Tridium Patches Software Bugs

Monday, August 20, 2012 @ 03:08 PM gHale

Tridium released a patch to fix multiple vulnerabilities in its Niagara AX Framework software, which include directory traversal, weak credential storage, session cookie weaknesses, and predictable session IDs, all of which are remotely exploitable, according to a report on ICS-CERT.

Although not all technical details are available, independent security researchers Billy Rios and Terry McCorkle made these vulnerabilities public. Rios and McCorkle validated that the patch fixes these vulnerabilities.

All known versions of the Tridium Niagara AX Framework software products are susceptible to these vulnerabilities. Successfully exploiting these vulnerabilities will lead to data leakage and possible privilege escalation.

The Tridium Niagara AX software platform integrates different systems and devices like HVAC, building automation controls, telecommunications, security automation, machine-to-machine (M2M), lighting control, maintenance repair operations (MRO), service bureaus, and facilities management onto a single platform a user can manage and control over the Internet from a Web browser.

Tridium sells its products and services through multiple distribution channels, which include OEMs/resellers, independent systems integrators, and energy service companies. There are more than 300,000 instances of Niagara AX Framework installed worldwide, Tridium said.

By default, the Tridium Niagara AX software does not deny access to restricted parent directories. This vulnerability allows a successful attacker to access the file that stores all system usernames and passwords. An attacker could exploit this vulnerability by sending a specially crafted request to the Web server running on Port 80/TCP.

CVE-2012-4027 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

The system insecurely stores user authentication credentials, which are susceptible to interception and retrieval. User authentication credentials are stored in the Niagara station configuration file, config.bog, located in the root of the station folder.

CVE-2012-4028 is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.5.

In the default authentication configuration, usernames and passwords are stored in a cookie using Base64 encoding. This significantly lowers the difficulty of exploitation by an attacker. The user must take additional steps to configure stronger authentication.

CVE-2012-3025 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
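Base64 is a reversible encoding with no key, so anyone who obtains such a cookie can read the credentials directly. The following audit check is an added example, not code from ICS-CERT or Tridium: it flags cookies whose values decode to readable text containing an account name. The cookie names, account names and values are constructed, since the report does not give the cookie layout.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())

def decode_if_base64(value):
    """Return the decoded text if value is Base64 of printable ASCII, else None."""
    raw = value.strip().replace("-", "+").replace("_", "/")  # accept URL-safe alphabet
    raw += "=" * (-len(raw) % 4)                              # tolerate stripped padding
    try:
        data = base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None                     # not Base64 at all
    if not data or any(b not in PRINTABLE for b in data):
        return None                     # random tokens decode to binary, not text
    return data.decode("ascii")

def audit_cookies(cookie_header, known_accounts):
    """Return (cookie name, account) pairs where a cookie exposes an account name."""
    findings = []
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep:
            continue                    # attribute without a value
        text = decode_if_base64(value)
        if text is None:
            continue
        for account in known_accounts:
            if account.lower() in text.lower():
                findings.append((name, account))
    return findings

# Constructed sample Cookie header: a preference, an encoded credential pair
# and an opaque token. Names and values are illustrative only.
SAMPLE_HEADER = (
    "theme=dark; auth="
    + base64.b64encode(b"admin:constructed-pw").decode()
    + "; sid=s3ss10n.7fa9c2e1"
)

if __name__ == "__main__":
    for cookie, account in audit_cookies(SAMPLE_HEADER, ["admin", "operator"]):
        print(f"cookie '{cookie}' carries readable data for account '{account}'")
```

Run it against Cookie or Set-Cookie values captured from your own station during a test login, passing the account names you expect to exist.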

The software generates a predictable session ID or key value, allowing an attacker to guess the session ID or key.

CVE-2012-3024 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.

Exploits that target some of these vulnerabilities are publicly available, although not all technical details are available. An attacker with a medium skill level could exploit these vulnerabilities.

To mitigate the decoding of passwords listed in the config.bog file, Tridium recommends limiting the security settings for file access to the administrator level. Instructions for configuring these settings are in the July 13 Security Alert from Tridium. In addition, Tridium issued a patch that prevents access to the config.bog file and backups of the file from network-facing clients.
