Independent security researchers Billy Rios and Terry McCorkle notified ICS-CERT of a directory traversal and weak credential storage vulnerability with proof-of-concept (PoC) exploit code for Tridium Niagara AX Framework software.
According to their research, the vulnerabilities are exploitable by downloading and decrypting the file containing the user credentials from the server.
ICS-CERT has been in coordination with Mr. Rios, Mr. McCorkle and Tridium. Original attempts to coordinate vulnerability information were unsuccessful and ICS-CERT, in coordination with the researchers, was planning a release of the vulnerability information.
However, recent communications from Tridium indicated they were working on a solution, resulting in the delayed release of this Alert so that mitigations/patches could be prepared.
A public report was published detailing the vulnerabilities and as a result, ICS-CERT has shortened its release schedule and is issuing this Alert to warn the community of the unpatched vulnerabilities.
Tridium has released a security alert with instructions on how to implement interim mitigations. Tridium has stated that they are testing a software update that will resolve these vulnerabilities. ICS-CERT will issue an Advisory when the software update is available.
Vulnerability Type: Directory traversal
Remotely Exploitable: Yes
Impact: Data leakage
Remotely Exploitable: Yes
Impact: Privilege escalation
Tridium Niagara is a software platform that integrates various different systems and devices and allows them to be managed via the Internet.
Tridium sells its products and services through multiple distribution channels, which include OEMs/resellers, independent systems integrators, and energy service companies.
According to the Tridium Web site, over 300,000 instances of Niagara AX Framework are installed worldwide in applications that include energy management, building automation, telecommunications, security automation, machine to machine (M2M), lighting control, maintenance repair operations (MRO), service bureaus and total facilities management.
Tridium recommends the following mitigations:
• Disable the “guest” and “demo” user accounts if enabled.
• Use the “Lock Out” feature to lock out accounts for excessive invalid login attempts.
• Use strong passwords.
• Change default credentials
• Limit user access to the file system following the instructions in the Niagara AX Framework Software Security Alert below
• Ensure that control systems are not directly Internet facing.
Tridium has released a Niagara AX Framework Software Security Alert available here:
Because each control system installation is unique, owners and operators may need to contact their system vendor or integrator for assistance.
Owners and operators can also perform a comprehensive control system cybersecurity assessment using the DHS Control Systems Security Program (CSSP) Cyber Security Evaluation Tool (CSET).
CSET is a free, downloadable, stand alone software tool that is designed to assist owners and operators to:
• determine their current security posture,
• identify where security improvements can/should be made,
• map out the existing component/network configuration, and
• output a basic cybersecurity plan.
A CSET fact sheet is available on the CSSP Web page; it explains the self-evaluation process and provides further information and assistance with the tool. The tool can be downloaded online or organizations can contact CSSP to request onsite training and guidance.
The full ICS-CERT advisory can be found here: