Tridium has released security patches to address a number of vulnerabilities that affect the Niagara AX control system framework. While such fixes are a good thing, it seems that it took the company almost one year to address them.
The Niagara Framework software is designed to enable the organizations to control and monitor various systems, even if they’re provided by different vendors, from a central point via web browser.
Billy Rios – the security researcher who back in December had a conflict
with Siemens regarding a vulnerability in SIMATIC
– and Terry McCorkle have identified the vulnerabilities that include weak credential storage, predictable session IDs, session cookie flaws, and a directory traversal, all of which can be exploited remotely.
The experts, along with the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), have done their best to work with the company on addressing the vulnerabilities, but they claim
that they’ve been dealing with an “unresponsive vendor.”
On August 15, ICS-CERT released an advisory
, advising all Niagara customers not only to apply the patches, but also to follow best security practices to ensure that their infrastructures were secured.