Inductive Automation releases Ignition version and Includes Important Security Update

  • Issue Date:

    May 16, 2022

  • Importance

    Very High

  • Summary

    Inductive Automation releases Ignition version and includes an important security update to correct vulnerabilities exposed at the S4x22 ICS security conference.

  • Systems Impacted

    Ignition SCADA Platform

Inductive Automation launches Ignition v8.1.17

Advisory Details

Again this year, at the S4 security conference (S4x22), Trend Micro’s Zero Day Initiative hosted an ethical hacker competition called Pwn2Own (pronounced pōn to own). With prizes in the tens of thousands of dollars, the best security researchers and white-hat hackers match skills to discover Zero Day vulnerabilities in industrial control software.

Inductive Automation’s Ignition product was one of ten products chosen and, put simply, was hacked. Teams exploited missing authentication and a file upload vulnerability to achieve Remote Code Execution on the Ignition servers.

Inductive Automation was able to analyze and repair the exposures and rapidly push out updates. More on that in the next section.

These bugs are not trivial. The teams spend up to three months analyzing the product’s attack surface.

Actions and/or Recommendations

Inductive Automation recommends that users plan updates to install the fixes in version 8.1.17. For version 7.9 users, the fixes have been backported and are available in version 7.9.20.

On or around July 12, 2022, Inductive Automation will publish a Technical Advisory describing the vulnerabilities.

Until then, begin to plan the Ignition upgrade to coincide with other maintenance activities or the next best opportunity. Continue to maintain mitigating controls and a secure and hardened network perimeter.

About REAL Matters and Mangan Inc.

REAL Matters advisories are published to communicate cybersecurity threats and risks within the Operational Technology (OT) environment and where Critical Infrastructure vulnerabilities are identified. The purpose of this newsletter is to inform, propose suggested approaches to mitigate the risk as well as provide feedback on how Mangan Cybersecurity is approaching the issue(s) addressed.

Mangan Inc. is a nationally-recognized Specialty Engineering, Automation, and Integration company, providing a full-range of services to the Oil & Gas, Refining, Pipeline, Chemicals, and Life Sciences Industries. Established in Long Beach, California in 1990, Mangan’s multiple office locations include sites in California, Georgia, New Hampshire, North Carolina, Texas, and Louisiana. Mangan’s 350+ employee-owners bring expertise, innovation, and safety as their core mission to some of the largest companies in the world.
