OTPulse
FeedAboutContact

Tridium Niagara Vulnerabilities

Low RiskICS-CERT ICSA-12-228-01AMay 19, 2012
Summary

Tridium Niagara AX Framework contains a path traversal vulnerability (CWE-22) that allows an attacker to read or write arbitrary files on affected systems. All versions of Niagara AX Framework are vulnerable. The vendor has not released a patch and no fix is currently available.

What this means
What could happen
An attacker with network access could read or write arbitrary files on the Niagara AX Framework system through path traversal, potentially compromising building automation controls or data integrity.
Who's at risk
Building automation operators and facility managers using Tridium Niagara AX Framework for HVAC, lighting, or other building control systems should be aware that all versions are affected and no patch is available from the vendor. This affects any facility relying on Niagara AX for supervisory control.
How it could be exploited
An attacker sends a specially crafted request containing path traversal sequences (e.g., "../../../") to the Niagara AX web interface or API endpoints. The vulnerable software fails to properly validate and sanitize the file path, allowing the attacker to access files outside the intended directory structure on the host system.
Prerequisites
  • Network access to Niagara AX Framework web interface or API ports
  • No authentication required to trigger the vulnerability
remotely exploitableno authentication requiredno patch availablepath traversal vulnerability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
Niagara AX Framework software products: vers:all/*All versionsNo fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDDeploy a web application firewall (WAF) or intrusion prevention system (IPS) configured to block path traversal patterns (../../../, etc.) targeting Niagara AX endpoints
Mitigations - no patch available
0/3
Niagara AX Framework software products: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGImplement network segmentation to restrict access to Niagara AX Framework systems; limit inbound connections to only authorized engineering workstations and authorized users
HARDENINGMonitor Niagara AX Framework system logs and web server logs for suspicious file access patterns or path traversal attempts
HARDENINGContact Tridium for guidance on extended support or alternative mitigation strategies; evaluate migration to newer Niagara versions if available
View full CISA ICS-CERT advisory
โ†‘โ†“ Navigate ยท Esc Close
API: /api/v1/advisories/ee9518b0-c115-42cc-8fe8-e6286580fde1
Tridium Niagara Vulnerabilities - OTPulse