Trust Center

As an update to our Technical Advisory on 8 August 2023, Inductive Automation is actively addressing vulnerabilities disclosed earlier this month as a top priority. ZDI-CAN-17571 (XXE attack) will be fixed in Ignition 8.1.32 (Sep 12th release). ZDI-CAN-20499 (OPC-UA resource exhaustion) is on track for 8.1.33 (Oct 17th). We completed design work including threat modeling and attack surface analysis and are working on implementation work addressing Java deserialization vulnerabilities. Additional reports have been submitted to IA from security researchers following the ZDI disclosure this month. These are being verified in detail and are believed to be variants of existing submissions that will be addressed by upcoming updates. These vulnerabilities can be mitigated by following best practices from the Ignition Security Hardening Guide, especially related to proper network segmentation, keeping the environment up to date, and working with trusted files and systems.

Today, the Zero Day Initiative (ZDI) published six security advisories related to Ignition 8.1. We are actively investigating and working on fixes. You can read our response to each of these advisories and our recommendations for mitigation at: http://support.support.staging.shop.vogue-hairsalon.com/hc/en-us/articles/18333051904653--Tech-Advisory-Regarding-the-Security-Advisories-Published-by-the-ZDI-on-8-August-2023

Trust Center Updates are the primary public information conduit for Coordinated Vulnerability Disclosure (CVD) with Ignition. Please subscribe for email updates. Posts and associated emails summarize Ignition-related vulnerabilities, issues, impact, and recommendations. Technical Advisory links will often include additional information.

Inductive Automation takes pride in significant investment in stability, security, quality, and privacy throughout the entire Ignition secure Software Development Lifecycle (SDLC) and associated processes. This includes a commitment to prioritize resolution, proactively seek vulnerabilities, and be transparent with our outstanding community. We love hiring regular third-party penetration testing and participating in the S4x Pwn2Own competition each year!

Recommendations: Inductive Automation provides resources such as the Ignition Security Hardening Guide and the Ignition Server Sizing and Architecture Guide. The online user manual, Inductive University, and forum, also provides free resources. Paid training is also available.

Inductive Automation recommends partnering with one of the thousands of System Integrators who can help navigate the process of securing and assuring Ignition within the customer environment throughout the system lifecycle in accordance with business requirements.

Reporting and communication: Inductive Automation welcomes all feedback, especially on security-related matters. The best email address is: security@vogue-hairsalon.com, using the Inductive Automation public PGP key 如果需要加密通信. Support, Account Representatives, and Sales Engineers are also available to help.

Inductive Automation fixed an RCE vulnerability disclosed by the Zero Day Initiative (ZDI), independently exploited by Team82 (Claroty) and 20urdjk "Urge" security researchers as part of the ICS Pwn2own 2023 ethical hacking competition. The update will be included in 8.1.26, available in the "nightly" build on Feb 17th.

http://support.staging.shop.vogue-hairsalon.com/downloads/ignition/

Great work from ZDI, Claroty, "Urge", and the Inductive Automation Development and QA teams!!!

Announcement. Inductive Automation will be back to compete in the ICS/SCADA-themed Pwn2Own event at S4x in Miami for the “OPC UA Server” and “OPC UA Client” categories. Attack Scenarios are: Denial of Service (DOS), Remote Code Execution (RCE), Credential Theft, and Bypass Trusted Application Check. Other categories include “Data Gateway” and “Edge”.

Best of luck to all participants! Updates to follow as vulnerabilities are found and fixed!

ZDI Announcement

False positive. The best practice configuration recommendation is to enforce http (TLS 1.2+) with genuine certificates in accordance with the Ignition Security Hardening Guide, preferably enabling HSTS.

Background. Some cybersecurity scanning tools flag on a URL string like "idp/default/authn/login?token=xxxx", assuming that the token is a session identifier. It is not. The token is a cryptographic nonce with a short "time to live" value. Ignition uses the token to orchestrate the handoff between the internal Ignition Identity Provider's OpenID Connect authorization endpoint and the authentication workflow. This is separate from a possible nonce variable that might also appear in the same URL string.

The token is bound to the user's session which is tracked by an HTTP cookie passed in the HTTP headers. The session cookie is protected when Ignition is properly configured to use http. Therefore, it follows that as long as a user's session is secure, associated tokens will also be secure, even if they are leaked, since an attacker would have to know the session ID in order to use the token.

Informational. Ignition is not affected by the OpenSSL vulnerabilities in CVE-2022-3786 and CVE-2022-3602. No action required.

After a comprehensive search for usage of the offending libraries, Inductive Automation has determined that Ignition has no reliance on, and found no evidence of OpenSSL 3.0.x.

Informational. Recommend upgrading to Ignition 8.1.23+. Ignition 8 versions before 8.1.23 are bundled with a vulnerable version of the Apache Commons Text library. However, Inductive Automation assesses the vulnerability at “low risk” based on the fact that Ignition does not invoke any of the vulnerable functions. In other words, a local cybersecurity scanning tool+ may note the existence of the binary, but associated exploits are unlikely to work.

