OTPulse

ICSA-18-333-02_Tridium Niagara Enterprise Security, Niagara AX, and Niagara 4

Monitor · CVSS 5.7 · ICS-CERT ICSA-18-333-02 · Nov 29, 2018
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

Tridium Niagara versions 4.4u2, 4.6, AX 3.8u4, and Enterprise Security 2.3u1 contain a reflected cross-site scripting (XSS) vulnerability (CWE-79) in the web interface. An authenticated attacker, or a crafted link opened by a user, could inject JavaScript that executes in the user's browser session, potentially allowing unauthorized access to sensitive system data or execution of unauthorized commands within Niagara. Exploitation requires valid credentials or user interaction (clicking a crafted link).

What this means
What could happen
An authenticated user with login access could inject malicious JavaScript code into the Niagara web interface, potentially viewing sensitive information or performing unauthorized actions within the system if another user opens a crafted link. This is a reflected cross-site scripting (XSS) vulnerability that requires user interaction.
Who's at risk
Organizations running Tridium Niagara building automation systems (versions 4.4u2, 4.6, AX 3.8u4, or Enterprise Security 2.3u1) should be concerned. This affects water treatment facilities, municipal electric utilities, HVAC systems, and other building automation platforms that rely on Niagara for control and monitoring of critical infrastructure processes.
How it could be exploited
An attacker with valid Niagara login credentials, or who can trick an authenticated user via a crafted link, injects JavaScript into the web interface. The malicious script executes in the victim's browser within the Niagara session context, allowing the attacker to steal session tokens, view sensitive configuration data, or perform unauthorized changes to building automation settings (HVAC, lighting, access control setpoints).
Prerequisites
  • Valid Niagara user credentials (or ability to socially engineer an authenticated user to click a crafted link)
  • Network access to the Niagara web interface (typically port 80 or 443)
  • The victim must be logged into Niagara and click the malicious link while authenticated
  • Low authentication barrier (requires valid user login or social engineering)
  • Remotely exploitable if web interface is accessible from the network
  • Low complexity attack (standard XSS injection)
  • Affects building automation systems that manage critical operational processes
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
Product                                  Affected Versions   Fix Status
Niagara 4.4u2: all                       < 4.4.93.40.2       4.4.93.40.2
Niagara Enterprise Security 2.3u1: all   < 2.3.118.6         2.3.118.6
Niagara AX 3.8u4: all                    < 3.8.401.1         3.8.401.1
Niagara 4.6: all                         < 4.6.96.28.4       4.6.96.28.4
Remediation & Mitigation
Do now
  • HARDENING: Audit and restrict the list of user accounts with Niagara authentication access; remove or disable unnecessary accounts
  • HARDENING: Restrict physical access to the system and network ports (Ethernet) to only trained and authorized personnel
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade Niagara 4.4u2 to version 4.4.93.40.2 or later
  • HOTFIX: Upgrade Niagara Enterprise Security 2.3u1 to version 2.3.118.6 or later
  • HOTFIX: Upgrade Niagara AX 3.8u4 to version 3.8.401.1 or later
  • HOTFIX: Upgrade Niagara 4.6 to version 4.6.96.28.4 or later
Long-term hardening
  • HARDENING: Require VPN or other secure remote access controls for any off-site connections to the Niagara system
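
To plan the maintenance window, installed builds can be compared against the fixed versions this advisory lists. The following is an added example, not part of the advisory or any Tridium tooling: the family labels, host names and sample build strings are constructed, and it assumes a build belongs to a release line by its first two version components.

```python
import re

# Fixed builds copied from this advisory, keyed by (family, major, minor).
# The family labels are this example's own naming, not vendor identifiers.
FIXED = {
    ("niagara4", 4, 4): (4, 4, 93, 40, 2),
    ("niagara4", 4, 6): (4, 6, 96, 28, 4),
    ("niagara_ax", 3, 8): (3, 8, 401, 1),
    ("enterprise_security", 2, 3): (2, 3, 118, 6),
}

def parse_build(text):
    """Turn '4.6.96.28' into (4, 6, 96, 28); None if not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)+", text):
        return None
    return tuple(int(part) for part in text.split("."))

def triage(family, build_text):
    """Classify one installed build against the advisory's fixed builds."""
    build = parse_build(build_text)
    if build is None:
        return "unparseable"          # needs a manual look at the station
    fixed = FIXED.get((family, build[0], build[1]))
    if fixed is None:
        return "not_listed"           # release line not named in this advisory
    width = max(len(build), len(fixed))
    # Pad with zeros so a short string such as 4.6.96.28 compares as 4.6.96.28.0
    padded_build = build + (0,) * (width - len(build))
    padded_fixed = fixed + (0,) * (width - len(fixed))
    return "upgrade_needed" if padded_build < padded_fixed else "at_or_above_fix"

# Constructed inventory: host names and installed builds are sample data.
INVENTORY = [
    ("jace-plant-01", "niagara4", "4.4.92.2.1"),
    ("supervisor-01", "niagara4", "4.6.96.28"),
    ("supervisor-02", "niagara4", "4.4.93.40.2"),
    ("ax-legacy-01", "niagara_ax", "3.8.401.1"),
    ("es-door-01", "enterprise_security", "2.3.118.5"),
    ("jace-lab-01", "niagara4", "unknown"),
]

def report(inventory):
    return {host: triage(family, build) for host, family, build in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:16} {status}")
```
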