SAS: Zero Day Lives On

Tuesday, February 5, 2013 @ 02:02 PM gHale


By Gregory Hale
Tridium Niagara is dealing with an unpatched Zero Day that two security researchers found and demonstrated live at the Kaspersky Security Analyst Summit (SAS) Tuesday.

While a patch is imminent, the researchers, Billy Rios and Terry McCorkle of Cylance, did not go into the technical details of the flaw, other than to say they were able to get root access to the device. The key, they said at the SAS in Puerto Rico, was finding a way to access the file that holds the device's configuration. After that, the researchers, who between them have reported over 1,000 vulnerabilities to vendors, were able to get into the framework's station, the interface administrators use to manage whatever the device is running. From there, they were able to leverage a privilege escalation bug to gain access to the platform level of the device stack, which runs on Java.

Tridium Niagara Framework sees use in running building maintenance systems including access control, video, intrusion, elevator control, lighting, HVAC, and energy.

“A platform written in Java – and we can get through Java – we own everything,” Rios said. “Once you own the platform, you own everything. Once you own the platform, it is game over.”

The researchers conducted a small research project on just how many Tridium Niagara devices were out there connected to the Internet. After a quick Shodan search, they were able to find over 21,000 devices facing the Internet, McCorkle said. That means that if these devices are not properly protected – and most, if not all, are not – they are vulnerable to attack.

They found in part of the company literature the devices work connected to the Internet. “They are designed to connect control systems and building systems to the Internet,” McCorkle said.

While the Shodan search did not tell them exactly which devices were running where, the researchers were able to narrow down the possibilities by looking up case studies on the web site, which also revealed what these devices were controlling.

“We found hospitals, banks buildings on the Internet,” McCorkle said.

The next question is what should users do if they are running Tridium Niagara today?

“Take it off the Internet and make sure it’s protected, and monitor that traffic,” McCorkle said. “Finding these is trivial. You can do privilege escalation on them and elevate to local admin on the LAN and pivot from there.”
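As an added illustration of the "take it off the Internet and monitor that traffic" advice, and not code from the article, from the researchers or from Tridium: a small Python audit that reads connection-log records for a building-automation host and flags any session to its management interface that originates outside the site's own address ranges. The log format, the device address, the management ports and the trusted ranges are all assumptions constructed for this example; substitute the values for your own deployment.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumed for the example: the address of the building-automation host and
# the TCP ports its web/station management interface is reachable on.
DEVICE_ADDRESS = ipaddress.ip_address("10.20.5.7")
MANAGEMENT_PORTS = {80, 443}

# Assumed for the example: the only networks from which administration is expected.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample records in the assumed format: "<timestamp> <src> <dst> <dst_port> <action>".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for Internet sources.
SAMPLE_LOG = """\
# timestamp            src            dst        port action
2013-02-05T14:01:02Z 10.20.1.15     10.20.5.7  443  ALLOW
2013-02-05T14:01:09Z 10.20.1.15     10.20.5.7  443  ALLOW
2013-02-05T14:02:31Z 203.0.113.44   10.20.5.7  443  ALLOW
2013-02-05T14:03:00Z 198.51.100.9   10.20.5.7  80   ALLOW
2013-02-05T14:03:12Z 10.20.1.22     10.20.5.7  22   ALLOW
2013-02-05T14:04:45Z 192.168.3.8    10.20.9.1  443  ALLOW
"""


@dataclass
class Finding:
    timestamp: str
    src: str
    port: int
    reason: str


def parse_record(line):
    """Parse one record of the assumed log format into typed fields."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"malformed record: {line!r}")
    ts, src, dst, port, action = parts
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), action


def management_sessions(lines):
    """Yield parsed records that reach the device's management ports, skipping
    blank lines, comments and traffic to other hosts or other ports."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, action = parse_record(line)
        if dst == DEVICE_ADDRESS and port in MANAGEMENT_PORTS:
            yield ts, src, port, action


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_NETWORKS)


def audit(lines):
    """Return a Finding for every management session from an untrusted source:
    each one is evidence that the interface is reachable from outside the LAN."""
    return [
        Finding(ts, str(src), port, "management interface reached from outside trusted ranges")
        for ts, src, port, _ in management_sessions(lines)
        if not is_trusted(src)
    ]


def sessions_by_source(lines):
    """Count management sessions per source so unusual volume stands out in review."""
    return Counter(str(src) for _, src, _, _ in management_sessions(lines))


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp} {f.src} -> port {f.port}: {f.reason}")
    print(dict(sessions_by_source(SAMPLE_LOG.splitlines())))
```

The audit treats any untrusted source as a finding rather than only failed attempts, because an allowed session from the Internet is exactly the exposure the researchers warn about; the per-source counts are there so that a legitimate administrator's address and an unexpected one can be told apart quickly during review.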

“We are not the only ones doing this,” Rios said. “There are people not standing on a stage talking about this. People have to realize we are not living in the stone age. There are people out there that want to exploit these devices.”

In many ways, the researchers said, these are the very same issues the IT environment faced back in the 1990s.

“We are jumping back in time to the early days of Windows,” McCorkle said. “This isn’t a new problem. We are just trying to shed some light on the situation.”
