Tridium Niagara Affected by BlackBerry QNX Vulnerabilities

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) informed organizations last week that Tridium’s Niagara product is affected by two vulnerabilities in BlackBerry’s QNX operating system for embedded devices.


Niagara is a popular framework designed for connecting and controlling a wide range of Internet of Things (IoT) devices present in buildings, factories and smart cities. CISA says the product is used worldwide, particularly in the commercial facilities, government facilities, critical manufacturing and IT sectors.


The QNX operating system images distributed by Tridium, a subsidiary of Honeywell, are affected by a couple of recently disclosed vulnerabilities. The security holes impact Niagara AX 3.8u4, Niagara 4.4u3 and Niagara 4.7u1.


The more serious of the two vulnerabilities, tracked as CVE-2019-8998 with a CVSS score of 7.8, was reported to BlackBerry by Johannes Eger and Fabian Ullrich of the Secure Mobile Networking Lab at TU Darmstadt in Germany.


According to an advisory published by BlackBerry in July, CVE-2019-8998 is an information disclosure issue related to the procfs service and it can be exploited for local privilege escalation.


Ullrich told SecurityWeek that the vulnerability was found as part of a research project analyzing the security of IoT devices, although the research paper does not specifically mention QNX.


“QNX (like most UNIX systems) has the process memory of all processes mapped to ..
