ICS-CERT Warns of Serious Flaws In Tridium SCADA Software

Trailrunner7 writes "The DHS and ICS-CERT are warning users of some popular Tridium Niagara AX industrial control system software about a series of major vulnerabilities in the applications that are remotely exploitable and could be used to take over vulnerable systems. The bugs, discovered by researchers Billy Rios and Terry McCorkle, are just the latest in a series of vulnerabilities found in the esoteric ICS software packages that control utilities and other critical systems. The string of bugs reported by Rios and McCorkle include a directory traversal issue that gives an attacker the ability to access files that should be restricted. The researchers also discovered that the Niagara software stores user credentials in an insecure manner. There are publicly available exploits for some of the vulnerabilities."
This discussion has been archived. No new comments can be posted.

  • Big Surprise (Score:4, Insightful)

    by Infin1niteX ( 950492 ) on Thursday August 16, 2012 @04:45PM (#41016465)
    All of these SCADA systems were using security by obscurity or just no security at all for years. So we're going to keep seeing these alerts and warnings for a while. Shoot, we still see them with major desktop and server operating systems. If there is a reason to exploit a system, someone will figure out how to.
  • After All (Score:4, Insightful)

    by TheSpoom ( 715771 ) <slashdot&uberm00,net> on Thursday August 16, 2012 @05:00PM (#41016671) Homepage Journal

    They would know.

  • by some old guy ( 674482 ) on Thursday August 16, 2012 @11:14PM (#41019813)

    Mod Superflex up = Informative.

    Every platform that I've ever worked with in 20+ years of industrial networking (yeah, I remember TISTAR over coax) has demonstrated its own unique vulnerabilities that the vendors arrogantly ignore. The diligent engineer/integrator must, regardless of platform or deployment, be aware and take reasonable precautions.

    Automation as an industry shares the same classic security handicaps as the internet and telecom industries: Careless users, badly written code, and low-budget management. We get paid to try to plug the holes.
