Tridium Niagara Security Update

Tuesday, August 13, 2013 @ 01:08 PM gHale

In addition to the security updates Tridium released in August 2012 and February 2013 to address multiple vulnerabilities in the Tridium Niagara AX Framework software, Tridium has now issued a product update that further enhances the security of the Niagara AX Framework, according to a report on ICS-CERT.

Over a year ago, independent security researchers Billy Rios and Terry McCorkle identified multiple vulnerabilities in the Tridium Niagara AX Framework software. The vulnerabilities included directory traversal, weak credential storage, session cookie weaknesses, and predictable session IDs, all of which are remotely exploitable.


At the time, Tridium issued a security alert and produced a patch that Rios and McCorkle validated as fixing these vulnerabilities. But, as mentioned, Tridium has issued a further product update.

All known versions of the Tridium Niagara AX Framework software products are susceptible to these vulnerabilities.

Successfully exploiting these vulnerabilities will lead to data leakage and possible privilege escalation.

The Tridium Niagara AX software platform integrates different systems and devices, e.g., HVAC, building automation controls, telecommunications, security automation, machine to machine, lighting control, maintenance repair operations, service bureaus, and facilities management, onto a single platform that a user can manage and control over the Internet from a Web browser.

Tridium sells its products and services through multiple distribution channels, which include OEMs/resellers, independent systems integrators, and energy service companies. Tridium said more than 300,000 instances of Niagara AX Framework are in use worldwide.

By default, the Tridium Niagara AX software is not configured to deny access to restricted parent directories. This vulnerability allows a successful attacker to access the file that stores all system usernames and passwords. An attacker could exploit this vulnerability by sending a specially crafted request to the Web server running on Port 80/TCP.

CVE-2012-4027 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

In addition, the system insecurely stores user authentication credentials, which are susceptible to interception and retrieval. User authentication credentials are stored in the Niagara station configuration file, config.bog, which is in the root of the station folder.

CVE-2012-4028 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.

In the default authentication configuration, usernames and passwords are stored in a cookie using Base64 encoding. This significantly lowers the difficulty of exploitation by an attacker. The user must take additional steps to configure stronger authentication.

CVE-2012-3025 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

The software generates a predictable session ID or key value, allowing an attacker to guess the session ID or key.

CVE-2012-3024 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

Exploits that target some of these vulnerabilities are publicly available, although not all technical details are public. An attacker with a medium skill level could exploit these vulnerabilities.

To mitigate the decoding of passwords listed in the config.bog file, Tridium recommends that security settings for file access be at the administrator level only. Instructions for configuring these settings are in the July 13 Security Alert from Tridium. In addition, Tridium issued a patch that prevents access to the config.bog file and backups of the file from network-facing clients.
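Operators can check web server logs for the kind of request the patch is meant to block: parent-directory traversal and references to config.bog or its backups. The following is an added example, not code from Tridium or ICS-CERT; it assumes Common Log Format, and the function names, paths and log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target.replace("\\", "/").lower()

def classify(line):
    """Return (ip, status, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = decode_fully(m.group("target"))
    reasons = []
    if ".." in re.split(r"[/?&=;:]", target):
        reasons.append("parent-directory segment")
    if "config.bog" in target:  # also matches backup names built on it
        reasons.append("config.bog reference")
    return (m.group("ip"), int(m.group("status")), reasons) if reasons else None

def scan(lines):
    """All suspicious requests found in an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit]

def served(findings):
    """Findings answered with 2xx: content was returned, so triage these first."""
    return [f for f in findings if 200 <= f[1] < 300]

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE = [
    '192.0.2.10 - - [13/Aug/2013:10:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Aug/2013:10:00:02 +0000] "GET /files/..%2f..%2fconfig.bog HTTP/1.1" 200 20480',
    '198.51.100.7 - - [13/Aug/2013:10:00:03 +0000] "GET /files/%252e%252e/%252e%252e/config.bog HTTP/1.1" 403 0',
    '203.0.113.5 - - [13/Aug/2013:10:00:04 +0000] "GET /backups/config.bog.bak HTTP/1.1" 404 0',
    '192.0.2.10 - - [13/Aug/2013:10:00:05 +0000] "GET /docs/v1..2/notes.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, status, reasons in scan(SAMPLE):
        print(ip, status, ", ".join(reasons))
```

A flagged request that received a 2xx response after the patch is installed suggests the fix or the file access settings are not in effect on that station.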
