On Friday the DHS ICS-CERT team published an alert about vulnerabilities in the Tridium Niagara AX Framework software. This is an unusual alert for a few reasons. First, the vulnerabilities were initially disclosed via coordinated disclosure; second, they were outed by the Washington Post; and third, Niagara isn’t really an ‘industrial’ control system in the way most of us think of a control system.
The Notification
Billy Rios and Terry McCorkle initially reported a directory traversal vulnerability and a weak credential storage vulnerability in the Tridium software to ICS-CERT. At first there wasn’t any action by Tridium, and ICS-CERT considered publishing an alert based upon that lack of action. Then Tridium responded and ICS-CERT withheld the alert. But then the Washington Post published an article about the vulnerabilities (a nice, detailed and well written article, by the way). (Hey, ICS-CERT published a link to that article in a footnote in the Alert; more about that later.) So ICS-CERT was forced to publish this alert.
The Use of Niagara
The Niagara software is used to control a wide variety of devices in applications that include “energy management, building automation, telecommunications, security automation, machine to machine (M2M), lighting control, maintenance repair operations (MRO), service bureaus and total facilities management” (pg 2). Now these are certainly control applications, but not what is usually thought of as ‘industrial control’ (though the only actual ICS attack that ICS-CERT has reported was on a building automation system). On a special note, however, we should probably be really concerned about this vulnerability in ‘security automation’; physical security systems are certainly part of cybersecurity.
Mitigation
Tridium has provided some interesting mitigation measures that can be taken while they are finishing work on a software update that will fix the problem. Those recommendations include:
• Disable the “guest” and “demo” user accounts if enabled.
• Use the “Lock Out” feature to lock out accounts for excessive invalid login attempts.
• Use strong passwords.
• Change default credentials.
• Limit user access to the file system following the instructions in the Niagara AX Framework Software Security Alert below.
• Ensure that control systems are not directly Internet facing.
Since the whole point of Niagara is the remote control of various devices via the internet, the last point is kind of silly. I suppose what Tridium is trying to say is that access to the system should be through a virtual private network (VPN), but that is effectively not much protection when access to VPNs via any number of social networking attacks is so easily available. Hopefully, the patch will provide better security for these systems.
ICS-CERT Acknowledgement
It was very interesting to see ICS-CERT not only acknowledge the identity of the agency that publicly disclosed the vulnerability (an improvement in process that I noted last year) but also provide a link to that disclosure. Back in February Dale Peterson and I discussed this in an exchange of comments here on this blog. We both agreed that it is important for ICS-CERT to provide links to disclosures.
This is the first time that an ICS-CERT publication has included such a link. I would like to think that the comments on this blog helped to influence the provision of that link. Unfortunately, I think that there is a better explanation for this disclosure: compared to the standard security researcher, the Washington Post is the 8,000 lb. gorilla in the room; failure to provide the link might attract the wrath (and perhaps the legal department) of the WP.
To prove that I am wrong, all ICS-CERT has to do is ensure that all future alerts include links to the actual disclosure.