Tridium Mitigates Vulnerability
Monday, February 18, 2013 @ 11:02 AM gHale
A patch is now available for a directory traversal vulnerability in Tridium's NiagaraAX software, according to an ICS-CERT advisory.
Security researchers Billy Rios and Terry McCorkle found that an attacker holding a valid user account, or using the guest account where it is enabled, can exploit the flaw remotely to escalate privileges on a NiagaraAX system. Successful exploitation could compromise the availability, integrity, and confidentiality of the system.
All versions of Tridium NiagaraAX suffer from the issue.
Where the software controls a physical process, exploitation can result in loss of integrity, loss of data, and possibly physical damage. Where NiagaraAX handles facility access control and administration, it could also compromise the physical security of the facility.
Tridium is a U.S.-based company that maintains offices in several countries around the world, including the U.S., UK, Singapore, and China. Tridium also deploys systems to Latin America.
NiagaraAX is a general framework that integrates and manages diverse industrial control system components, such as HVAC, building automation controls, and facility management, which a user can control over the Internet from a Web browser. Tridium said more than 350,000 instances of the NiagaraAX Framework are deployed worldwide.
Tridium estimates these products are used mainly in commercial facilities (88 percent), energy (5 percent), education (5 percent), and government facilities and other sectors (2 percent).
If an installed NiagaraAX has its Web interface reachable from the Internet, an attacker who holds valid user credentials, or who can use the guest account where that function is enabled, could abuse the application to escalate privileges and gain control of the system. By sending a specially crafted packet to the Web server on Port 80/TCP, the attacker could read the contents of files outside the intended directory, expose sensitive data, execute arbitrary code, and affect availability.
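The bug class the advisory describes, directory traversal through a Web interface, is easiest to understand with the vulnerable pattern next to its fix and a detection pass over access logs. The following Python is an added example written for this page; it is not Tridium's code and does not reproduce the specific NiagaraAX flaw, whose details the advisory does not publish. It assumes a hypothetical document root of /opt/webapp/static and uses constructed log lines, and it only normalises path strings, so it runs without touching the file system.

```python
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Hypothetical document root for the Web interface (an assumption for this
# example; nothing on disk is touched, only path strings are normalised).
WEB_ROOT = "/opt/webapp/static"


def naive_resolve(web_root: str, requested: str) -> str:
    """The traversal-prone pattern: join the request onto the root and trust it.

    A request for '../../../etc/passwd' walks straight out of web_root.
    """
    return posixpath.normpath(posixpath.join(web_root, requested.lstrip("/")))


def safe_resolve(web_root: str, requested: str) -> Optional[str]:
    """Resolve a URL path against web_root; return None if it escapes the root.

    1. percent-decode twice so double encoding (%252e%252e) is caught too
    2. treat backslashes as separators, as several servers do
    3. refuse embedded NULs, which truncate paths in C-based file APIs
    4. normalise '.' and '..' segments
    5. require the result to stay under web_root; the trailing '/' in the
       prefix check stops '/opt/webapp/static2' from passing as inside the root
    """
    decoded = unquote(unquote(requested)).replace("\\", "/")
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed access-log lines in Common Log Format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Feb/2013:11:02:00 +0000] "GET /css/site.css HTTP/1.1" 200 1024',
    '10.0.0.9 - - [18/Feb/2013:11:02:01 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 2048',
    '10.0.0.9 - - [18/Feb/2013:11:02:02 +0000] "GET /%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 0',
    '10.0.0.7 - - [18/Feb/2013:11:02:03 +0000] "GET /index.html HTTP/1.1" 200 512',
]

_LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def flag_traversal_requests(log_lines: List[str], web_root: str = WEB_ROOT) -> List[Tuple[str, str]]:
    """Detection side: return (client, path) for requests that escape web_root.

    Running the same resolver over logs catches attempts whether or not the
    server answered 200, so a 404 on a probe still surfaces the scanning host.
    """
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        client, _method, path = m.groups()
        if safe_resolve(web_root, path) is None:
            hits.append((client, path))
    return hits


if __name__ == "__main__":
    print("naive :", naive_resolve(WEB_ROOT, "../../../etc/passwd"))
    print("safe  :", safe_resolve(WEB_ROOT, "../../../etc/passwd"))
    for client, path in flag_traversal_requests(SAMPLE_LOG):
        print("flag  :", client, path)
```

The prefix check is deliberately done on the normalised string rather than on a live realpath() call, so that a symlink inside the root cannot be used to reach outside it after the check has passed; a production handler would additionally open files with the resolved path only and never with the raw request.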
The vulnerability is tracked as CVE-2012-4701 and carries a CVSS v2 base score of 8.5.
No known public exploits specifically target this vulnerability. An attacker with medium skill may be able to exploit this vulnerability.
Tridium has developed patches for all current versions (Versions 3.5, 3.6, and 3.7) of the NiagaraAX software. Links to the patches, along with instructions on their use are available on the Tridium Security Update Web page.
Tridium said users of older versions of NiagaraAX software (prior to Version 3.5) should either upgrade to the newest version or take careful measures to isolate the Web interface from the Internet.
One Response to “Tridium Mitigates Vulnerability”
A lot of attention has been given to Niagara AX and the vulnerabilities but what seems to be overlooked time and again is that there are some very simple security measures that are not being used. The articles a few months ago that cited an HVAC Niagara AX system that was hacked either didn't mention the fact or skirted by the fact that the Niagara AX system was completely exposed to the Internet using a public IP. This is not a vendor issue. Plainly stated this is poor installation and bad security practices by a system integrator. This is not to say that vendors should be let off the hook but system integrators have to step up and do their part.
I changed my career path and moved from IT to control system integration in 2001. At that time control systems were just beginning to be connected to the web. In most cases the systems were set up either on the LAN of a company or a closed network that only had control system equipment on it with no remote access. The general consensus was either nobody would want to hack a control system or because of the network protocols such as Modbus, Bacnet, or LON, nobody would be able to figure out how to "talk" to the system.
Buildings came online and people saw the benefit of being able to access their buildings remotely. System integrators had to learn how to set up systems to be accessed via the web and in most cases the minimal amount, if any, was applied to the system. This is not an indictment of system integrators. We did what we had to do to meet customer expectations. What we didn't do was take a hard look at where control systems could go and what steps to protect the systems were needed.
Why are control systems under attack? As a system integrator I can see the attraction. I enjoy seeing buildings, data-centers, etc. come to life. This stuff does stuff. Meaning it is fun to some hackers to see what they can do. Turn off lights, turn something off that is on, turn something on that is off. Of course the other hacker type wants to do real damage. Shut down a power grid, stop water flow, kill systems, etc.
At the very least any control system, not just Niagara AX, needs to be behind a firewall and if it needs to be accessed remotely use a credentialed, encrypted client. This is basic, common practice of any IT solution. You do not pull a server out of the box, rack it, and hang it out on the web. You follow security measures to keep it as safe as possible. Microsoft is not to blame if you do not take basic security measures.
I have worked with Terry McCorkle evaluating our system. Terry and his team are very knowledgeable and professional, and he calls it as he sees it, which I appreciate. The "firestorm" of criticism that Niagara AX and other control systems have gotten is not the result of Terry McCorkle and Billy Rios studies/evaluations. It is being propagated by not focusing on the whole picture and focusing mainly on the vendor because this makes good copy. Responsibility falls on us, system integrators, as well.
I am all for testing vendor software for vulnerabilities but what needs to happen is that when vulnerabilities are identified we, system integrators, need to do our part to “plug” up the holes. We need to work with the vendors and IT. We need to expand our skill set to include IT security practices.
Fred Gordy
Technology Evangelist
fred.gordy@mckenneys.com