Slashdot Mirror


ICS-CERT Warns of Serious Flaws In Tridium SCADA Software

Trailrunner7 writes "The DHS and ICS-CERT are warning users of some popular Tridium Niagara AX industrial control system software about a series of major vulnerabilities in the applications that are remotely exploitable and could be used to take over vulnerable systems. The bugs, discovered by researchers Billy Rios and Terry McCorkle, are just the latest in a series of vulnerabilities found in the esoteric ICS software packages that control utilities and other critical systems. The string of bugs reported by Rios and McCorkle includes a directory traversal issue that gives an attacker the ability to access files that should be restricted. The researchers also discovered that the Niagara software stores user credentials in an insecure manner. There are publicly available exploits for some of the vulnerabilities."

3 of 34 comments

  1. Big Surprise by Infin1niteX · · Score: 4, Insightful

    All of these SCADA systems were using security by obscurity or just no security at all for years. So we're going to keep seeing these alerts and warnings for a while. Shoot, we still see them with major desktop and server operating systems. If there is a reason to exploit a system, someone will figure out how to.

  2. Re:Of course, since it's SCADA... by _0xd0ad · · Score: 4, Informative

    Actually, it's designed to be web-facing.

    Niagara^AX is a software framework and development environment that solves the challenges associated with building Internet-enabled products, device-to-enterprise applications and distributed Internet-enabled automation systems.

    Worse, this is a laughably simple exploit of the web-facing interface:

    By default, the Tridium Niagara AX software is not configured to deny access to restricted parent directories... An attacker could exploit this vulnerability by sending a specially crafted request to the Web server running on Port 80/TCP

    "The system insecurely stores user authentication credentials, which are susceptible to interception and retrieval. User authentication credentials are stored in the Niagara station configuration file, config.bog, which is located in the root of the station folder"

    In other words, it's about as simple as GET /../config.bog HTTP/1.1
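
Added example, not part of the thread or of Tridium's code: a web file handler that resolves the request path without a containment check, next to one that refuses anything outside the web root, plus the same check run over request lines for log review. The directory layout, function names and sample request lines are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical layout: web root is a subfolder, config.bog sits one level up.
ROOT = "/opt/station/web"

def naive_resolve(target, root=ROOT):
    """'Before': appends the decoded path to the root with no containment check."""
    path = unquote(urlsplit(target).path)
    return posixpath.normpath(root + "/" + path)

def safe_resolve(target, root=ROOT):
    """'After': return the resolved path, or None if it leaves the root."""
    # Decode first so the check sees the same path the filesystem would.
    path = unquote(urlsplit(target).path).replace("\\", "/")
    if "\x00" in path:
        return None
    candidate = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    # Compare whole components; a startswith() test would accept /opt/station/web2.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate

# Constructed request lines for illustration, not taken from the advisory.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /../config.bog HTTP/1.1",
    "GET /%2e%2e/config.bog HTTP/1.1",
    "GET /graphics/../index.html HTTP/1.1",
]

def flag_escapes(request_lines, root=ROOT):
    """Return the request lines whose target resolves outside the root."""
    flagged = []
    for line in request_lines:
        parts = line.split(" ")
        if len(parts) == 3 and safe_resolve(parts[1], root) is None:
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    print("naive handler would serve:", naive_resolve("/../config.bog"))
    for line in flag_escapes(SAMPLE_REQUESTS):
        print("outside web root:", line)
```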

  3. Re:Of course, since it's SCADA... by superflex · · Score: 5, Informative

    Sorry, what? It's not really SCADA? No, actually it's exactly SCADA.

    SCADA is a general-use acronym, Supervisory Control And Data Acquisition. It has been in common use in the industrial control system world for at least 20 years. It is not a term specific to Siemens or any other control systems vendor. And it is not incorrect to apply the acronym to application areas like building automation; there can be a fair amount of overlap in system architecture, devices, & communication protocols between building automation and industrial manufacturing automation.

    Source: 10 years' experience as an industrial control systems engineer.

    --
    sigs are for suckers