18 Jul 2012

Vulnerability in Industrial Control Systems Software Discovered by DHS


Industrial control systems that can be managed via Internet through a technology called Niagara AX Framework were deemed vulnerable to attack by two security researchers working for the U.S. Department of Homeland Security (DHS).

Niagara’s developer, Tridium, issued a press release notifying all companies that currently rely on the software to disable “guest” and “demo” accounts and use the “lock out” feature whenever multiple failed login attempts are reported. Companies such as Boeing, ABB, Callaway and Whirlpool use the framework and over 300,000 copies of the software are installed around the world.

The DHS report contains proof-of-concept code that illustrates how user credentials can be downloaded and decrypted by accessing the server. The Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued an alert with the vulnerability and notified Tridium of the problem.

“Independent security researchers Billy Rios and Terry McCorkle notified ICS-CERT of a directory traversal and weak credential storage vulnerability with proof-of-concept (PoC) exploit code for Tridium Niagara AX Frameworka software,” said the ICS-CERT report. “According to their research, the vulnerabilities are exploitable by downloading and decrypting the file containing the user credentials from the server.”

Tridium released its own alert, notifying users of the vulnerability, and detailed a couple of best practices that companies should set in place to avoid risks. The company also said it is testing a security update to fix the vulnerability.