SB2019092007 - Multiple vulnerabilities in Tridium Niagara
Published: September 20, 2019
Security Bulletin ID
SB2019092007
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Local access
Highest impact
Code execution
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2019-8998)
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to the QNX procfs service provides access to various process information and assets. A local authenticated user can gain unauthorized access to a target address space
2) Improper Authorization (CVE-ID: CVE-2019-13528)
The vulnerability allows a local user to disclose sensitive information.
The vulnerability exists due to missing authorization checks. A local authenticated user can gain read access to privileged files.
The following versions are vulnerable:
- Niagara AX 3.8u4:
- OS Dist: 2.7.402.2
- NRE Config Dist: 3.8.401.1
- Niagara 4.4u3:
- OS Dist: 4.4.73.38.1 NRE Config
- Dist: 4.4.94.14.1
- Niagara 4.7u1:
- OS Dist: (JACE 8000) 4.7.109.16.1
- OS Dist (Edge 10): 4.7.109.18.1
- NRE Config Dist: 4.7.110.32.1
Remediation
Install update from vendor's website.