Earlier today the DHS ICS-CERT published an advisory
for a directory traversal vulnerability in the Tridium NiagaraAX software. Billy
Rios and Terry McCorkle reported the vulnerability in a coordinated disclosure.
This Advisory
ICS-CERT reports that a moderately skilled attacker could
remotely exploit this vulnerability and execute arbitrary code on the system.
Tridium has produced version-specific
patches to mitigate the vulnerability, but there is nothing in the
advisory to indicate that anyone has independently verified the efficacy of the
patch.
The Earlier Advisory
Experiencing a sense of déjà vu, I went back and did a search
of my blog. Sure enough there was an earlier
advisory for the Tridium NiagaraAX software based upon an earlier
disclosure by Rios and McCorkle that included (among other vulnerabilities) a
directory traversal vulnerability. Alert readers might recall that the
coordinated disclosure in that case was
outed by the Washington Post, resulting in ICS-CERT issuing an alert for a
coordinated disclosure.
Now there is not a great deal of detail in these ICS-CERT
advisories or alerts about the reported vulnerabilities. In the case of these
two directory traversal vulnerabilities, both involve access to the system via
the Web server running on Port 80/TCP. Rios and McCorkle did verify that the earlier
patch and recommended changes to the configuration setting corrected the
vulnerability.
This means that either Rios and McCorkle found a completely
separate vulnerability or they made a mistake in validating the earlier patch.
I think I’ll vote with the former. It’s a shame that the Tridium engineers didn’t
discover this second vulnerability when they were checking out the earlier directory
traversal vulnerability. They could have corrected both at the same time and
won kudos for catching the unreported vulnerability.