Multiple vulnerabilities in Tridium Niagara



Published: 2019-09-20
Risk: Low
Patch available: YES
Number of vulnerabilities: 2
CVE-ID: CVE-2019-8998, CVE-2019-13528
CWE-ID: CWE-200, CWE-285
Exploitation vector: Local
Public exploit: N/A
Vulnerable software:
  • Niagara 4 Framework (Universal components / Libraries / Scripting languages)
  • Niagara AX Framework (Universal components / Libraries / Scripting languages)
Vendor: Tridium

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU21230

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-8998

CWE-ID: CWE-200 - Information Exposure

Exploit availability: No

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists because the QNX procfs service provides access to various process information and assets. A local authenticated user can gain unauthorized access to a target address space.

Mitigation

Contact vendor for available updates on support channel.

Vulnerable software versions

Niagara 4 Framework: 4.4.73.38.1 - 4.7.109.16.1

Niagara AX Framework: 2.7.402.2


External links

http://www.tridium.com/~/media/tridium/library/documents/collateral/technical%20bulletins/qnx_vulnerability_fix.ashx?la=en


2) Improper Authorization

EUVDB-ID: #VU21231

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-13528

CWE-ID: CWE-285 - Improper Authorization

Exploit availability: No

Description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to missing authorization checks. A local authenticated user can gain read access to privileged files.

The following versions are vulnerable:
  • Niagara AX 3.8u4: 
    • OS Dist: 2.7.402.2
    • NRE Config Dist: 3.8.401.1
  • Niagara 4.4u3:
    • OS Dist: 4.4.73.38.1
    • NRE Config Dist: 4.4.94.14.1
  • Niagara 4.7u1:
    • OS Dist: (JACE 8000) 4.7.109.16.1
    • OS Dist (Edge 10): 4.7.109.18.1
    • NRE Config Dist: 4.7.110.32.1

Mitigation

Contact vendor for available updates on support channel.

Vulnerable software versions

Niagara 4 Framework: 4.4.73.38.1 - 4.7.109.16.1

Niagara AX Framework: 2.7.402.2


External links

http://ics-cert.us-cert.gov/advisories/icsa-19-262-01
http://www.tridium.com/~/media/tridium/library/documents/collateral/technical%20bulletins/qnx_vulne...
