SRC-2022-0014 : Inductive Automation Ignition ScriptInvoke Remote Code Execution Vulnerability
CVE ID: CVE-2022-36126
CVSS Score: 7.2, (/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected Vendors: Inductive
Affected Products: Inductive Automation Ignition
Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within ScriptInvoke function.
The issue results from the unsafe use of user supplied python script code that is compiled and executed at runtime.
Inductive has issued an update to correct this vulnerability. More details can be found at: https://support.inductiveautomation.com/hc/en-us/articles/7625759776653
2022-04-22 – Sent to Inductive PSIRT
2022-05-12 – Coordinated public release of advisory
Proof of Concept: https://github.com/sourceincite/randy
Credit: This vulnerability was discovered by Chris Anastasio (muffin) and Steven Seeley (mr_me) of Incite Team