Yesterday the folks at DHS ICS-CERT published an advisory closing out the earlier alert from July about the multiple vulnerabilities reported by Billy Rios and Terry McCorkle in the Tridium Niagara AX Framework software products.
Vulnerabilities
The advisory identifies four separate vulnerabilities (only the first two were identified in the initial alert):
• Directory traversal;
• Weak credential storage;
• Plaintext storage of user names and passwords in a cookie; and
• Predictable session IDs.
A moderately skilled attacker could remotely exploit these vulnerabilities to gain control of the system.
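The four vulnerability classes above are generic web-application weaknesses, so they can be illustrated without any knowledge of the Niagara AX internals. The following is an added illustration written for this post; it is not code from the advisory, from Tridium, or from the researchers, and the web root path, user names, passwords and session store in it are hypothetical and bear no relation to the actual product. Each class is shown as the weak pattern next to a hardened form, plus the simple predictability check a tester would run over a batch of captured session IDs.

```python
import base64
import hashlib
import hmac
import posixpath
import secrets

# Hypothetical web root for the illustration; not Tridium's directory layout.
WEB_ROOT = "/var/www/demo"


# 1. Directory traversal: naive join versus a normalised containment check.
def unsafe_file_path(root, requested):
    # Vulnerable pattern: "../" in the request walks out of the web root.
    return root + "/" + requested


def safe_file_path(root, requested):
    # Normalise the joined path (collapses ".." and "."), then require it to
    # remain under root. Callers must URL-decode `requested` first, so that
    # "..%2f" is seen as "../" here rather than later by the file system.
    candidate = posixpath.normpath(posixpath.join(root, requested.lstrip("/")))
    if candidate == root or candidate.startswith(root.rstrip("/") + "/"):
        return candidate
    return None  # reject instead of serving a file outside root


# 2. Weak credential storage: unsalted fast hash versus salted, iterated PBKDF2.
def weak_password_record(password):
    # Vulnerable pattern: one unsalted MD5 per password, cheap to crack offline
    # and identical for every user who picked the same password.
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password, salt=None, iterations=200_000):
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password, record):
    _algo, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


# 3. Credentials in a cookie: base64 is encoding, not protection.
def weak_login_cookie(user, password):
    # Vulnerable pattern: anyone who reads the cookie (browser, proxy, log)
    # recovers the user name and password directly.
    return base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def credentials_from_weak_cookie(cookie):
    # What an attacker does with the weak cookie: one decode, no secret needed.
    return tuple(base64.b64decode(cookie).decode().split(":", 1))


# 4. Session IDs: a counter versus a random token backed by a server-side map.
_next_id = 1000
SESSIONS = {}  # hypothetical in-memory session store: token -> user name


def predictable_session_id():
    # Vulnerable pattern: an attacker who sees one ID can guess its neighbours.
    global _next_id
    _next_id += 1
    return str(_next_id)


def issue_session(user):
    # 32 random bytes from the OS CSPRNG; the cookie carries only this opaque
    # token and the identity lives server-side, so nothing in it is guessable
    # or decodable.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = user
    return sid


def session_user(sid):
    return SESSIONS.get(sid)


def ids_are_sequential(ids):
    # Check a tester can run on a batch of captured IDs: all numeric and each
    # one exactly one more than the previous. Random tokens never pass this.
    try:
        nums = [int(i) for i in ids]
    except ValueError:
        return False
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))
```

The traversal check normalises the path before comparing it against the root rather than blacklisting "../", because a blacklist misses encoded and mixed forms; the credential and session fixes both follow the same rule of keeping the secret on the server and handing the client only an opaque, randomly generated token.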
Mitigation
There is a two-phase mitigation available for these vulnerabilities: the system administrator must make configuration changes to the system setup, and a patch must be applied. According to ICS-CERT, Rios and McCorkle have validated that the patch addresses the vulnerabilities.