Researcher Exposes Inductive Automation Ignition Vulnerabilities: CVE-2023-39475 & 39476

In January 2010, Inductive Automation introduced the Ignition platform, an integrated software solution for SCADA systems. Built on a robust SQL Database-centric architecture, Ignition transformed the SCADA landscape with its cross-platform web-based deployment through Java Web Start technology. Comprising the Ignition Gateway, the Designer, and runtime clients, it offers modules for Real-Time Status Control, Alarming, Reporting, Data Acquisition, Scripting, Scheduling, MES, and Mobile support. However, beneath its technological prowess, two critical vulnerabilities lurk, posing a formidable threat to the integrity of the system.

The DoubleTrouble: CVE-2023-39475 and CVE-2023-39476

Security researcher Rocco Calvi brings to light the exploitation of two deserialization vulnerabilities in Ignition – CVE-2023-39475 and CVE-2023-39476. With a CVSS score of 9.8, these vulnerabilities allow remote attackers to execute arbitrary code on affected systems, bypassing any need for authentication. This breach could lead to complete system compromise, data theft, and unauthorized control.

DoubleTrouble: A Proof-of-Concept

Calvi’s contribution goes beyond mere identification. He published a repository on GitHub named ‘DoubleTrouble,’ offering an in-depth look at these vulnerabilities and their exploitation methods. Serving as a proof-of-concept, DoubleTrouble not only illustrates the exploitation process but also provides valuable insights into the mechanics of these vulnerabilities. It specifically targets Ignition versions 8.1.22 to 8.1.24, confirming their vulnerability.

Affected Versions

The affected versions of Inductive Automation’s Ignition software are as follows:

• Version 8.1.22
• Version 8.1.23
• Version 8.1.24

The root cause of CVE-2023-39475 and CVE-2023-39476

At the heart of these vulnerabilities lie the JavaSerializationCodec and ParameterVersionJavaSerializationCodec classes in Ignition version 8.1.24 and below. The specific flaws exist within the decode methods of these classes, where there is a glaring absence of proper input validation on untrusted data. This oversight provides attackers with an opening to inject malicious code into the targeted system, which then executes with NT AUTHORITY/SYSTEM privileges – a virtual open door to the system’s control center.

Inductive Automation’s Response

Awareness of these vulnerabilities has reached Inductive Automation, and a clarion call has been made to users of Ignition version 8.1.24 and below. The recommendation is clear and urgent: update to the latest version as soon as possible to shield against potential exploitation. The proof-of-concept exploit developed with the RCE gadget serves as a demonstration of how these vulnerabilities can be weaponized in real-world scenarios.

The revelation of these vulnerabilities in the Ignition software serves as a stark reminder of the constant vigilance required in the realm of cybersecurity. It highlights the importance of regular updates and proactive security measures. For systems as critical as SCADA, where control and data integrity are paramount, addressing such vulnerabilities is not just a matter of maintenance; it’s a necessity for survival in the treacherous waters of cyberspace.