Yesterday the folks at DHS ICS-CERT published an advisory closing out the earlier alert from July about the multiple vulnerabilities reported by Billy Rios and Terry McCorkle in the Tridium Niagara AX Framework software products.
The advisory identifies four separate vulnerabilities (only the first two were identified in the initial alert):
• Directory traversal;
• Weak credential storage;
• Plaintext storage of user names and passwords in a cookie; and
• Predictable session IDs.
A moderately skilled attacker could remotely exploit these vulnerabilities to gain control of the system.
There is a two-phase mitigation available for these vulnerabilities. The system administrator must make some configuration changes to the system setup, and a patch must be applied. According to ICS-CERT, Rios and McCorkle have validated the success of the patch.