Issue
I/A Series G3 Security Alert
A security patch has been released for versions 3.5 and 3.6 to remove a directory traversal vulnerability that allows a user with a valid user account or guest privileges to escalate his or her privileges on a NiagaraAX-based system.
Product Line
TAC IA Series
Environment
IA Series G3 - Versions 3.5.xx and 3.6.xx
Cause
The patch addresses a new vulnerability that was publicly disclosed in January 2013 at a security analyst conference by two security researchers, Billy Rios and Terry McCorkle. The patch removes a directory traversal vulnerability that allows a user with a valid user account or guest privileges to escalate his or her privileges on a NiagaraAX-based system.
Resolution
Schneider Electric strongly recommends all customers apply the security patch to any existing 3.5 or 3.6 systems to correct this vulnerability.
Customers with systems running a version of I/A Series G3 released prior to 3.5 should purchase an upgrade to the latest version of the Niagara Framework software in order to take advantage of the latest security improvements.
Download and review Technical Product Advisory TPA-IA-13-0003.00, which details the vulnerabilities and the security patch installation instructions.
Security patches are available for download from the EcoBuilding Download Center: Security Patches.
Note: The patch does not affect any standard Niagara configuration or functionality. The only impact of the change is to remove the vulnerability.