ICS-CERT: Tridium Niagara Vulnerabilities

Monday, July 16, 2012

Infosec Island Admin


Independent security researchers Billy Rios and Terry McCorkle notified ICS-CERT of a directory traversal vulnerability and a weak credential storage vulnerability, with proof-of-concept (PoC) exploit code, in Tridium's Niagara AX Framework software.

According to their research, the two vulnerabilities chain: the directory traversal lets an attacker download the file containing the user credentials from the server, and the weak credential storage lets the attacker decrypt it.
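Path traversal in a file-serving handler is a vulnerability class rather than anything specific to Tridium, so the following Python is an added illustration of that class; it is not code from the alert, from the researchers' PoC or from Tridium, and it makes no claim about how Niagara AX lays out or serves its files. It shows a naive path join beside a hardened resolver that decodes, normalises and then proves the result still lies under the web root, and it reuses that check as a detection over constructed web-server log lines. The web root, file names and log entries are assumptions for the demonstration.

```python
"""Added illustration of the directory-traversal class described in the alert.
Not Tridium's code and not the researchers' PoC; web root, file names and
log lines below are constructed assumptions for the demonstration."""
import posixpath
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

WEB_ROOT = "/srv/app/public"  # assumed layout; nothing on the page names the real one


def vulnerable_resolve(web_root: str, requested: str) -> str:
    """The bug: the request path is glued onto the web root with no containment
    check. The kernel resolves '..' at open() time, so '../../../etc/passwd'
    walks straight out of the root; normpath() here only shows where the
    open() would really land."""
    return posixpath.normpath(web_root + "/" + unquote(requested))


def hardened_resolve(web_root: str, requested: str) -> Optional[str]:
    """Decode, normalise, then prove the result still lies under web_root.
    Returns the absolute path to open, or None when the request must be refused."""
    decoded = unquote(unquote(requested))      # also catches double-encoded %252e%252e
    if "\x00" in decoded:                       # NUL-byte truncation of the extension
        return None
    decoded = decoded.replace("\\", "/")        # backslash separators on Windows hosts
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(root + "/" + decoded.lstrip("/"))
    # Compare against root plus a separator so that "/srv/app/public2" does not
    # pass a plain startswith("/srv/app/public") check.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


# Constructed Apache-style access log lines (not from any real Niagara host).
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jul/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/Jul/2012:10:00:02 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [16/Jul/2012:10:00:03 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 404 0',
    '10.0.0.7 - - [16/Jul/2012:10:00:04 +0000] "GET /img/../index.html HTTP/1.1" 200 512',
]

_REQ = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal(log_lines: List[str], web_root: str = WEB_ROOT) -> List[Tuple[str, str]]:
    """Detection: return (client_ip, raw_request_path) for every request whose
    path would escape web_root under the hardened rules. A '..' that stays
    inside the root (img/../index.html) is legitimate and is not flagged."""
    hits = []
    for line in log_lines:
        m = _REQ.match(line)
        if not m:
            continue
        ip, raw = m.group(1), m.group(2)
        path = raw.split("?", 1)[0]              # ignore the query string
        if hardened_resolve(web_root, path) is None:
            hits.append((ip, raw))
    return hits


if __name__ == "__main__":
    for req in ["index.html", "../../../etc/passwd", "%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{req:35} naive    -> {vulnerable_resolve(WEB_ROOT, req)}")
        print(f"{'':35} hardened -> {hardened_resolve(WEB_ROOT, req)}")
    for ip, raw in flag_traversal(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {raw}")
```

The detection deliberately reuses the same containment test as the server-side fix: a request is an attempt only if its decoded, normalised path would leave the root, which keeps harmless relative paths inside the root out of the alert stream and catches single- and double-URL-encoded dot segments that a plain `..` string match misses.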

ICS-CERT has been coordinating with Mr. Rios, Mr. McCorkle and Tridium. Initial attempts to coordinate the vulnerability information with the vendor were unsuccessful, and ICS-CERT, together with the researchers, was planning to release it.

However, recent communications from Tridium indicated they were working on a solution, resulting in the delayed release of this Alert so that mitigations/patches could be prepared.

A public report was published detailing the vulnerabilities and as a result, ICS-CERT has shortened its release schedule and is issuing this Alert to warn the community of the unpatched vulnerabilities.

Tridium has released a security alert with instructions on how to implement interim mitigations. Tridium has stated that they are testing a software update that will resolve these vulnerabilities. ICS-CERT will issue an Advisory when the software update is available.

Vulnerability Type:  Directory traversal
Remotely Exploitable:  Yes
Impact:  Data leakage

Vulnerability Type:  Weak credential storage
Remotely Exploitable:  Yes
Impact:  Privilege escalation

BACKGROUND

Tridium Niagara is a software platform that integrates a wide range of systems and devices and allows them to be managed over the Internet.

Tridium sells its products and services through multiple distribution channels, which include OEMs/resellers, independent systems integrators, and energy service companies.

According to the Tridium Web site, over 300,000 instances of Niagara AX Framework are installed worldwide in applications that include energy management, building automation, telecommunications, security automation, machine to machine (M2M), lighting control, maintenance repair operations (MRO), service bureaus and total facilities management.

MITIGATION

Tridium recommends the following mitigations:

• Disable the “guest” and “demo” user accounts if enabled.
• Use the “Lock Out” feature to lock out accounts after excessive invalid login attempts.
• Use strong passwords.
• Change default credentials.
• Limit user access to the file system following the instructions in the Niagara AX Framework Software Security Alert referenced below.
• Ensure that control systems are not directly Internet facing.

Tridium has released a Niagara AX Framework Software Security Alert available here:

Because each control system installation is unique, owners and operators may need to contact their system vendor or integrator for assistance.

Owners and operators can also perform a comprehensive control system cybersecurity assessment using the DHS Control Systems Security Program (CSSP) Cyber Security Evaluation Tool (CSET).

CSET is a free, downloadable, stand-alone software tool designed to assist owners and operators to:

• determine their current security posture,
• identify where security improvements can/should be made,
• map out the existing component/network configuration, and
• output a basic cybersecurity plan.

A CSET fact sheet is available on the CSSP Web page; it explains the self-evaluation process and provides further information and assistance with the tool. The tool can be downloaded online or organizations can contact CSSP to request onsite training and guidance.

The full ICS-CERT alert can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-195-01.pdf

Fred Gordy: I have been working with the Tridium product for over a decade and have seen it evolve and grow to become a very substantial and robust platform. Just like with any product, we have to accept part of the responsibility for how the product is implemented and how we secure it. There are built-in features that allow you to secure the platform. The Tridium document entitled NetworkingITGuide.pdf is fairly comprehensive and outlines best practices that, if followed, can secure the system. Also, some of the responsibility falls on the IT staff whose network the system is to be installed on. Because they are network devices (like any other device on a network), the IT staff needs to make sure the network is secure physically and firewalled correctly.

Tridium has not done a good job of promoting what is already built in, but they have listened over the years and put in things such as LDAP integration, SSL, the ability to change ports, and the ability to create security groups. The company that I work for makes it a priority to spend time with the IT staff prior to a job installation to make sure security requirements are met. We are able to use the documents supplied by Tridium to meet and exceed the security needs for any given job. My job specifically puts me in the position of working with IT managers, government agencies, etc., and this gives me insight into what is expected and needed in order to secure an installation.

I believe what is lacking is education on what is built into the Tridium/Niagara platform and how to implement the best security strategy.

McKENNEY’S, INC.
Building A Higher Standard
Fred Gordy
Technology Evangelist