Inductive Automation Ignition (Update B)

Act NowCVSS 9.8ICS-CERT ICSA-20-147-01May 26, 2020

Inductive Automation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Inductive Automation Ignition Gateway versions before 8.0.10 and 7.9.14 contain an unsafe deserialization vulnerability (CWE-502) that allows remote attackers without authentication to execute arbitrary code on the Gateway host. This affects all Ignition 8.x and 7.x Gateway installations. The vulnerability impacts the integrity, confidentiality, and availability of the automation system. CVE-2020-14479 does not have a fix available at this time; Inductive Automation plans to address it in future versions.

What this means

What could happen

An attacker with network access to an Ignition Gateway could execute arbitrary code and completely compromise the system, potentially disrupting process monitoring, control logic execution, and data logging in your automation infrastructure.

Who's at risk

Manufacturing facilities, utilities, and any organization using Inductive Automation Ignition for process visualization, data aggregation, and SCADA control should be concerned. This affects both Ignition 7 and 8 Gateway installations used for supervisory control and monitoring of industrial processes.

How it could be exploited

An attacker connects to the unpatched Ignition Gateway service from the network (no authentication required) and sends a specially crafted request that triggers unsafe deserialization (CWE-502), allowing arbitrary code execution on the Gateway host.

Prerequisites

Network access to the Ignition Gateway service port
No credentials required
Ignition 8.x running version before 8.0.10 OR Ignition 7.x running version before 7.9.14

Remotely exploitableNo authentication requiredLow complexity attackHigh EPSS score (20.9%)Affects control system infrastructureUnsafe deserialization vulnerability

Exploitability

Likely to be exploited — EPSS score 20.9%

Metasploit module available — weaponized exploitView module ↗

Affected products (2)

1 with fix1 EOL

ProductAffected VersionsFix Status

Ignition 8 Gateway:< 8.0.108.0.10

Ignition 7 Gateway:< 7.9.14No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDImplement firewall rules to restrict network access to the Ignition Gateway service to only known client and server machines that require legitimate communication

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade Ignition 8.x installations to version 8.0.10 or later

HOTFIXUpgrade Ignition 7.x installations to version 7.9.14 or later

Mitigations - no patch available

0/2

Ignition 7 Gateway: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate Ignition Gateway systems from the business network and the Internet using network segmentation

HARDENINGIf remote access to Ignition is needed, use a VPN with secure configuration and ensure it is kept current

CVEs (4)

CVE-2020-12004 CVE-2020-10644 CVE-2020-12000 CVE-2020-14479

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c1022b05-607d-4ce6-a063-a6dff31ea9d7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.