Yesterday afternoon DHS ICS-CERT published a single update for two of their previously issued advisories for the Tridium Niagara Framework system (ICSA-12-228-01 and ICSA-13-045-01). The update was issued because:
“Tridium has now issued a product update that further enhances the security of the Niagara AX Framework as part of the company’s normal product release process.”
Actually, according to the Tridium June announcement, they have updated the builds of the three latest versions of the NiagaraAX Framework to include “significant changes to the way passwords are stored”. This potentially affects two of the vulnerabilities identified in the 2012 advisory, but it does not seem to have any effect on the directory traversal vulnerability reported in February.
It does seem odd that ICS-CERT has taken two months to mention these security updates from Tridium, but fails to mention two Webinars and two Tech Guides dealing with Niagara security measures that are also listed on the same web page referenced in this advisory update.