Tridium Niagara

MonitorCVSS 7.8ICS-CERT ICSA-19-262-01Sep 19, 2019

Tridium

Attack path

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Tridium Niagara controllers contain privilege escalation vulnerabilities (CWE-200, CWE-285) that allow a local user to gain administrative control. The vulnerabilities affect Niagara AX 3.8u4, Niagara 4.4u3, and Niagara 4.7u1 running on JACE-3e, JACE-6e, JACE-7, JACE-8000, and Edge 10 devices. These vulnerabilities are not remotely exploitable and require local system access or physical access to the device. Tridium has released mitigated versions with updated OS and NRE Config distributions for each affected product line.

What this means

What could happen

A user with local access to a Niagara controller could escalate privileges to gain full system control, allowing them to modify building automation settings, disable safety systems, or disrupt HVAC, lighting, or other building operations.

Who's at risk

Building automation and facility management operators using Tridium Niagara controllers (JACE-3e, JACE-6e, JACE-7, JACE-8000, and Edge 10 gateways) should prioritize patching. These devices typically control HVAC, lighting, fire suppression, and access control systems in buildings.

How it could be exploited

An attacker with physical access to a Niagara JACE device (or a user already logged into the system) could execute a local privilege escalation attack to gain administrative access to the controller. This would require physical presence or a prior shell on the device, such as through a vulnerable web interface if exposed on the local network.

Prerequisites

Physical access to the Niagara JACE device or existing local user account on the system
Low-level access to the operating system shell or ability to interact with local services
The affected versions: Niagara AX 3.8u4, Niagara 4.4u3, or Niagara 4.7u1

Low complexityRequires physical or local accessAffects facility control systemsMultiple versions affected with no clear upgrade path for older systems

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (3)

3 pending

ProductAffected VersionsFix Status

Niagara: 4.7u1 (JACE-8000 Edge 10)4.7u1 (JACE-8000 Edge 10)No fix yet

Niagara: 4.4u3 (JACE 3e JACE 6e JACE 7 JACE-8000)4.4u3 (JACE 3e JACE 6e JACE 7 JACE-8000)No fix yet

Niagara AX: 3.8u4 (JACE 3e JACE 6e JACE 7 JACE-8000)3.8u4 (JACE 3e JACE 6e JACE 7 JACE-8000)No fix yet

Remediation & Mitigation

0/6

Do now

0/1

HARDENINGLimit physical access to Niagara JACE devices and Ethernet ports to trained, trusted personnel only

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Niagara AX 3.8u4 to OS Dist 2.7.402.2 and NRE Config Dist 3.8.401.1

HOTFIXUpdate Niagara 4.4u3 to OS Dist 4.4.73.38.1 and NRE Config Dist 4.4.94.14.1

HOTFIXUpdate Niagara 4.7u1 to OS Dist 4.7.109.16.1 (JACE 8000) or 4.7.109.18.1 (Edge 10) and NRE Config Dist 4.7.110.32.1

Long-term hardening

0/2

HARDENINGReview and restrict list of users authorized to authenticate to Niagara controllers; remove inactive or unnecessary accounts

HARDENINGIf remote connections to Niagara systems are required, enforce VPN or other secure tunnel to protect management access

CVEs (2)

CVE-2019-8998 CVE-2019-13528

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/515038b3-2ed3-4198-8bd8-b31ec4f5be10

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.