5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.8 High
AI Score
Confidence
High
0.845 High
EPSS
Percentile
98.5%
This updated advisory is a follow-up to the original advisory titled ICSA-20-147-01 Inductive Automation Ignition (Update A) that was published June 2, 2020, on the ICS webpage on us-cert.gov.
Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive information and perform remote code execution with SYSTEM privileges.
The following versions of Inductive Automation Ignition are affected:
The affected product lacks proper authentication required to query the server.
CVE-2020-12004 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
The affected product lacks proper validation of user-supplied data, which can result in deserialization of untrusted data.
CVE-2020-10644 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The affected product is vulnerable to the handling of serialized data. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data.
CVE-2020-12000 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
--------- Begin Update B Part 1 of 2 ---------
Sensitive information can be obtained through the handling of serialized data. The issue results from the lack of proper authentication required to query the server.
CVE-2020-14479 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
--------- End Update B Part 1 of 2 ---------
Pedro Ribeiro, Radek Domanski, Chris Anastasio (muffin), and Steven Seeley (mr_me) working with Trend Microβs Zero Day Initiative reported these vulnerabilities to CISA.
Inductive Automation recommends upgrading the Ignition software to v8.0.10
For those running v7.9.x, it is recommended to upgrade the Ignition software to v7.9.14
--------- Begin Update B Part 2 of 2 ---------
Please note CVE-2020-14479 does not have a fix in place. Induction Automation plans to correct this vulnerability in future product versions.
It is recommended to restrict interaction with the service to trusted machines. Only clients and servers with a legitimate procedural relationship should be permitted to communicate with the service. This can be done in various ways, most notably with firewall rules/allow listing.
For more information regarding software and patches, please refer to the specified version in Inductive Automationβs release notes.
--------- End Update B Part 2 of 2 ---------
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on us-cert.gov in the Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10644
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12000
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12004
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14479
cwe.mitre.org/data/definitions/306.html
cwe.mitre.org/data/definitions/306.html
cwe.mitre.org/data/definitions/502.html
cwe.mitre.org/data/definitions/502.html
inductiveautomation.com/downloads/ignition/8.0.13
inductiveautomation.com/downloads/releasenotes/7.9.14
inductiveautomation.com/downloads/releasenotes/8.0.10
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Inductive%20Automation%20Ignition%20%28Update%20B%29+https://www.cisa.gov/news-events/ics-advisories/icsa-20-147-01
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-20-147-01&title=Inductive%20Automation%20Ignition%20%28Update%20B%29
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-20-147-01
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-20-147-01
www.us-cert.gov/ics
www.us-cert.gov/ics
www.us-cert.gov/ics/alerts/ICS-ALERT-10-301-01
www.us-cert.gov/ics/recommended-practices
www.us-cert.gov/ics/tips/ICS-TIP-12-146-01B
www.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Inductive%20Automation%20Ignition%20%28Update%20B%29&body=www.cisa.gov/news-events/ics-advisories/icsa-20-147-01
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.8 High
AI Score
Confidence
High
0.845 High
EPSS
Percentile
98.5%