#VU21231 Improper Authorization


Published: 2019-09-20

Vulnerability identifier: #VU21231

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2019-13528

CWE-ID: CWE-285

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Niagara 4 Framework
Universal components / Libraries / Scripting languages
Niagara AX Framework
Universal components / Libraries / Scripting languages

Vendor: Tridium

Description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to missing authorization checks. A local authenticated user can gain read access to privileged files.

The following versions are vulnerable:
  • Niagara AX 3.8u4: 
    • OS Dist: 2.7.402.2
    • NRE Config Dist: 3.8.401.1
  • Niagara 4.4u3:
    • OS Dist: 4.4.73.38.1 NRE Config
    • Dist: 4.4.94.14.1
  • Niagara 4.7u1:
    • OS Dist: (JACE 8000) 4.7.109.16.1
    • OS Dist (Edge 10): 4.7.109.18.1
    • NRE Config Dist: 4.7.110.32.1

Mitigation
Contact vendor for available updates on support channel.

Vulnerable software versions

Niagara 4 Framework: 4.4.73.38.1 - 4.7.109.16.1

Niagara AX Framework: 2.7.402.2


CPE

External links
http://ics-cert.us-cert.gov/advisories/icsa-19-262-01
http://www.tridium.com/~/media/tridium/library/documents/collateral/technical%20bulletins/qnx_vulne...


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability