On Apr 12, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published Industrial Control Systems (ICS) Advisory ICSA-22-102-03, which discloses a security vulnerability in one of Ignition's config pages. The vulnerability was patched in version 8.1.10.
The vulnerability is a flaw in the Ignition Exchange config page that was introduced in version 8.0.5. The page's "Import Package File" function extracted an uploaded package without validating where each entry in the archive would land, which made it vulnerable to path traversal (the bug class commonly known as "Zip Slip"). An attacker could craft a zip file whose entry names carry traversal sequences such as ../, causing the Gateway to write the contained files to arbitrary locations of the attacker's choosing on the Gateway's filesystem, escaping the directory designated for exchange resource extraction.
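To make the mechanism concrete, the following is an added example written for this page; it is not Ignition's code, and it does not claim to show how Inductive Automation fixed the Exchange page (Ignition is a Java product, but Python's standard library is enough to demonstrate the pattern). It constructs, in memory, a sample package with one traversal entry (the package, the entry name ../../pwned.txt and the directory layout under a temporary directory are all assumptions made for the demo), runs it through a deliberately naive extractor of the kind that causes this bug, and then through a hardened extractor that canonicalises every entry path and rejects the whole package if any entry would resolve outside the destination.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip(entry_name="../../pwned.txt", payload=b"owned\n"):
    """Build, in memory, a package whose second entry carries a traversal
    sequence. Constructed sample input for this demo only; it is not a real
    Exchange package. zipfile stores the entry name verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", b"looks harmless\n")
        zf.writestr(entry_name, payload)
    return buf.getvalue()


def extract_naive(zip_bytes, dest):
    """Vulnerable extractor: joins each entry name onto dest and writes there.
    A name such as ../../x walks out of dest, which is the bug class at issue.
    Returns the canonical paths it wrote so the caller can see where they went."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def resolves_inside(root, entry_name):
    """True if entry_name, joined onto root and canonicalised, stays under root.
    Uses commonpath rather than a string-prefix test so that a root of /a/b
    does not accept /a/bc, and realpath so '..' and absolute names are resolved."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, entry_name))
    return os.path.commonpath([root, target]) == root


def extract_safe(zip_bytes, dest):
    """Hardened extractor: validate every entry name first, then write.
    Rejecting the whole package up front avoids leaving a half-extracted tree."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [i.filename for i in zf.infolist() if not resolves_inside(root, i.filename)]
        if bad:
            raise ValueError("package rejected, entries escape %s: %r" % (root, bad))
        written = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def demo():
    """Run both extractors against the constructed package inside a temporary
    tree (assumed layout: <tmp>/data/exchange/import). Returns the paths the
    naive extractor wrote outside dest and whether the safe extractor rejected
    the package."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "data", "exchange", "import")
        os.makedirs(dest)
        pkg = build_malicious_zip()
        root = os.path.realpath(dest)
        escaped = [p for p in extract_naive(pkg, dest)
                   if os.path.commonpath([root, p]) != root]
        try:
            extract_safe(pkg, dest)
            rejected = False
        except ValueError:
            rejected = True
        return escaped, rejected


if __name__ == "__main__":
    escaped, rejected = demo()
    print("naive extractor wrote outside dest:", escaped)
    print("safe extractor rejected package:", rejected)
```

Two details matter for anyone writing an extractor. The containment check compares canonical paths with commonpath, because a plain startswith test on the destination string accepts sibling directories that merely share a prefix, and realpath is what turns ../ and absolute entry names into the path that will actually be opened. Validation also runs over the whole archive before anything is written, so a hostile package is refused outright rather than partially applied.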
Exploiting this vulnerability requires a user with config-level access to the Gateway. An attacker who already holds config-level access could exploit it directly, but that role is already the highest level of access in the Gateway, so in that case the vulnerability adds little beyond what the attacker can already do. Note that any file the Gateway writes is written with the privileges of the operating-system account the Gateway service runs as, so how far an arbitrary write can reach on the host depends on how that account is confined.
A much more likely attack scenario is to target a trusted user who has config page access. If the attacker can persuade that user to upload the malicious zip file under the guise of a legitimate exchange resource, the files it contains are written to whatever locations on the Gateway's filesystem the attacker chose when building the package, using the victim's access rather than the attacker's own.
To mitigate this vulnerability, Inductive Automation recommends upgrading to the latest stable version of Ignition (or, at the very least, version 8.1.10, where it is patched). Train users with config page access to use strong passwords and to follow sound credential-management practices, and consider using an IdP that supports two-factor authentication. Train users to import exchange resources only from trusted sources; a quick check before importing is to list the archive's entries and treat any name that contains ../ or begins with a slash as hostile. Finally, harden Ignition and its environment to reduce the attack surface and minimize the impact of any successful attack; for example, run the Gateway service under a dedicated, least-privilege operating-system account so that a file written outside Ignition's own directories cannot reach the rest of the host.
Inductive Automation would like to take this opportunity to thank the researchers at Claroty for responsibly disclosing the vulnerability.