ICS Alert

Tridium Niagara Vulnerabilities

Last Revised
Alert Code
ICS-ALERT-12-195-01

Description

This alert describes a directory traversal and weak credential storage vulnerability with proof-of-concept (PoC) exploit code for Tridium Niagara AX Framework software.

Summary

Independent security researchers Billy Rios and Terry McCorkle notified ICS-CERT of a directory traversal and weak credential storage vulnerability with proof-of-concept (PoC) exploit code for Tridium Niagara AX Framework software. According to their research, the vulnerabilities are exploitable by downloading and decrypting the file containing the user credentials from the server.

ICS-CERT has been in coordination with Mr. Rios, Mr. McCorkle and Tridium. Original attempts to coordinate vulnerability information were unsuccessful and ICS-CERT, in coordination with the researchers, was planning a release of the vulnerability information. However, recent communications from Tridium indicated they were working on a solution, resulting in the delayed release of this Alert so that mitigations/patches could be prepared. Yesterday, a public report was published detailing the vulnerabilities and as a result, ICS-CERT has shortened its release schedule and is issuing this Alert to warn the community of the unpatched vulnerabilities.

Tridium has released a security alert with instructions on how to implement interim mitigations. Tridium has stated that they are testing a software update that will resolve these vulnerabilities.

ICS-CERT will issue an Advisory when the software update is available.

Mr. Rios (Billy Rios Blog, http://xs-sniper.com/blog/, Web site last accessed July 13, 2012) and Mr. McCorkle’s research includes vulnerability details for the following vulnerabilities:

Vulnerability Type        Remotely Exploitable   Impact
Directory traversal       Yes                    Data leakage
Weak credential storage   Yes                    Privilege escalation

Background

Tridium Niagara is a software platform that integrates various different systems and devices and allows them to be managed via the Internet.

Tridium sells its products and services through multiple distribution channels, which include OEMs/resellers, independent systems integrators, and energy service companies. According to the Tridium Web site, over 300,000 instances of Niagara AX Framework are installed worldwide in applications that include energy management, building automation, telecommunications, security automation, machine to machine (M2M), lighting control, maintenance repair operations (MRO), service bureaus and total facilities management. (Tridium Niagara, http://www.tridium.com/cs/corporate info/faqs, Web site last accessed June 25, 2012.)

Mitigation

Tridium recommends the following mitigations.

  • Disable the “guest” and “demo” user accounts if enabled.
  • Use the “Lock Out” feature to lock out accounts for excessive invalid login attempts.
  • Use strong passwords.
  • Change default credentials.
  • Limit user access to the file system following the instructions in the Niagara AX Framework Software Security Alert below.
  • Ensure that control systems are not directly Internet facing.

Tridium has released a Niagara AX Framework Software Security Alert.

Because each control system installation is unique, owners and operators may need to contact their system vendor or integrator for assistance. Owners and operators can also perform a comprehensive control system cybersecurity assessment using the DHS Control Systems Security Program (CSSP) Cyber Security Evaluation Tool (CSET). CSET is a free, downloadable, stand-alone software tool that is designed to assist owners and operators to:

  • determine their current security posture,
  • identify where security improvements can/should be made,
  • map out the existing component/network configuration, and
  • output a basic cybersecurity plan.

A CSET fact sheet is available on the CSSP Web page; it explains the self-evaluation process and provides further information and assistance with the tool. The tool can be downloaded online or organizations can contact CSSP to request onsite training and guidance.

In addition, ICS-CERT recommends that control system owners and operators take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

  • Locate control system networks and devices behind firewalls, and isolate them from the business network.
  • If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the US-CERT Web site. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Organizations that observe any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

Follow-Up

ICS-CERT released a follow-up advisory ICSA-12-228-01 Tridium Niagara Vulnerabilities to the ICS-CERT Web page on August 15, 2012.


Vendor

Tridium