Info

Disclosure

Aug 16, 2012

Discovery

Unknown

Dates

Exploit

Unknown

Solution

Unknown

Description

Tridium NiagaraAX Framework contains a flaw that is triggered by the program storing credential information in plaintext when transferring it in cookies. This may allow a remote attacker to gain access to credential information by sniffing the network.

Classification

Location: Remote / Network Access
Attack Type: Cryptographic, Information Disclosure
Impact: Loss of Confidentiality
Solution: Solution Unknown
Exploit: Exploit Private
Disclosure: Third-party Verified
OSVDB: SCADA

Solution

OSVDB is not aware of a solution for this vulnerability.

Products

Tridium, Inc.

Niagara AX Framework

Unspecified

Schneider Electric

I/A Series G3

Unspecified

References

CVE ID: 2012-3025 (see also: NVD)
Related OSVDB ID: 84752
News Article: http://arstechnica.com/security/2012/07/ics-security-light-years-behind-itunes/
Other Advisory URL: http://buildingskb.schneider-electric.com/view.php?AID=10973
http://download.schneider-electric.com/files?p_File_Id=25785825&p_File_Name=TAC--I-A-Series-G3-Vulnerability-Disclosure_SEVD-12-230-0_17.08.2012.pdf
http://www.schneider-electric.com/download/ww/en/details/25785814-TAC-IA-Series-G3-Vulnerability-Disclosure/?reference=SEVD-12-230-01
http://www.us-cert.gov/control_systems/pdf/ICSA-12-228-01.pdf
http://xs-sniper.com/blog/2012/07/12/tridium-an-ics-learning-moment/
Vendor URL: http://www.tridium.com/cs/products_/_services/niagaraax
Vendor Specific News/Changelog Entry: http://www.tridium.com/cs/tridium_news/security_patch_36

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/84753