Directory traversal and weak credential storage vulnerabilities, with proof-of-concept (PoC) exploit code, have been reported in Tridium Niagara AX Framework software.
The vulnerabilities are exploitable by downloading and decrypting the file containing the user credentials from the server, according to independent security researchers Billy Rios and Terry McCorkle. After a report on the vulnerabilities became public, ICS-CERT issued an alert so that users can prepare for potential attacks.
After repeated attempts by the researchers and ICS-CERT to work with Tridium, the company finally said it was working on a solution. However, it does not have a patch yet.
Tridium did release a security alert with instructions on how to implement interim mitigations, and it says it is testing a software update that will resolve these vulnerabilities.
The remotely exploitable vulnerabilities are a directory traversal, which could lead to data leakage, and weak credential storage, which could lead to privilege escalation.
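To make the two vulnerability classes concrete, the following added example (written for this article, not Tridium's code or anything from the ICS-CERT alert) contrasts the two patterns described above with their hardened forms: a file-serving path check that refuses requests escaping the document root, and credential storage that uses a salted one-way PBKDF2 hash instead of reversible encryption with a key shipped inside the software. The document root, the static key and the passwords are constructed placeholders, and the iteration count is an assumed work factor to be tuned per deployment.

```python
import hashlib
import hmac
import os
from pathlib import Path
from typing import Optional

# Constructed document root for the file-serving example; not a Niagara AX path.
DOC_ROOT = Path("/srv/example-app/files")


def resolve_request_path(root: Path, requested: str) -> Optional[Path]:
    """Map a client-supplied relative path onto the document root.

    Returns the canonical path when it stays inside ``root`` and None when it
    would escape (``..`` segments resolving above the root, embedded NUL bytes).
    Serving files without this check is what lets a directory traversal read
    arbitrary files such as a credential store.
    """
    if not requested or "\x00" in requested:
        return None
    root_resolved = root.resolve(strict=False)
    # Strip leading separators so an absolute request cannot replace the root.
    candidate = (root_resolved / requested.lstrip("/\\")).resolve(strict=False)
    try:
        candidate.relative_to(root_resolved)  # raises ValueError when outside root
    except ValueError:
        return None
    return candidate


# --- Weak storage: reversible transformation with a key embedded in the software ---
# Constructed illustration of the "weak credential storage" pattern: whoever
# obtains the credential file plus the shipped key recovers every password.
EMBEDDED_KEY = b"constructed-static-key"  # constructed value, not a real key


def weak_xor(data: bytes, key: bytes = EMBEDDED_KEY) -> bytes:
    """XOR with a repeating static key. Applying it twice returns the plaintext."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- Hardened storage: salted, iterated one-way hash (nothing to decrypt) ---
PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise it as hardware allows


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations_text, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_text)
    except ValueError:  # malformed record: wrong field count, bad hex or integer
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(resolve_request_path(DOC_ROOT, "reports/daily.csv"))
    print(resolve_request_path(DOC_ROOT, "../../etc/passwd"))
    blob = weak_xor(b"s3cret")
    print(weak_xor(blob))  # plaintext comes straight back
    record = hash_password("correct horse")
    print(verify_password("correct horse", record), verify_password("wrong", record))
```

The point of the contrast is that the hardened record can be verified but not reversed: a leaked file of PBKDF2 records forces an attacker into an expensive per-password guess, whereas a leaked file of statically keyed blobs yields every password at once.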
Tridium Niagara is a software platform that integrates various systems and devices and lets users manage them over the Internet.
Tridium sells its products and services through multiple distribution channels, including OEMs/resellers, independent systems integrators, and energy service companies. Over 300,000 Niagara AX Framework applications are in use worldwide, covering energy management, building automation, telecommunications, security automation, machine-to-machine (M2M), lighting control, maintenance repair operations (MRO), service bureaus and total facilities management, according to the Tridium Web site.
For now, Tridium recommends the following interim mitigations:
• Disable the “guest” and “demo” user accounts if enabled.
• Use the “Lock Out” feature to lock out accounts for excessive invalid login attempts.
• Use strong passwords.
• Change default credentials.
• Limit user access to the file system.
• Ensure that control systems are not directly Internet facing.
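The first two mitigations (disabling the "guest" and "demo" accounts, and locking out accounts after excessive invalid login attempts) are the ones an operator can express in code. The following added example, not Tridium's "Lock Out" feature but a constructed illustration of the same idea, refuses logins for disabled accounts outright and locks any account after too many failures inside a sliding window, refusing attempts before the password is checked so that a locked account gives no feedback on guesses. The account names, thresholds, durations and the login event log are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, FrozenSet, List, Tuple


class LockoutPolicy:
    """Disable named accounts and lock others after repeated failed logins."""

    def __init__(self, max_failures: int = 5,
                 window: timedelta = timedelta(minutes=15),
                 lockout: timedelta = timedelta(minutes=30),
                 disabled: FrozenSet[str] = frozenset({"guest", "demo"})) -> None:
        self.max_failures = max_failures  # assumed threshold
        self.window = window              # assumed sliding window for counting failures
        self.lockout = lockout            # assumed lock duration
        self.disabled = disabled          # accounts that may never log in
        self._failures: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._locked_until: Dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def attempt(self, user: str, now: datetime, verify: Callable[[], bool]) -> str:
        """Gate one login attempt; ``verify`` runs only when the account is eligible.

        Outcomes: 'disabled' (account switched off), 'locked' (refused without
        checking the password), 'ok' (success, history cleared) or 'failed'.
        """
        if user in self.disabled:
            return "disabled"
        if self.is_locked(user, now):
            return "locked"
        if verify():
            self._failures.pop(user, None)
            self._locked_until.pop(user, None)
            return "ok"
        recent = self._failures[user]
        recent.append(now)
        # Forget failures that have fallen out of the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            recent.clear()
            return "locked"
        return "failed"


# Constructed login log: (minutes after start, account, password was correct).
# Times are per account; the policy keeps no global clock.
START = datetime(2012, 7, 1, 9, 0, 0)
EVENTS: List[Tuple[int, str, bool]] = [
    (0, "demo", True),        # disabled account, even with the right password
    (0, "operator", False), (1, "operator", False), (2, "operator", False),
    (3, "operator", False), (4, "operator", False),   # fifth failure locks the account
    (5, "operator", True),    # correct password during lockout is still refused
    (36, "operator", True),   # lockout expired, login succeeds
    (0, "alice", False), (1, "alice", False), (2, "alice", False),
    (3, "alice", False), (20, "alice", False),  # earlier failures aged out of the window
]


def replay_events(events: List[Tuple[int, str, bool]] = EVENTS) -> List[str]:
    """Run the event log through a fresh policy and return one outcome per event."""
    policy = LockoutPolicy()
    outcomes = []
    for minutes, user, password_ok in events:
        now = START + timedelta(minutes=minutes)
        outcomes.append(policy.attempt(user, now, lambda ok=password_ok: ok))
    return outcomes


if __name__ == "__main__":
    for event, outcome in zip(EVENTS, replay_events()):
        print(f"{event[0]:>3} min  {event[1]:<9} -> {outcome}")
```

Because `verify` is a callback that is only invoked for eligible accounts, the expensive password hash check and any timing signal it carries are never reached for disabled or locked accounts, which also keeps the lock-out from becoming an easy way to tell which usernames exist.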