Customer Support

What can we help you with?

Find the Help You Need

Have a question? Find the answers you need by searching our knowledge base, visiting our community forum or watching our helpful online training videos.

Contact Us

Our support team is available to help you Monday - Friday 6am - 5pm PST.

Phone
Inductive Automation Corporate
+1 (800) 266-7798 Toll Free (USA)
+1 (916) 456-1045 International


Other Ways to Get Help

RSS Feed

Latest Updates

Jul
28
7.7.5 Now Available
Posted by Peggie Wong on 07/28/2015 08:33 AM

The 7.7.5 official release is now available for download on the Ignition downloads page, which you can find here. It contains new features and bug fixes. You can view a complete list of these in the change log here.

7.7.5 is now the recommended download for new installations and upgrades.





Apr
2
ICS-CERT Advisory ICSA-15-090-01
Posted by Dave Fogle on 04/02/2015 01:38 PM

Overview

On March 31st, 2015, ICS-CERT published an advisory regarding Ignition that includes five separate security issues. These issues are not highly dangerous exploits, and most customers will not require immediate action to mitigate the risk that these issues pose. To facilitate better understanding of each issue included in the advisory, we describe each one here in terms relevant to users of Ignition, as well as the security impact and risk mitigation factors for each issue. 

Advisory Breakdown

All of these issues are resolved in Ignition 7.7.4, and will be backported to the next 7.5 LTS release, 7.5.14.

Cross-site scripting (XSS) CVE-2015-0976

When you web-launch a Vision client, you use a technology called Java Web Start. You go to a URL on the Ignition Gateway, and the Gateway generates a "JNLP" file for the Vision Client application. Java Web Start then reads this JNLP file, which contains the information needed to download and launch our client application. This vulnerability involves a carefully manipulated URL that causes the JNLP to tell Web Start to load a different program instead of our client application. The impact is that if an attacker created a URL that loaded their own program and then convinced someone that it was a genuine Ignition URL, they could have that person launch a malicious application. Low impact, mitigated by ensuring you don't launch the Vision Client from an untrusted link (for example, an unsolicited email), or by using the Native Client Launcher.

Information Exposure Through Error Message CVE-2015-0991

This vulnerability describes how our Gateway responds to certain invalid URLs with an error message that contains information about the server and application that generated it. Best practice is to not leak this sort of information via error messages. Very low impact.

Insecure Storage of Sensitive Information CVE-2015-0992

When you configure an OPC server connection, you have to provide credentials for the connection. We store those connections in our internal database of settings for the Ignition Gateway. Prior to Ignition 7.7.4, these credentials were stored in plain text inside this database. As of 7.7.4, the credentials are encrypted. In order to exploit this vulnerability, an attacker would need to have local disk access to the server running the Gateway. Low impact, mitigated by protecting local disk access to the Ignition Gateway server.

Insufficient Session Expiration CVE-2015-0993

When you log into the configuration section of the Ignition Gateway, you get an authorized session. This vulnerability describes a way in which your authorized session could still be used for a short time even after you have logged out. An attacker who had captured session information from the network would then be able to replay commands using the authorized session. Medium impact, high sophistication level required. Mitigated by using SSL.

Bypass Anti-Bruteforce CVE-2015-0994

When you log into the Ignition Gateway, you may only enter a failed password a small number of times before the gateway blocks you from trying again for about a minute. This is called an anti-brute-force protection. It protects against someone running a program that attempts to log in tens of thousands of times in a row, using a dictionary of commonly used passwords. By injecting a delay, the brute-force mechanism is slowed down so much that it would take an unreasonable amount of time to try all of the known, common passwords. This vulnerability describes a manner in which our brute force mechanism could be bypassed. Low impact, mitigated by using good passwords.
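A minimal sketch of the lockout behaviour described above, added here as an illustration and not Ignition's own code. The thresholds (5 failures, 60 seconds) and all names are assumptions standing in for "a small number of times" and "about a minute".

```python
import time


class LoginThrottle:
    """Block an account for `lockout_seconds` after `max_failures` misses."""

    def __init__(self, max_failures=5, lockout_seconds=60, clock=time.monotonic):
        self.max_failures = max_failures        # assumed value, not from the page
        self.lockout_seconds = lockout_seconds  # assumed value, not from the page
        self.clock = clock                      # injectable so tests control time
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> time at which the block expires

    def is_blocked(self, username):
        return self.clock() < self._locked_until.get(username, 0.0)

    def attempt(self, username, password_ok):
        """Return 'blocked', 'ok' or 'failed' for one login attempt."""
        if self.is_blocked(username):
            return "blocked"  # rejected before the password is even considered
        if password_ok:
            self._failures.pop(username, None)  # success resets the counter
            return "ok"
        count = self._failures.get(username, 0) + 1
        if count >= self.max_failures:
            self._locked_until[username] = self.clock() + self.lockout_seconds
            count = 0
        self._failures[username] = count
        return "failed"


def days_to_exhaust(dictionary_size, max_failures=5, lockout_seconds=60):
    """Lower bound, in days, to try every dictionary entry against one account."""
    lockouts = dictionary_size // max_failures
    return lockouts * lockout_seconds / 86400
```

With these assumed settings, a 100,000-entry password dictionary needs at least about 13.9 days against a single account, which is the slowdown the paragraph describes.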

Use of Password Hash with Insufficient Computational Effort CVE-2015-0995

When you manage users within Ignition, the Ignition Gateway stores the usernames in the internal settings database. Their passwords, however, are not actually stored. Something called a "hash" of the password is stored instead. A hash is like a one-way encoding. Given a password, it will always create the same hash number, but you cannot take a hash number and derive the password. This is a safety mechanism that lets us check that a password is correct without actually storing the password, so that if someone has a gateway backup, they cannot see the passwords inside it. We had been using a hashing mechanism called "MD5". This mechanism is out of date and no longer considered secure, because there exist things called "rainbow tables", which are huge tables of MD5 hashes for common passwords. As of Ignition 7.7.4, we have updated the passwords to use a salted SHA-256 hashing strategy. Low impact, mitigated by using good passwords.
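The difference between the two schemes, as an added example that is not Ignition's own code: a precomputed table matches an unsalted digest directly but misses a salted one. The password list, the `salt$digest` record format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny stand-in for a table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "ignition", "letmein"]


def precomputed_table(algorithm):
    """Map digest -> password for every common password (unsalted)."""
    return {hashlib.new(algorithm, p.encode()).hexdigest(): p
            for p in COMMON_PASSWORDS}


def md5_unsalted(password):
    """Legacy scheme: the same password always yields the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def sha256_salted(password, salt=None):
    """Salted scheme: a random per-user salt is stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest  # hypothetical record format


def verify_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest = record.split("$", 1)
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)


def lookup(table, digest):
    """Return the matching common password, or None if the digest is absent."""
    return table.get(digest)


if __name__ == "__main__":
    # Unsalted MD5: one dictionary lookup recovers the password.
    print(lookup(precomputed_table("md5"), md5_unsalted("letmein")))
    # Salted SHA-256: same password, different record per user, table misses.
    a, b = sha256_salted("letmein"), sha256_salted("letmein")
    print(a != b, lookup(precomputed_table("sha256"), a.split("$")[1]))
    print(verify_salted("letmein", a))
```

The salt defeats precomputed tables, but SHA-256 is still fast to compute, so a weak password can be guessed directly; this is why the mitigation of using good passwords still applies.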





Mar
31
7.7.4 Available Now
Posted by Dave Fogle on 03/31/2015 08:52 AM

The 7.7.4 official release is now available for download on the Ignition downloads page, which you can find here. It contains new features and bug fixes. You can view a complete list of these in the change log here.

7.7.4 is now the recommended download for new installations and upgrades.





Feb
26
7.7.3 Official Release
Posted by Peggie Wong on 02/26/2015 09:39 AM

The 7.7.3 official release is now available for download on the Ignition downloads page, which you can find here. It contains new features and bug fixes. You can view a complete list of these in the change log here.

7.7.3 is now the recommended download for new installations and upgrades.





Sep
16
Inductive Automation Launches Improved Support Portal
Posted by Dave Fogle on 09/16/2014 02:51 PM

Provides Fourth Avenue for Support Alongside Phone, Email, and Forum

Welcome to the new Inductive Automation Support Portal.

In order to offer better support, better communication, and more transparency to the whole support process, as well as to provide a historical log of support issues, we have made some changes and added a few new features to the Support Portal.

Up until now, we have offered you three main avenues for getting support from the IA staff and the rest of the Ignition community: Phone Support, Email Support, and the Inductive Automation Forums. Now we are adding a fourth avenue. Starting today, you will also be able to submit support issues via the new IA Support Portal. We are also rolling in Phone Support and Email Support so that all issues, no matter how they are reported, can be viewed from a single location.

Issues submitted through the IA Support Portal are similar to issues submitted by emailing the support@inductiveautomation.com address, but the main difference is that you can open these support tickets from the same location that you come to when looking for Knowledge Base articles and self-help solutions. If you don’t find what you’re looking for in the Support Portal, then you can submit a ticket without navigating away to your email client.

All your support issues, whether submitted by phone, email, or through the portal, will be tracked and visible to you once you log in to your account using the new IA account login system. You will be able to see replies from Support Engineers regarding your open tickets, documentation of topics covered on a support call made by the representative you spoke with, the full email chain for tickets submitted by email, and track the progress of your support ticket through different departments as it progresses from its initial Open state to the point where it’s Resolved or Closed. All of your communication regarding a specific issue will be collected and stored in one convenient location that you can log into and view.

Over the coming months, a few new features will be rolled out, and there will also be an increase in the breadth of topics covered in the Knowledge Base article library. It’s going to be an exciting few months with new resources becoming available to help you get the most out of Ignition and make the learning process a little easier. Keep an eye on the News section in the Support Portal for updates on new features, important support-related announcements, and general information regarding the Inductive Automation Support Team.

- Dave Fogle, Director of Support Services, Inductive Automation

