Regarding the Security Advisories Published by the ZDI on 8 August 2023
On August 8th, 2023, Trend Micro’s Zero Day Initiative (ZDI), the organizers of ICS Pwn2Own, published six security advisories relevant to all versions of Ignition 8.1. Inductive Automation’s response to each of these advisories can be found below.
Inductive Automation thanks the ZDI and security researchers for their hard work in finding and responsibly disclosing security vulnerabilities.
In addition to the specific recommendations below, we generally recommend that Ignition users stay up to date with the latest stable version of Ignition and adhere to the Ignition Security Hardening Guide to reduce attack surface and minimize the impact of any successful attack.
Ignition Ticket         | ZDI-CAN                                     | CVE
IGN-8149 (8.1.32)       | ZDI-CAN-17571                               | CVE-2023-39472
IGN-7080 (in progress)  | ZDI-CAN-19915                               | CVE-2023-39474
IGN-6308 (in progress)  | ZDI-CAN-17587, ZDI-CAN-20290, ZDI-CAN-20291 | CVE-2023-39473, CVE-2023-39475, CVE-2023-39476
IGN-7285 (under review) | ZDI-CAN-20499                               | CVE-2023-39477
ZDI-CAN-17571
ZDI-CAN-17571 (CVE-2023-39472) requires an administrator to load a specially crafted malicious file. It takes advantage of an acknowledged parsing weakness in the import of certain Ignition resources. The crafted file triggers an XML External Entity (XXE) attack, which can lead to the disclosure of confidential data stored on the Ignition server.
A fix for this vulnerability is targeted for 8.1.32 (Sept. 2023).
Recommended mitigation: train privileged users to import resources, configuration, and backup files only from trusted sources.
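The following is an added example, not Ignition code, that shows the general shape of the weakness described above: an XML import routine built on JAXP defaults expands an external entity pointing at a local file, while the same routine with the standard hardening features set rejects the file outright. The class name, the "resource" element and the secret file are constructed for the demonstration; the only fact taken from the advisory is that the import path is an XML parser.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;

/**
 * Added example (not Ignition code): an XML "resource import" that leaks a local file
 * through XXE when the parser is left at JAXP defaults, next to the JAXP features that
 * close the hole. Run with: java XxeImportDemo.java  (Java 11+)
 */
public class XxeImportDemo {

    /** Parser as many codebases build it: DOCTYPE allowed, external entities resolved. */
    static DocumentBuilder vulnerableParser() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened parser: no DOCTYPE at all, so no entity declarations can appear. */
    static DocumentBuilder hardenedParser() throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // Primary control: an imported resource has no legitimate need for a DTD.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the feature above.
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf.newDocumentBuilder();
    }

    /** Stand-in for "import a resource file": parse it and return the root element's text. */
    static String importResource(DocumentBuilder parser, String xml) throws Exception {
        Document doc = parser.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: stands in for a confidential file on the gateway host.
        Path secret = Files.createTempFile("gateway-secret", ".txt");
        Files.writeString(secret, "db.password=hunter2");

        // Constructed malicious "resource" an attacker would hand to an administrator.
        String payload = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE resource [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<resource name=\"innocent\">&xxe;</resource>";

        try {
            // Default parser: the entity is expanded and the secret ends up in the document.
            System.out.println("default parser returned: " + importResource(vulnerableParser(), payload));

            // Hardened parser: the DOCTYPE itself is rejected before any entity is declared.
            try {
                importResource(hardenedParser(), payload);
                System.out.println("hardened parser: unexpected success");
            } catch (org.xml.sax.SAXParseException e) {
                System.out.println("hardened parser rejected import: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Disallowing the DOCTYPE is the control that matters; the remaining features are there for parsers that do not implement it. Any import path that must accept a DTD for compatibility should at least keep the two external-entity features off and run the parse with secure processing enabled.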
ZDI-CAN-19915
ZDI-CAN-19915 (CVE-2023-39474) involves a threat actor replacing legitimate Ignition Gateway binary files with maliciously crafted equivalents. The replaced binaries can execute malicious code on the client machine when the Ignition Designer or Vision Client is launched; Perspective is not affected.
Inductive Automation acknowledges the value of security controls that ensure the integrity and authenticity of embedded binaries, and is actively pursuing security features to address CVE-2023-39474.
Recommended mitigation: train users to connect only to trusted Ignition Gateways over secure communication (HTTPS/TLS) and to verify the Gateway's certificate.
ZDI-CAN-17587, ZDI-CAN-20290, ZDI-CAN-20291
ZDI-CAN-17587 (CVE-2023-39473), ZDI-CAN-20290 (CVE-2023-39475) and ZDI-CAN-20291 (CVE-2023-39476) take advantage of a Java deserialization flaw within the Ignition Gateway. A threat actor with privileged access could craft a special payload that, when deserialized, achieves remote code execution on the target Gateway. Inductive Automation acknowledges the issue and is actively working on secure design patterns to address the reported issues and the larger vulnerability class.
Recommended mitigation: ensure all Ignition Gateways in a Gateway Network are configured to require TLS and Two-Way Authentication, and approve only the certificates of Gateways you trust. External controls also help, such as a firewall that limits Gateway Network traffic to the Gateways that are designed to communicate with each other.
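As an added example of the vulnerability class described above (not Ignition code, and not the design pattern Inductive Automation is working on), the block below shows the standard JDK control against it: a JEP 290 ObjectInputFilter (Java 9+) that allowlists the one message type a hypothetical gateway-to-gateway channel is supposed to carry and rejects every other class before an instance is created or its readObject()/readResolve() code can run. The TagUpdate and UnexpectedType classes, the channel, and the sample traffic are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

/**
 * Added example (not Ignition code): an allowlisting ObjectInputFilter applied to a
 * hypothetical message channel between two gateways. Run with:
 * java DeserializationFilterDemo.java  (Java 11+)
 */
public class DeserializationFilterDemo {

    /** The one message type this channel is designed to carry (constructed for the demo). */
    public static class TagUpdate implements Serializable {
        private static final long serialVersionUID = 1L;
        final String tagPath;
        final double value;
        TagUpdate(String tagPath, double value) { this.tagPath = tagPath; this.value = value; }
    }

    /** Stands in for any serializable class the attacker can reach but the channel never needs. */
    public static class UnexpectedType implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            // In a real gadget chain this is where attacker-controlled behaviour would begin.
            throw new IllegalStateException("readObject() of an unexpected class executed");
        }
    }

    /**
     * Allowlist: the expected message class (plus String for its field); the trailing "!*"
     * rejects everything else. The limits cap depth, reference count and stream size so a
     * hostile stream cannot exhaust the receiver even with allowed classes.
     */
    static final ObjectInputFilter CHANNEL_FILTER = ObjectInputFilter.Config.createFilter(
        "maxdepth=8;maxrefs=256;maxbytes=65536;"
        + DeserializationFilterDemo.class.getName() + "$TagUpdate;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    /** Receiving side: the filter is installed before the first readObject(). */
    static Object receive(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(CHANNEL_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed traffic: one legitimate message and one hostile payload.
        TagUpdate ok = (TagUpdate) receive(serialize(new TagUpdate("[default]Line1/Pressure", 42.5)));
        System.out.println("accepted: " + ok.tagPath + " = " + ok.value);

        try {
            receive(serialize(new UnexpectedType()));
            System.out.println("hostile payload was deserialized (filter missing?)");
        } catch (InvalidClassException e) {
            // Thrown by the filter with status REJECTED; UnexpectedType.readObject() never ran.
            System.out.println("rejected by filter: " + e.getMessage());
        }
    }
}
```

The allowlist is the point: a denylist of known gadget classes is always one new gadget behind. Where a process-wide policy is preferable to a per-stream one, the same pattern string can be installed through the jdk.serialFilter system property or ObjectInputFilter.Config.setSerialFilter(), and the per-stream filter then only needs to narrow it further for a specific channel.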
ZDI-CAN-20499
ZDI-CAN-20499 (CVE-2023-39477) involves a trusted external OPC UA client connection being used to mount a denial-of-service attack against the Ignition OPC UA server by programmatically exhausting its resources.
Inductive Automation acknowledges that denial-of-service attacks are possible over a trusted OPC UA connection and is evaluating security controls to mitigate this class of attack.
Recommended mitigation: connect Ignition only to trusted OPC UA clients and servers, and segment Ignition Gateways from untrusted networks. Finally, adhere to the Ignition Security Hardening Guide to reduce the attack surface and minimize the impact of any successful attack.