CVE-2017-16748

9.8 CRITICAL

📋 TL;DR

This vulnerability lets an unauthenticated attacker bypass authentication on Tridium Niagara building automation stations by logging in to a user account that has been disabled (but not deleted) with a blank password, gaining that account's privileges, up to full administrator access. It affects Niagara AX Framework versions 3.8 and earlier and Niagara 4 Framework versions 4.4 and earlier. Organizations running these systems for building management, industrial control, or critical infrastructure are at risk.

💻 Affected Systems

Products:
  • Niagara AX Framework
  • Niagara 4 Framework
Versions: Niagara AX ≤ 3.8, Niagara 4 ≤ 4.4
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Any station on an affected version that holds at least one disabled user account is exploitable; no non-default authentication setting is required. Niagara systems are commonly used in building automation, industrial control, and critical infrastructure.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to manipulate building controls, disable security systems, access sensitive data, or disrupt critical operations.

🟠 Likely Case

Unauthorized access to building management systems enabling surveillance, data theft, or manipulation of environmental controls.

🟢 If Mitigated

Limited impact with proper network segmentation, monitoring, and authentication controls in place.

🌐 Internet-Facing: HIGH - A station whose web interface is reachable from the internet can be logged into by anyone who knows or guesses the name of a disabled account.
🏢 Internal Only: HIGH - An insider, or malware on any host that can reach the station's web interface, can exploit it the same way.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Straightforward authentication bypass: the attacker needs only the name of a disabled account and submits it with an empty password through the normal login page. No exploit code, valid credentials, or special tooling is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Niagara AX 3.8 UR 36, Niagara 4.4 UR 29

Advisory (ICS-CERT, ICSA-18-191-03): https://ics-cert.us-cert.gov/advisories/ICSA-18-191-03

Restart Required: Yes

Instructions:

1. Download the update for your framework line from the Tridium support portal, and confirm the exact build against the vendor's release notes.
2. Back up the station configuration.
3. Apply the update according to the vendor instructions.
4. Restart the Niagara services (the station and, if updated, the platform daemon).
5. Verify that normal logins still work and that a login attempt for a disabled account with a blank password is now rejected.

🔧 Temporary Workarounds

Network Segmentation

Platform: all

Isolate Niagara systems from untrusted networks using firewalls.

Access Control Lists

Platform: linux

Restrict who can reach the station. The Fox protocol listens on 1911 (Fox) and 4911 (Foxs, TLS); the bypass itself goes through the web login, so the station's HTTP/HTTPS ports must be restricted as well, not only Fox. Replace 10.0.0.0/24 below with your management subnet and repeat the pair of rules for the web ports the station is configured to use. These rules use -A, which appends: if an earlier rule already accepts the traffic, the DROP is never reached, so check the chain order with iptables -L INPUT -n --line-numbers.

for p in 1911 4911; do
  iptables -A INPUT -p tcp --dport "$p" -s 10.0.0.0/24 -j ACCEPT
  iptables -A INPUT -p tcp --dport "$p" -j DROP
done

🧯 If You Can't Patch

  • Implement strict network segmentation so the station's web interface and Fox ports are reachable only from a management network (or through a VPN).
  • Remove the attack surface: delete accounts that are no longer needed instead of leaving them disabled, since the bypass only works against accounts that exist in a disabled state.
  • Enable the station's audit trail and forward it to a SIEM; alert on any login, successful or not, against an account that is disabled in the user service.

🔍 How to Verify

Check if Vulnerable:

On a station you are authorized to test, take an account that is known to be disabled in the user service and attempt to log in through the web interface with that username and a blank password. If the login succeeds, the station is vulnerable. Run the test from the management network, not from an untrusted segment, and note that a station with no disabled accounts will pass this test while still running vulnerable code, so check the version as well.

Check Version:

Check Niagara version in web interface or via station properties in Workbench

Verify Fix Applied:

Repeat the same login attempt (disabled account, blank password); it must be rejected. Also confirm the installed version matches the patched build so the result is not just an artifact of the test account having been deleted.

📡 Detection & Monitoring

Log Indicators:

  • Successful logins for accounts that are disabled in the station's user service (this is the bypass itself)
  • Any login attempt, failed or successful, naming a disabled account
  • Activity from accounts that should be dormant (former staff, vendor or integrator accounts that were disabled rather than deleted)
  • Authentication events from unexpected sources or outside maintenance windows

Network Indicators:

  • HTTP POST requests to /login with disabled usernames
  • Traffic to Niagara ports (1911, 4911) from unauthorized sources

SIEM Query:

The station does not (and must not) log submitted passwords, and disabled accounts carry no naming prefix, so a query on password="" or username="disabled_*" will never match. Instead, maintain a lookup of disabled account names exported from the station's user service (niagara_disabled_accounts here is a placeholder name) and match successful authentication events against it:

source="niagara" event_type="authentication" result="success" | lookup niagara_disabled_accounts username OUTPUT disabled | where disabled="true"
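The same detection logic as a stand-alone script, run over a handful of constructed audit lines. This is an added example, not Tridium's code or a Niagara log format: the line layout, the account names, the management subnet and the disabled-account set are all assumptions, so adapt parse_line() to the fields your station's audit export actually emits. It flags any login naming a disabled account (a success being the bypass itself) and, as the network indicator above, successful logins from outside the management network.

```python
"""Flag logins matching the CVE-2017-16748 pattern in an audit log export.

Added example, not Tridium's code. The log format is constructed for
illustration; Niagara's own audit history differs, so adapt parse_line().
"""
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical line format: "<ISO time> LOGIN <SUCCESS|FAILURE> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+LOGIN\s+(?P<result>SUCCESS|FAILURE)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)

# Constructed sample data: one normal operator login, a former employee's
# disabled account being tried and then succeeding from an external address,
# a disabled vendor account succeeding from inside, and a normal admin login.
SAMPLE_LOG = """\
2018-07-10T08:01:12Z LOGIN SUCCESS user=operator src=10.10.5.21
2018-07-10T08:03:40Z LOGIN FAILURE user=j.doe src=198.51.100.7
2018-07-10T08:03:44Z LOGIN SUCCESS user=j.doe src=198.51.100.7
2018-07-10T09:15:02Z LOGIN SUCCESS user=vendor_svc src=10.10.5.60
2018-07-10T09:20:00Z LOGIN SUCCESS user=admin src=10.10.5.21
"""

# In practice exported from the station's user service; constructed here.
DISABLED_ACCOUNTS = {"j.doe", "vendor_svc"}
# Assumed management subnet from which logins are expected.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.5.0/24")]


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    reason: str


def parse_line(line):
    """Return the event fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(event, disabled=DISABLED_ACCOUNTS, nets=MANAGEMENT_NETS):
    """Return the list of alert reasons for one parsed login event."""
    reasons = []
    if event["user"] in disabled:
        # A disabled account must never authenticate: an attempt is suspicious,
        # a success is the bypass.
        if event["result"] == "SUCCESS":
            reasons.append("disabled-account-login-success")
        else:
            reasons.append("disabled-account-login-attempt")
    if event["result"] == "SUCCESS":
        try:
            src = ipaddress.ip_address(event["src"])
        except ValueError:
            reasons.append("unparseable-source")
        else:
            if not any(src in n for n in nets):
                reasons.append("login-from-outside-management-network")
    return reasons


def scan(log_text, disabled=DISABLED_ACCOUNTS, nets=MANAGEMENT_NETS):
    """Scan a whole export and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines in other formats rather than guessing
        for reason in classify(ev, disabled, nets):
            alerts.append(Alert(ev["ts"], ev["user"], ev["src"], reason))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.ts} {a.user} {a.src} {a.reason}")
```

On the sample data this yields four alerts: the failed and then successful attempts against j.doe (the success also tripping the out-of-network check), and the success for vendor_svc from inside the management network. The disabled-account set is the part that matters; keep it in sync with the station's user service, since a stale list is exactly how a forgotten account slips past.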
