Tridium Niagara

Monitor4.3ICS-CERT ICSA-20-224-03Aug 11, 2020

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Tridium Niagara versions 4.6.96.28, 4.7.109.20, 4.7.110.32, 4.8.0.110 and Niagara Enterprise Security versions 2.4.31, 2.4.45, 4.8.0.35 contain a denial-of-service vulnerability. Successful exploitation could result in a denial-of-service condition on the Niagara system. The vulnerability is related to improper input handling (CWE-1088). Tridium has released mitigating updates available in Niagara 4.9.0.198 and Niagara Enterprise Security 4.9.0.60.

What this means

What could happen

Exploitation of this vulnerability could cause a denial-of-service condition on your Niagara building automation or enterprise security system, interrupting facility management and control functions until the system recovers or is restarted.

Who's at risk

Building automation and facility management operators using Tridium Niagara systems (versions 4.6, 4.7, 4.8, and Niagara Enterprise Security 2.4, 4.8) should update immediately. This affects water authorities, utilities, and other critical infrastructure that rely on Niagara for HVAC, lighting, access control, or enterprise security monitoring.

How it could be exploited

An attacker with network access to the Niagara system could send a malformed message or trigger a specific condition to crash or hang the service, preventing authorized users from managing building systems, process monitoring, or facility operations through the Niagara interface.

Prerequisites

Network access to the Niagara system (direct or via exposed Ethernet port)
No authentication required based on CVSS vector PR:N

remotely exploitableno authentication requiredlow complexityaffects availability of critical facility management systemsno patch available for several affected versions

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Niagara:4.6.96.28 | 4.7.109.20 | 4.7.110.32 | 4.8.0.1104.9.0.198

Niagara Enterprise Security:2.4.31 | 2.4.45 | 4.8.0.354.9.0.198

Remediation & Mitigation

0/5

Do now

0/1

HARDENINGRestrict physical access to systems and devices with Ethernet connections to trained and trusted personnel only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Niagara to version 4.9.0.198 or later

HOTFIXUpdate Niagara Enterprise Security to version 4.9.0.60 or later

Long-term hardening

0/2

HARDENINGReview and validate the list of authorized users who can authenticate to Niagara

HARDENINGImplement VPN or secure tunneling for any required remote connections to the Niagara network

CVEs (1)

CVE-2020-14483

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/dd31a101-f69e-49ef-ad38-b831650e01af