The DHS and ICS-CERT are warning users of some popular Tridium Niagara AX industrial control system software about a series of major vulnerabilities in the applications that are remotely exploitable and could be used to take over vulnerable systems. The bugs, discovered by researchers Billy Rios and Terry McCorkle, are just the latest in a series of vulnerabilities found in the esoteric ICS software packages that control utilities and other critical systems.
The string of bugs reported by Rios and McCorkle includes a directory traversal issue that gives an attacker the ability to access files that should be restricted. The researchers also discovered that the Niagara software stores user credentials in an insecure manner. There are publicly available exploits for some of the vulnerabilities.
“By default, the Tridium Niagara AX software is not configured to deny access to restricted parent directories. This vulnerability allows a successful attacker to access the file that stores all system usernames and passwords. An attacker could exploit this vulnerability by sending a specially crafted request to the Web server running on Port 80/TCP,” ICS-CERT said in its advisory.
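The advisory's point is that the web server's default configuration did not reject parent-directory references, so a request path could climb out of the served directory to the station folder. The check below is an added defensive illustration, not code from the advisory or from Tridium; the web root path, the file-handler layout and the access-log lines are all constructed for the example.

```python
"""Hardened path resolution for an HTTP file handler, plus a log scan for
requests that would have escaped the served directory."""
import os
import urllib.parse

# Hypothetical web root for the file handler (assumed path, not Tridium's).
# The station folder holding config.bog lies outside it, which is exactly
# what the check below must enforce.
WEB_ROOT = "/srv/niagara/webroot"


def decode_request_path(raw):
    """Percent-decode repeatedly (defeats double encoding) and unify slashes."""
    path = raw
    for _ in range(3):
        decoded = urllib.parse.unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def resolve_under_root(raw_path, root=WEB_ROOT):
    """Map a request path to a file under root, or None if it escapes root."""
    rel = decode_request_path(raw_path).lstrip("/")
    candidate = os.path.normpath(os.path.join(root, rel))
    root_norm = os.path.normpath(root)
    # Compare on the normalised form so '..' segments have already been folded.
    if candidate == root_norm or candidate.startswith(root_norm + os.sep):
        return candidate
    return None


def flag_traversal_requests(log_lines):
    """Return request paths from combined-format access-log lines that would
    have escaped the web root under the hardened resolver."""
    flagged = []
    for line in log_lines:
        parts = line.split('"')          # request line sits between quotes
        if len(parts) < 2:
            continue
        request = parts[1].split()       # e.g. ['GET', '/index.html', 'HTTP/1.1']
        if len(request) >= 2 and resolve_under_root(request[1]) is None:
            flagged.append(request[1])
    return flagged


# Constructed access-log lines: one normal request, two that reach for config.bog.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Aug/2012:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Aug/2012:10:01:07 +0000] "GET /../../config.bog HTTP/1.1" 200 4096',
    '10.0.0.9 - - [01/Aug/2012:10:01:09 +0000] "GET /%2e%2e/%2e%2e/config.bog HTTP/1.1" 200 4096',
]
```

Running `flag_traversal_requests(SAMPLE_LOG)` over real logs from before the patch is a cheap way to find out whether the traversal was ever tried against a station, since a 200 response to such a path means the file was served.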
The weak password storage vulnerability is also a major concern, because it could allow an attacker to recover the credentials easily.
“The system insecurely stores user authentication credentials, which are susceptible to interception and retrieval. User authentication credentials are stored in the Niagara station configuration file, config.bog, which is located in the root of the station folder,” the advisory said.
Rios and McCorkle found the vulnerabilities several months ago and reported them to ICS-CERT, which worked with Tridium to address the problems. However, the researchers said that Tridium was unresponsive. Some of the bugs became known more than a year ago, when a user of the Niagara software found them during an audit.
“We are disappointed that even after discovering critical, remotely exploitable vulnerabilities in Tridium software… our government chose to purchase and implement the software anyway. We are disappointed that our taxpayer money paid for the ignored security audit, paid for the acquisition, and paid for the implementation/deployment of known vulnerable software. We’d like to challenge our nation’s leadership to evaluate the failures in our current processes surrounding the acquisition of software that supports Critical Infrastructure and Industrial Control Systems,” Rios wrote in a blog post last month.
“At times, we felt like ICS-CERT had their hands tied. We realize when you are working with vulnerabilities that could affect critical infrastructure, a delicate balance between disclosure and timely notification of affected organizations must be maintained. However, when a vendor is unresponsive or refuses to accept responsibility for an issue, ICS-CERT should have the authority to inform those customers who are vulnerable in a timely manner.”
Tridium has issued an alert about the problems and also published a patch to address them.
“The patch addresses the directory traversal and weak credential storage vulnerabilities disclosed in Tridium’s July 13 Security Alert. In addition, the patch addresses two other vulnerabilities Tridium has been made aware of regarding the predictability of web session IDs and the default encoding of credentials in authentication cookies. Both issues are corrected in this patch,” the company said in its patch announcement for Niagara 3.5 and 3.6.
In February, McCorkle, speaking about ICS vulnerabilities in general at the Kaspersky Lab-Threatpost Security Analyst Summit, said that the security environment in SCADA systems is decades behind the times.
“It turns out they’re stuck in the Nineties. The SDL doesn’t exist in ICS,” McCorkle said. “There are a lot of ActiveX and file format bugs and we didn’t even bother looking at problems with services. Ultimately what we found is the state of ICS security is kind of laughable.”