On April 19-21, 2022, Trend Micro’s Zero Day Initiative (ZDI) brought their Pwn2Own competition back to the ICS world for a second time at the S4x22 conference. Inductive Automation eagerly participated after a successful ICS Pwn2Own at S4x20.
Ignition was registered in the Control Server category as one of 10 products selected as competition attack targets. Rules of engagement dictated that attempts be launched against the target’s exposed network services or by opening default file types from the contestant’s laptop. An entry is deemed successful if it results in arbitrary code execution.
The Pwn2Own competition resulted in 32 entries registered by 11 contestants. Of 6 entries targeting Ignition, 4 successfully demonstrated unique exploits, 1 was a duplicate, and 1 failed to be successfully demonstrated in the time allotted. All 6 entries targeting Ignition were responsibly disclosed to Inductive Automation. One additional finding was disclosed and remediated by researchers who were unable to compete in this year’s competition.
Inductive Automation thanks the ZDI and all participating researchers. As a part of the Ignition Secure Development Lifecycle, each disclosure is thoroughly analyzed, internally reproduced, and addressed expeditiously. Resolution is prioritized by risk with all confirmed high-severity vulnerabilities prioritized for immediate remediation.
This report summarizes the Ignition vulnerabilities associated with Pwn2Own 2022 including actions taken and future plans. All critical vulnerabilities leading to unauthenticated Remote Code Execution (RCE) have been patched in Ignition 8.1.17 and 7.9.20. Secondary vulnerabilities requiring privileged access have either been patched or are acknowledged tickets. Lessons learned feed customer security guidance for environment configuration including Defense in Depth strategies as outlined in the Ignition Security Hardening Guide. Inductive Automation recommends that all customers keep Ignition current to protect their systems from known vulnerabilities.
Gateway Web Interface Authentication Bypass + Gateway Network Insecure Deserialization
The first entry targeting Ignition was attempted by @_s_n_t from @pentestltd on the first day of the competition. The contestant was able to successfully demonstrate an unauthenticated Remote Code Execution (RCE) attack through a chain of vulnerabilities. The vulnerability applies to the Ignition Gateway (server).
The first vulnerability in the chain is assessed as a critical privilege escalation vulnerability because it grants an attacker privileged access to the Ignition Gateway Config Page; it has been fully patched in versions 8.1.17 and 7.9.20. It involved bypassing the authentication layer that protects the Gateway Web Interface (Home, Status, and Config pages).
The second vulnerability in the chain exploited a deserialization weakness in a trusted Gateway Network connection. Building on the privilege escalation above, the contestant crafted a special payload that allowed arbitrary code execution on the target Gateway.
The second vulnerability was assessed at the moderate severity level. It is interesting, but not critical, due to the fact that an attacker with privileged access has many legitimate options to execute arbitrary code by design. The crafted payload executes code in a way that was not designed, but effectively requires code execution privileges to carry out. Inductive Automation acknowledges the issue, and is looking into secure design patterns to address the larger class of vulnerability.
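The allowlist filter below is an added illustration of the secure design pattern that addresses this class of weakness; it uses Java's standard `ObjectInputFilter` and is not Ignition's own Gateway Network code. The receiving side decides which classes a trusted peer may send before any object is instantiated, and bounds the size of the object graph. `HeartbeatMessage` and the `readMessage` API are hypothetical names chosen for the example.

```java
import java.io.*;
import java.util.Set;

public class AllowlistDeserializer {
    // Hypothetical message type that a trusted peer is expected to send.
    public static final class HeartbeatMessage implements Serializable {
        final String peerName;
        HeartbeatMessage(String peerName) { this.peerName = peerName; }
    }
    // Classes the receiver agrees to instantiate from the stream. Anything else is
    // rejected before any constructor, readObject or readResolve logic can run.
    private static final Set<String> ALLOWED =
            Set.of(HeartbeatMessage.class.getName(), String.class.getName());

    static final ObjectInputFilter FILTER = info -> {
        // Bound the object graph so a hostile stream cannot exhaust memory or stack.
        if (info.depth() > 4 || info.references() > 64 || info.arrayLength() > 0) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) return ObjectInputFilter.Status.UNDECIDED; // callback without a class
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    // Reads one message from bytes received over the (assumed) authenticated channel.
    public static Object readMessage(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        HeartbeatMessage ok = (HeartbeatMessage) readMessage(serialize(new HeartbeatMessage("gw-a")));
        System.out.println("accepted: " + ok.peerName);
        try {   // a class that is not on the allowlist is refused before it is instantiated
            readMessage(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter runs for every class, string and array encountered in the stream, so the allowlist must name every type a legitimate message can contain, including `String`.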
Inductive Automation recommends that all customers upgrade to 8.1.17 / 7.9.20 or greater and harden their Gateway Network configuration by requiring certificate-based SSL / TLS and Two-Way Authentication as outlined in the Ignition Security Hardening Guide.
Below is a table which maps these vulnerabilities to their various identifiers:
Description | ZDI-CAN | Ignition Ticket(s) | CVE ID
--- | --- | --- | ---
Gateway Web Interface Authentication Bypass | 17211 | IGN-5909 (8.1), IGN-5920 (7.9) | CVE-2022-35869
Gateway Network Insecure Deserialization | 17265 | IGN-6308 (Target Version TBA) | CVE-2022-35870
Designer / Vision Client Authentication Bypass using Vulnerable AD SSO Implementation
The second entry targeting Ignition was attempted by Daan Keuper (@daankeuper) and Thijs Alkemade (@xnyhps) from Computest Sector 7 (@sector7_nl) on the first day of the competition. The contestants were able to successfully demonstrate an unauthenticated RCE attack through a chain of vulnerabilities. The vulnerability applies to Ignition Vision and Designer clients when “classic” Active Directory authentication is configured with Single Sign-On enabled.
“Single Sign-On” (SSO) is an optional convenience feature supporting all classic “Active Directory” (AD) authentication strategies. User credentials are borrowed from the local Windows session to log on to an Ignition environment without prompting for username and password.
The first vulnerability in the chain is assessed as a critical privilege escalation vulnerability due to granting an attacker privileged access to the Ignition Designer. The exploit involved bypassing the authentication layer associated with establishing Designer and Vision sessions by exploiting a key weakness in the AD SSO implementation, allowing authentication as any user. The technology employed is no longer considered safe from modern threats. The fix is to disable the SSO feature, meaning that Ignition users will be prompted for a username and password each time they run the Designer or Vision Client. Customers upgrading to 8.1.17 / 7.9.20 or greater will notice that the “SSO Enabled” setting on all AD User Source Profile configuration pages will now be disabled and unavailable regardless of prior configuration. A manual workaround is available upon request, but strongly discouraged.
The second vulnerability in the chain involved invoking a privileged Gateway web service to execute arbitrary Jython code, which the contestants used to remotely execute code. This vulnerability is assessed as moderate due to requiring privileged access to perform. The vulnerability has been patched in 8.1.17 and 7.9.20. It is assessed that motivated attackers could find other ways to execute code given the credentials granted from the first successful privilege escalation attack.
This attack highlights the importance of limiting access to the Designer and Gateway Web Interface based on the Principle of Least Privilege. As a general rule: entrust users with Designer and Gateway Web Interface privileges at the same permission level as the service account executing the Ignition process.
Inductive Automation recommends that all customers upgrade to the latest version of Ignition to protect themselves from known vulnerabilities and harden their environment per Ignition Security Hardening Guide recommendations.
Below is a table which maps the AD SSO implementation vulnerability to its various identifiers:
Description | ZDI-CAN | Ignition Ticket(s) | CVE ID
--- | --- | --- | ---
Designer / Vision Client Authentication Bypass using Vulnerable AD SSO Implementation | 17206 | IGN-5922 (8.1), IGN-5924 (7.9) | CVE-2022-35871
Exchange Package Import – Unrestricted Execution of Jython Scripts
The third entry targeting Ignition was attempted by a contestant using the handle “20urdjk” on the first day of the competition. The contestant was able to successfully demonstrate an authenticated RCE attack.
In order to pull off the attack, the contestant crafted an exchange package which contained a project with embedded code. By design, once a privileged user imports an exchange package, the project may include scripts.
Similar to CVE-2022-1264, since this vulnerability requires authentication of a user with config page privileges, this vulnerability is assessed at a moderate severity. Ignition is an Industrial Application Development Platform, therefore it will always be possible, by design, to remotely execute code on the Gateway given appropriate privileges.
Inductive Automation intends to add an extra warning before a user imports external packages (to be targeted in a future release). The warning will make it clear to the user that they are about to import resources which may contain arbitrary scripts which will be executed during and/or after the import process, therefore it is critical that the user trusts the origin and the author of the exchange package and has done their due diligence in inspecting and trusting its contents prior to the import. IA is also researching other safety features to help safeguard privileged and legitimate users from importing potentially malicious resources. For now, privileged users must do their own due diligence in understanding the risk of external content that they import.
Below is a table which maps the exchange import vulnerability to its various identifiers:
Description | ZDI-CAN | Ignition Ticket(s) | CVE ID
--- | --- | --- | ---
Exchange Package Import - Unrestricted Execution of Jython Scripts | 16949 | IGN-6307 (Target Version TBA) | CVE-2022-35873
Project Import – Unrestricted Execution of Jython Scripts
The fourth entry targeting Ignition was attempted by the Flashback Team of Pedro Ribeiro (@pedrib1337) and Radek Domanski (@RabbitPro) on the first day of the competition. The contestants were able to successfully demonstrate an authenticated RCE attack, though ZDI deemed it a duplicate, likely due to the fact that the exchange package import vulnerability described above was disclosed before this one and both vulnerabilities use a similar attack vector.
In order to pull off the attack, the contestants crafted a project export containing malicious scripts. By design, a privileged user may import a project containing scripts.
This vulnerability is assessed at a moderate severity due to requiring authentication and authorization of Designer privilege. Ignition is an Industrial Application Development Platform, therefore it will always be possible to remotely execute code on the Gateway with appropriate privileges by design.
Inductive Automation will add an extra warning before a privileged user imports external project resources (to be targeted in a future release). IA is also researching other safety features to help safeguard privileged and legitimate users from importing potentially malicious resources. For now, privileged users must do their own due diligence in understanding what they are about to import into the Gateway or Designer before they commit to importing it.
Project Import – Insecure Deserialization of Project Resources
The fifth entry targeting Ignition was attempted by Piotr Bazydło (@chudyPB) on the second day of the competition. The contestant was able to successfully demonstrate an authenticated RCE attack using a chain of vulnerabilities.
The first vulnerability in the chain involved taking advantage of a weakness in the deserialization of specific project resources.
The second vulnerability in the chain is very similar to the previous two entries: the contestant embedded malicious project resources as part of a project import.
Since the user must have Config Page or Designer privileges to pull off such an attack, this vulnerability is assessed at a moderate severity. IA plans to implement a stronger warning before users import a project, and intends to research other mechanisms to safeguard privileged and legitimate users from importing items which may execute potentially malicious scripts.
Below is a table which maps the chain of vulnerabilities to its various identifiers:
Description | ZDI-CAN | Ignition Ticket(s) | CVE ID
--- | --- | --- | ---
Project Import - Insecure Deserialization of Project Resources | 17115 | IGN-6307 (Target Version TBA) | CVE-2022-35872
Designer / Vision Client Session Hijacking Using Weak Session ID Generator
The sixth entry targeting Ignition was attempted by the Incite Team of Steven Seeley (@steventseeley) and Chris Anastasio (@mufinnnnnnn) on the second day of the competition. The contestants were unable to demonstrate their unauthenticated RCE attack in the 5 minutes allotted. However, the researchers responsibly disclosed their findings directly to IA and a zero day vulnerability was confirmed.
The vulnerability involves a weakness in how Designer and Vision Client Session IDs were generated. The researchers were able to exploit this weakness to determine which session IDs were generated in the past and were able to then hijack sessions assigned to these IDs. Once the session was hijacked, the RCE was performed using a legacy Gateway RPC function “ScriptInvoke”. This function normally requires authentication, but this authentication could be bypassed by hijacking another user’s authenticated session using the earlier mentioned vulnerability.
Inductive Automation determined the root cause of the vulnerability and patched the code the day after it was disclosed. Since both 7.9 and 8.1 LTS versions were affected, both versions received the patch. It is recommended that all users upgrade to version 8.1.17 / 7.9.20 or greater ASAP.
Below is a table which maps the session hijacking vulnerability to its various identifiers:
Description | ZDI-CAN | Ignition Ticket(s) | CVE ID
--- | --- | --- | ---
Designer / Vision Client Session Hijacking using Weak Session ID Generator | N/A | IGN-5991 (8.1), IGN-5992 (7.9) | CVE-2022-35890
RCE using ScriptInvoke | N/A | IGN-5934 (8.1), IGN-5935 (7.9) | CVE-2022-36126
Gateway Network Authentication Bypass + Gateway Network Insecure Deserialization
Security researchers who go by the handles “nxhoang99”, “q5ca”, and “rskvp93” from VcsLab of Viettel Cyber Security were unable to participate in Pwn2Own this year, but they prepared an entry and responsibly disclosed it directly to IA after the Pwn2Own competition ended. IA confirmed the existence of one new zero day vulnerability.
The new zero day vulnerability involved a weakness in the Gateway Network authentication layer leading to an unauthenticated remote code execution that has been patched in Ignition version 8.1.17 and 7.9.20.
Inductive Automation recommends that all customers upgrade to 8.1.17 / 7.9.20 or greater and harden their Gateway Network configuration by requiring certificate-based SSL / TLS and Two-Way Authentication as outlined in the Ignition Security Hardening Guide.
Below is a table which maps the Gateway Network Authentication Bypass vulnerability to its various identifiers:
Description | ZDI-CAN | Ignition Ticket(s) | CVE ID
--- | --- | --- | ---
Gateway Network Authentication Bypass | N/A | IGN-5941 (8.1), IGN-5945 (7.9) | TBD
Upgrade Ignition:
Additional Information:
About ZDI:
https://www.zerodayinitiative.com/about/
Pwn2Own Results:
https://www.zerodayinitiative.com/blog/2022/4/14/pwn2own-miami-2022-results