Inductive Automation returned to Florida once again to pit Ignition against some of the best security researchers in the world. Pwn2Own Miami — held during the S4x23 Conference and hosted by Zero Day Initiative (ZDI) — is a white-hat hacking competition focused on ICS/SCADA software with the intention of increasing security awareness through the ethical disclosure of vulnerabilities.
We take security seriously and wanted to let the Ignition community know how we are responding to the recently discovered security vulnerabilities in Ignition.
Why Get Pwned?
We believe that events like Pwn2Own are vital not only to our company and our software, but also to the Ignition community at large. By offering cash prizes, Pwn2Own incentivizes the most creative researchers and white-hat hackers to stretch their abilities (this year, there was $125,000 in prize money allotted for Ignition alone). As a company that is proactive about security, we asked to be tested this year and were active participants, sending IA employees to Florida to be present at the competition. This is because Pwn2Own offers a safe space to address previously unknown vulnerabilities before any potential bad actors can discover and exploit them.
The 2023 edition of Pwn2Own Miami was the third time Ignition has been involved in the competition. This year, there were four categories: OPC UA Server, OPC UA Client, Data Gateway, and Edge Systems. These categories align with the changing state of the ICS industry and the most current threats to SCADA systems.
What the Researchers Found
Unlike previous years, when Ignition was entered in the Control Server category, this year the focus was on OPC UA at both the server and client level. Ignition was targeted in three attack categories: Denial of Service (DoS), Remote Code Execution (RCE), and Bypass Trusted Application Check. Two teams, Team82 (Claroty) and 20urdjk "Urge", landed three successful attempts that exploited two unique vulnerabilities in the OPC UA Client and OPC UA Server categories.
Urge was the first to execute an RCE attack against Ignition, and Claroty repeated the same attack the next day. The vulnerability is a sort of "inverse RCE": rather than attacking the gateway's own exposed services directly, it relies on the Ignition gateway, acting as an OPC UA client, being pointed at an untrusted, attacker-controlled OPC UA server. Once the gateway connected, the malicious server could execute code on the gateway remotely as a user. The attack has an important precondition: an authenticated user who already holds config privileges on the Ignition gateway must create the OPC UA connection to the malicious server. In practice, that means the exposure comes from an attacker who has already obtained a config-level account, or from a privileged user being persuaded to add an attacker-controlled server endpoint, so limiting who holds config privileges and reviewing the OPC UA connections configured on a gateway reduces the risk until the fix is installed. Because the outcome is nonetheless remote code execution on the gateway, we rated this vulnerability as severe and have already fixed it in the forthcoming version of Ignition (see below for details).
Claroty also executed a successful DoS attack against Ignition. This attack abused the trust relationship between the gateway's OPC UA server and a client the gateway had already been configured to trust: the attacker had to act as, or control, an already-trusted client before the connection could be used to disrupt the server. Because it hinges on a trusted client connection rather than an anonymous one, we consider it less significant than the RCE, although it is a reminder that trusted OPC UA client certificates should be issued sparingly and removed from the trust list when a client is decommissioned.
How We’re Responding
First and foremost, we would like to congratulate both the Urge and Claroty teams, the latter of whom won the overall competition and the “Masters of Pwn” title. We appreciate the hard work these researchers put into finding vulnerabilities so that we can fix them. We would also like to thank S4, ZDI, and Trend Micro for hosting and funding Pwn2Own Miami and letting us participate.
Maintaining top-of-the-line security requires constant improvement, and Pwn2Own is a great way to test our current security features while revealing areas for improvement. It is worth noting that ZDI commended Inductive Automation for having the fastest response to the vulnerabilities found during the competition.
Additionally, our response is a good demonstration of our Coordinated Vulnerability Disclosure (CVD) process. Our method for testing, responding, and notifying the Ignition community when vulnerabilities are discovered is the same whether “in the wild” or in a competition format.
What You Can Do Now
As always, we recommend that all Ignition users stay up to date with the latest version of Ignition. The security update fixing the RCE vulnerability will be included in Ignition 8.1.26, which is scheduled for stable release on March 21st (the nightly build is available now). If you cannot upgrade immediately, limit which accounts hold config privileges on your gateways and audit the OPC UA server connections configured on them, since the RCE requires both a config-privileged user and a connection to an untrusted server. We will also release a technical advisory 90 days after the initial disclosure that will go into further detail about the researchers' findings.
We also encourage you to subscribe to the Security and Trust Portal to stay informed about the latest Ignition security information and updates.
Full Pwn2Own Miami 2023 Results: