Earlier today the DHS ICS-CERT published an advisory for a directory traversal vulnerability in the Tridium NiagaraAX software. Billy Rios and Terry McCorkle reported the vulnerability in a coordinated disclosure.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability and execute arbitrary code on the system. Tridium has produced version-specific patches to mitigate the vulnerability, but there is nothing in the advisory to indicate that anyone has independently verified the efficacy of the patch.
The Earlier Advisory
Experiencing a sense of déjà vu, I went back and did a search of my blog. Sure enough, there was an earlier advisory for the Tridium NiagaraAX software based upon an earlier disclosure by Rios and McCorkle that included (among other vulnerabilities) a directory traversal vulnerability. Alert readers might recall that the coordinated disclosure in that case was outed by the Washington Post, resulting in ICS-CERT issuing an alert for a coordinated disclosure.
Now there is not a great deal of detail in these ICS-CERT advisories or alerts about the reported vulnerabilities. Both of these directory traversal vulnerabilities involve access to the system via the Web server running on Port 80/TCP. Rios and McCorkle did verify that the earlier patch and recommended changes to the configuration setting corrected the vulnerability.
This means that either Rios and McCorkle found a completely separate vulnerability or they made a mistake in validating the earlier patch. I think I’ll vote with the former. It’s a shame that the Tridium engineers didn’t discover this second vulnerability when they were checking out the earlier directory traversal vulnerability. They could have corrected both at the same time and won kudos for catching the unreported vulnerability.