I/A Series G3 Security Alert – Security Patch Released for 3.5 and 3.6 to remove a directory traversal vulnerability allowing a user with a valid user account or guest privileges to escalate his or her privileges on a NiagaraAX-based system.
I/A Series G3 - Versions 3.5.xx and 3.6.xx
The patch addresses a new vulnerability that was publicly disclosed in January 2013 at a security analyst conference by two security researchers – Billy Rios and Terry McCorkle. The patch removes a directory traversal vulnerability allowing a user with a valid user account or guest privileges to escalate his or her privileges on a NiagaraAX-based system.
Schneider Electric strongly recommends all customers apply the security patch to any existing 3.5 or 3.6 systems to correct this vulnerability.
Customers with systems running a version of I/A Series G3 released prior to 3.5 should purchase an upgrade to the latest version of the Niagara Framework software in order to take advantage of the latest security improvements. Download and review the TPA-IA-13-0003.00 Technical Product Advisory, which details the vulnerabilities and security patch installation instructions.
Security patches are available for download from the Ecobuildings Download Center: Security Patches.
Note: The patch does not affect any standard Niagara configuration or functionality. The only impact of the change is to remove the vulnerability.