U.S. Industrial Control Systems Computer Emergency Response Team – (International) ICS-Alert-12-195-01—Tridium Niagara directory traversal and weak credential storage vulnerability. Two independent security researchers notified the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) of a directory traversal and weak credential storage vulnerability with proof-of-concept exploit code for Tridium Niagara AX Framework software. According to their research, the vulnerabilities are exploitable by downloading and decrypting the file containing the user credentials from the server. ICS-CERT is coordinating with the researchers and Tridium. Original attempts to coordinate vulnerability information were unsuccessful and ICS-CERT, in coordination with the researchers, was planning a release of the vulnerability data. However, recent communications from Tridium indicated they were working on a solution, resulting in the delayed release of this Alert so mitigations/patches could be prepared. July 12, a public report came out detailing the vulnerabilities and as a result, ICS-CERT shortened its release schedule and issued this Alert to warn of the unpatched vulnerabilities. Tridium released a security alert with instructions on how to implement interim mitigations. Tridium stated they are testing a software update that will resolve the vulnerabilities. ICS-CERT will issue an Advisory when the software update is available. According to the Tridium Web site, more than 300,000 instances of Niagara AX Framework are installed worldwide in applications that include energy management, building automation, telecommunications, security automation, machine to machine, lighting control, maintenance repair operations, service bureaus, and total facilities management.
Ali Loney, on July 13, 2012