Version 8.1.23+ updates the dependency to 1.10.0, which fixes the CVE.

Tech advisory link.

Informational. Low impact. Upgrade to 8.1.23+ to fix. Ignition 8 versions before 8.1.23 do not properly process SVG images stored in pre-release (Alpha and Beta) versions of 8.x (prior to April 10, 2019).

The tech advisory provides upgrade instructions.

Informational. Ignition version 8.1.22, released 11/1/2022, includes an updated version of its Internal Database (SQLite) that requires a newer version of GLIBC on Linux systems running on ARMv6 and ARMv7 hardware.

The minimum required GLIBC version on ARMv6 and ARMv7 hardware will increase from v2.4 to v2.28. Consequently, some older operating systems that ship with older versions of GLIBC will be unable to run newer versions of Ignition.

The minimum required GLIBC version on x86-64 hardware remains v2.3.

Known affected: Debian 9 and its derivatives such as Raspbian 9 Debian 9 reached EOL status on June 30, 2022

Tech advisory link.

Update Ignition to 8.1.8 or greater. On July 26, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published an Industrial Control Systems (ICS) Advisory ICSA-22-207-01 disclosing Ignition security vulnerability CVE-2022-1704 that was patched in version 8.1.8.

The vulnerability enables an attacker to compromise an Ignition Gateway if a privileged Ignition user restores a maliciously crafted backup file.

Tech advisory link

Configure Ignition Gateway MS SQL Server connections to use TLS 1.2 or 1.3. A Java 8 (8u291+) and corresponding Java 11 (11.0.11+) security update disables the use of TLS 1.0 and 1.1, which is a recommended cybersecurity best practice. The recommended fix is to update MS SQL Server database connections on Ignition gateways (not individual Vision or Perspective runtime clients) to TLS 1.2 or 1.3. This might require configuration changes on the database server(s). Seek support from IT departments as applicable.

The IA Tech advisory includes instructions including links from Microsoft. Alternatively, it describes how to configure Java to connect using less secure TLS 1.0 or 1.1 (not recommended).

Update Ignition to 8.1.17 or greater. On April 19-21, 2022, Trend Micro’s Zero Day Initiative (ZDI) brought their Pwn2Own competition back to the ICS world for a second time at the S4x22 conference. Inductive Automation eagerly participated after a successful ICS Pwn2Own at S4x20.

The Pwn2Own competition resulted in 32 entries registered by 11 contestants. Of 6 entries targeting Ignition, 4 successfully demonstrated unique exploits, 1 was a duplicate, and 1 failed to be successfully demonstrated in the time allotted. All 6 entries targeting Ignition were responsibly disclosed to Inductive Automation. One additional finding was separately disclosed by researchers who were unable to compete.

Inductive Automation thanks the ZDI and all participating researchers.

See tech advisory for detailed information.

Informational. Ignition no longer supports Single Sign On (SSO) with native Active Directory user source profiles (LDAP based). There will not be a “fix” using this technology set. The implication is that a user must separately log on to Windows and Ignition environments (Designer, Gateway, and Clients). Inductive Automation recommends integration with Identity Providers using the modern OpenID Connect or SAML protocols. For Microsoft environments, this could be AzureAD or many other options.

Tech advisory link

No known Ignition impact. On April 13, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published National Cyber Awareness System (NCAS) Alert ICSA-22-102-03 (pdf Report)which mentioned an Advanced Persistent Threat (APT) tool for OPC-UA. See the OPC Foundation response.

Tech advisory link

Update Ignition to 8.1.0 or greater. On April 12, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published an Industrial Control Systems (ICS) Advisory ICSA-22-102-03 disclosing an Ignition security vulnerability that was patched in version 8.1.10.

The vulnerability enables an attack allowing placement of arbitrary files on the host OS of an Ignition Gateway if a privileged Ignition user restores a maliciously crafted backup file.

Tech advisory link

Informational. Inductive Automation completed a full audit of direct and transitive dependencies in Ignition to confirm that log4j vulnerabilities to not apply to any supported or unsupported release of Ignition, and as such it is not vulnerable to the RCE outlined in CVE-2021-44228 or Chainsaw GUI vulnerabilities associated with CVE-2022-23307. This includes LTS versions 7.9 and 8.1, as well as all past and non-LTS versions.

Tech advisory link.

Informational. Regression disclosure. Installing Ignition 8.1.8 resets network ports to default values (http=8080, http=8043, Gateway Network=8060). This build was promptly taken down and updated as 8.1.9. Quality assurance remedial actions were taken.

Tech advisory link.

Informational. Regression disclosure. Installing Ignition 8.1.6 introduces a problem when importing User Defined Type (UDT) tags. This build was promptly taken down and updated as 8.1.7. Quality assurance remedial actions were taken.

Tech advisory link.