News Vulnerability Management

Cisco Warns Of Security Flaws In Building Management System

Multiple vulnerabilities could enable attackers to access power, HVAC, and physical security systems

Tim Wilson May 27, 2010

Cisco Systems yesterday revealed details of multiple security vulnerabilities in a device that many companies use to centrally control building power, ventilation, lighting, and security systems remotely via the data center.

In a security advisory issued Wednesday, Cisco warned users of its Network Building Mediator products to patch the vulnerabilities, which could allow access to obtain administrative passwords and read system configuration files, making it possible for hackers to take control of a building's most critical control systems.

More Security Insights

White Papers

More >>

Reports

More >>

Webcasts

More >>

"Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device," the advisory states. The flaws also have been found in older products from Richards-Zeta, the company that originally designed the system, which was acquired by Cisco.

One flaw could enable low-level employees to gain full control of the device by accessing default administrative accounts, Cisco says. Other bugs might allow insiders to intercept traffic as it travels between an administrator and the Building Mediator.

The device, which collects data in a variety of formats and presents it on a single screen, is designed to automate a multitude of facilities management tasks. However, this consolidation could also turn the system into a single point of attack, experts say.

Cisco has released free software updates that address the vulnerabilities. Workarounds that mitigate some of the listed vulnerabilities are also available.

The bugs were discovered during internal testing, and Cisco does not know of any actual expoits yet, the advisory says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Dark Reading Discussions

Start the Discussion

To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.

Follow Dark Reading

Dark Reading Reports

How Attackers Choose Which Vulnerabilities To Exploit

In the increasingly complex world of information security, it's important for security professionals to be able to understand not only how their organization's systems and data may be compromised but why. In this Dark Reading report we examine why certain vulnerabilities are exploited, by whom and with what. We also provide recommendations for getting out infront of hackers by using some of the same tools and strategies they do.
Assessing Risk and Prioritizing Vulnerability Remediation

Vulnerability remediation is a never-ending process, but, even so, security pros can't plug every hole in every asset and application. The key is to determine which vulnerabilities are most likely to be exploited and the effects such exploits would have on the business. To do this, security pros must know the business and its technology usage and needs intimately, a process that must involve stakeholders across the organization. In this report we recommend the steps that should be taken to determine the risk of vulnerabilities and the lengths to which remediation can and should go.
Finding Vulnerabilities By Attacking Your Own Environment

Vulnerability scans are valuable, but you have to think and act like a hacker if you want to truly understand the ways in which your organization could be compromised. In this report, Dark Reading recommends the tools and methodologies that can be used to test your organization's security.

Other reports from the Vulnerability Management Tech Center:

Related Content

Sponsored by

Mobile Devices Drive Majority of Endpoint Security Concerns

The results of the 2013 State of the Endpoint study tracked endpoint risk in organizations, the resources to address the risk and the technologies deployed to manage threats. This study reveals that the state of endpoint risk is not improving and one of the top concerns is the proliferation of personally owned mobile devices in the workplace such as smart phones and iPads. Download "Mobile Devices Drive Majority of Endpoint Security Concerns" to review some of the most noteworthy survey findings, address the difficulties in managing the endpoint risk, and review recommendations to make improvements.
IT Pros Guide to Data Protection: Top 5 Tips to Securing Data in the Modern Organization

Ready your organization for more robust data protection measures by first implementing these five steps to improve data security in a business- and cost-effective manner.
Best Practice Guide to Addressing Web 2.0 Risks

With the rise of user-generated content, social networks and readily available information offered by the Web 2.0-enabled workplace, users are more connected to people and ideas than ever before. This new level of connectivity also introduces significant risk. Organizations need to find the proper balance of risk vs. productivity through improved policy, controls and education of users.
Closing the Antivirus Protection Gap: A Comparative Study on Effective Endpoint Protection Strategies

Corporate economic concerns have put increased pressure on already limited IT resources in recent years as the onslaught of malware and sophistication of cyber attacks continues to grow at exponential rates. As a result, 50% of endpoint operating costs are directly attributable to malware,1 yet, corporate IT budgets are still focused on maintaining stand alone antivirus as the keystone in endpoint security. In this paper, we will benchmark the effectiveness of standalone AV and O/S resident patching solution versus newer technologies and a defense-in-depth of approach of layering multiple endpoint security and operational technologies together.
Lumension Guide to Device Control Best Practices

USB flash drives and other removable storage devices continue to proliferate throughout organizations. This could result in the loss or theft of your sensitive corporate and customer data, or in the propagation of malware like Stuxnet. Fortunately, powerful data protection tools are now available to help mitigate these risks, while still enabling flexible and managed use of these productivity devices. Learn about the best practices for deploying device control within your environment. Walk away with the recommended process to successfully prepare, enforce and manage the use of removable devices and media, and to protect your sensitive data.

Free Research and Reports

What's this?From the Editors of DarkReading

More >>

Box Icon

Whitepapers

What's this?

More >>

Box Icon

Dark Reading Digital Magazine

Back Issues

In This Issue

Endpoint Security: End user security requires layers of tools and training as employees use more devices and apps.
Security Isn't A Piece Of Cake: It's time we rethink the conventional wisdom about security layering.
BYOD Is Here To Stay: Trying to keep employees' devices off the network is futile.

Download Now

First Name*:
Last Name*:
Email Address*:
Job Title:
Company/Organization/Gov't Dept.:
*Required field
Privacy Statement

Security

Protect The Business - Enable Access

News Vulnerability Management

Cisco Warns Of Security Flaws In Building Management System

Multiple vulnerabilities could enable attackers to access power, HVAC, and physical security systems

More Security Insights

White Papers

Reports

Webcasts

Related Reading

Dark Reading Discussions

Start the Discussion

Follow Dark Reading

Dark Reading Reports

How Attackers Choose Which Vulnerabilities To Exploit

Assessing Risk and Prioritizing Vulnerability Remediation

Finding Vulnerabilities By Attacking Your Own Environment

Sign up for the Dark Reading Daily email newsletter

Free Research and Reports

Whitepapers

Upcoming Events

Dark Reading Digital Magazine

In This Issue

News Vulnerability Management

Cisco Warns Of Security Flaws In Building Management System

Multiple vulnerabilities could enable attackers to access power, HVAC, and physical security systems

More Security Insights

White Papers

Reports

Webcasts

Related Reading

Dark Reading Discussions

Start the Discussion

Follow Dark Reading

Dark Reading Reports

Related Content

Dark Reading Newsletter

Sign up for the Dark Reading Daily email newsletter

Free Research and Reports

Whitepapers

Upcoming Events

Dark Reading Digital Magazine

In This Issue