SRC-2022-0014 : Inductive Automation Ignition ScriptInvoke Remote Code Execution Vulnerability

CVE ID: CVE-2022-36126

CVSS Score: 7.2, (/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Affected Vendors: Inductive

Affected Products: Inductive Automation Ignition

Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within ScriptInvoke function.

The issue results from the unsafe use of user supplied python script code that is compiled and executed at runtime.

Vendor Response:

Inductive has issued an update to correct this vulnerability. More details can be found at: https://support.inductiveautomation.com/hc/en-us/articles/7625759776653

Disclosure Timeline:

• 2022-04-22 – Sent to Inductive PSIRT

• 2022-05-12 – Coordinated public release of advisory

Proof of Concept: https://github.com/sourceincite/randy

Credit: This vulnerability was discovered by Chris Anastasio (muffin) and Steven Seeley (mr_me) of Incite Team