | N/A | Future release | See the release notes in the corresponding DEY distribution. |
| No Vulnerability | N/A | N/A | N/A |
Digi usually pushes fixes for “critical” or “high” severity vulnerabilities to the DEY public repositories prior to any upcoming release of any actively supported DEY version, upon completion of implementation and testing. In that case, for a fix to be effective, updating to a higher DEY version is mandatory due to dependencies.
Resolution of Potential Vulnerabilities
Digi takes security vulnerabilities seriously and endeavors to make resolution available to customers and partners in line with resolution targets for all products currently in support. To verify which products are no longer supported, please visit the Digi customer portal for a list of product change notifications (PCN) and end of life (EOL) announcements.
All software resolutions are delivered through our standard release channels, that is, the DEY public repositories at Digi International Inc. - Embedded. Security-related software resolutions are made available to all customers regardless of warranty status.
Receiving Information on Potential Vulnerabilities
Customers and partners can subscribe to Digi Security Center alerts and notifications to receive information on potential vulnerabilities that are in the process of being assessed or resolved.
Any party subscribed to the Digi Security Center will receive security advisories for some critical- and high-severity vulnerabilities, providing detailed information about them. They will also receive updates on all issues they have reported, regardless of type, through our security vulnerability submission portal or technical support portal.
Last updated: August 2024