Welcome to the Inductive Automation Trust Portal
Thousands of companies worldwide depend on Ignition every day
We are working to provide external versions of our policies. Please contact us if specific policies are needed.
Trust Center Updates
Inductive Automation Trust Center Updates [General]
As an update to our Technical Advisory of 8 August 2023, Inductive Automation is addressing the vulnerabilities disclosed earlier this month as a top priority. ZDI-CAN-17571 (XML External Entity, XXE) will be fixed in Ignition 8.1.32 (Sep 12th release). ZDI-CAN-20499 (OPC UA resource exhaustion) is on track for 8.1.33 (Oct 17th). We have completed design work, including threat modeling and attack surface analysis, and are implementing fixes for the Java deserialization vulnerabilities. Additional reports have been submitted to IA by security researchers following this month's ZDI disclosure. These are being verified in detail and are believed to be variants of existing submissions that will be addressed by the upcoming updates. In the meantime, these vulnerabilities can be mitigated by following the best practices in the Ignition Security Hardening Guide, especially proper network segmentation, keeping the environment up to date, and working only with trusted files and systems.
Today, the Zero Day Initiative (ZDI) published six security advisories related to Ignition 8.1. We are actively investigating and working on fixes. You can read our response to each of these advisories and our recommendations for mitigation at: https://support.inductiveautomation.com/hc/en-us/articles/18333051904653--Tech-Advisory-Regarding-the-Security-Advisories-Published-by-the-ZDI-on-8-August-2023
Trust Center Updates are the primary public information conduit for Coordinated Vulnerability Disclosure (CVD) with Ignition. Please subscribe for email updates. Posts and associated emails summarize Ignition-related vulnerabilities, issues, impact, and recommendations. Technical Advisory links will often include additional information.
Inductive Automation takes pride in its significant investment in stability, security, quality, and privacy throughout the Ignition secure Software Development Lifecycle (SDLC) and associated processes. This includes a commitment to prioritize resolution, proactively seek out vulnerabilities, and be transparent with our community. We regularly engage third-party penetration testers and participate in the S4x Pwn2Own competition each year!
Recommendations: Inductive Automation provides resources such as the Ignition Security Hardening Guide and the Ignition Server Sizing and Architecture Guide. The online user manual, Inductive University, and the forum also provide free resources. Paid training is also available.
Inductive Automation recommends partnering with one of the thousands of System Integrators who can help navigate the process of securing and assuring Ignition within the customer environment throughout the system lifecycle in accordance with business requirements.
Reporting and communication: Inductive Automation welcomes all feedback, especially on security-related matters. The best email address is: firstname.lastname@example.org, using the Inductive Automation public PGP key if encrypted communication is needed. Support, Account Representatives, and Sales Engineers are also available to help.
Ignition is back to ICS Pwn2Own S4x23 Miami 14-16 Feb. 2023 [General]
Inductive Automation has fixed an RCE vulnerability disclosed by the Zero Day Initiative (ZDI) and independently exploited by Team82 (Claroty) and the security researcher 20urdjk ("Urge") as part of the ICS Pwn2Own 2023 ethical hacking competition. The fix will be included in 8.1.26, available in the "nightly" build on Feb 17th.
Great work from ZDI, Claroty, "Urge", and the Inductive Automation Development and QA teams!!!
Announcement. Inductive Automation will be back to compete in the ICS/SCADA-themed Pwn2Own event at S4x in Miami for the “OPC UA Server” and “OPC UA Client” categories. Attack Scenarios are: Denial of Service (DOS), Remote Code Execution (RCE), Credential Theft, and Bypass Trusted Application Check. Other categories include “Data Gateway” and “Edge”.
Best of luck to all participants! Updates to follow as vulnerabilities are found and fixed!
Session token appears to exist in Ignition login URL. False Positive [General]
False positive. The recommended configuration is to enforce HTTPS (TLS 1.2+) with certificates issued by a trusted CA, in accordance with the Ignition Security Hardening Guide, and preferably to enable HSTS.
Background. Some cybersecurity scanning tools flag a URL such as "idp/default/authn/login?token=xxxx" on the assumption that the token is a session identifier. It is not. The token is a cryptographic nonce with a short time to live. Ignition uses it to orchestrate the handoff between the internal Ignition Identity Provider's OpenID Connect authorization endpoint and the authentication workflow. It is distinct from a nonce parameter that may also appear in the same URL.
The token is bound to the user's session, which is tracked by an HTTP cookie sent in the request headers; it cannot be redeemed from a different session. The session cookie is protected when Ignition is properly configured to use HTTPS. As long as the user's session is secure, the associated tokens are also secure even if they are leaked (for example in a proxy log or Referer header), because an attacker would need the session cookie, not just the token, and the token expires shortly after issuance.
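The following is an added illustration of the handoff pattern described above (it is not Ignition's implementation, and the class name, TTL value, cookie format and gateway.example host are assumptions). It shows why a token of this kind is harmless on its own: redeeming it requires the session cookie it was issued to, it is single-use, and it expires.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Added example, not Ignition code. HandoffTokenStore, the TTL and the host
# name below are assumptions made for illustration.

TOKEN_TTL_SECONDS = 60  # assumed "short time to live" for the URL token


class HandoffTokenStore:
    """One-time handoff tokens, each bound to the browser session that requested it."""

    def __init__(self, secret: bytes, ttl: int = TOKEN_TTL_SECONDS) -> None:
        self._secret = secret
        self._ttl = ttl
        # token -> (HMAC of the owning session id, expiry timestamp)
        self._pending: Dict[str, Tuple[str, float]] = {}

    def _bind(self, session_id: str) -> str:
        # Keep an HMAC of the cookie value rather than the cookie itself, so the
        # token table is not a second copy of live session identifiers.
        return hmac.new(self._secret, session_id.encode(), hashlib.sha256).hexdigest()

    def issue(self, session_id: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable nonce
        self._pending[token] = (self._bind(session_id), now + self._ttl)
        return token

    def redeem(self, token: str, session_id: str, now: Optional[float] = None) -> bool:
        """True only if the token is unexpired, unused, and presented with its own session cookie."""
        now = time.time() if now is None else now
        entry = self._pending.get(token)
        if entry is None:
            return False  # unknown or already consumed
        binding, expiry = entry
        if now > expiry:
            self._pending.pop(token, None)
            return False  # TTL elapsed
        if not hmac.compare_digest(binding, self._bind(session_id)):
            return False  # leaked token presented from a different session
        self._pending.pop(token, None)  # single use
        return True


def login_url(token: str) -> str:
    # The shape a scanner sees; gateway.example is a placeholder host.
    return f"https://gateway.example/idp/default/authn/login?token={token}"


def demo() -> Dict[str, bool]:
    """Walk through the cases the advisory relies on, with fixed timestamps."""
    store = HandoffTokenStore(secret=os.urandom(32))
    victim_cookie = "JSESSIONID=" + secrets.token_hex(16)    # constructed
    attacker_cookie = "JSESSIONID=" + secrets.token_hex(16)  # constructed
    t0 = 1_700_000_000.0

    token = store.issue(victim_cookie, now=t0)
    leaked = login_url(token)  # imagine this URL ending up in a proxy log
    leaked_token = leaked.split("token=", 1)[1]

    results = {
        "attacker_with_leaked_token": store.redeem(leaked_token, attacker_cookie, now=t0 + 5),
        "victim_redeems": store.redeem(leaked_token, victim_cookie, now=t0 + 5),
        "victim_replays": store.redeem(leaked_token, victim_cookie, now=t0 + 6),
    }
    stale = store.issue(victim_cookie, now=t0)
    results["victim_after_ttl"] = store.redeem(stale, victim_cookie, now=t0 + TOKEN_TTL_SECONDS + 1)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:28s} -> {'accepted' if accepted else 'rejected'}")
```

The only value that matters to an attacker is the session cookie, which is why the hardening recommendation above is about HTTPS and HSTS (protecting the cookie in transit) rather than about the token in the URL.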
Ignition is not impacted by OpenSSL vulnerabilities [Incidents]
After a comprehensive search for usage of the affected library, Inductive Automation has determined that Ignition has no reliance on OpenSSL 3.0.x and found no copy of it in the product.
Regarding CVE-2022-42889 (Apache Commons Text) [Incidents]
Informational. Recommend upgrading to Ignition 8.1.23+. Ignition 8 versions before 8.1.23 bundle a vulnerable version of the Apache Commons Text library. However, Inductive Automation assesses the vulnerability as "low risk" because Ignition does not invoke any of the vulnerable functions (the StringSubstitutor interpolators described in the CVE). In other words, a local cybersecurity scanning tool may flag the presence of the binary, but the associated exploits are unlikely to work.
Version 8.1.23+ updates the dependency to 1.10.0, which fixes the CVE.
Ignition Embedded SVG problem from 7.9.x (fixed 8.1.23) [General]
Informational. Low impact. Upgrade to 8.1.23+ to fix. Ignition 8 versions before 8.1.23 do not properly process SVG images that were stored by pre-release (Alpha and Beta) versions of 8.x (prior to April 10, 2019).
The tech advisory provides upgrade instructions.
Ignition Linux ARMv6 and ARMv7 compatibility (8.1.22 update) [General]
Informational. Ignition version 8.1.22, released 11/1/2022, includes an updated version of its Internal Database (SQLite) that requires a newer version of GLIBC on Linux systems running on ARMv6 and ARMv7 hardware.
The minimum required GLIBC version on ARMv6 and ARMv7 hardware will increase from v2.4 to v2.28. Consequently, some older operating systems that ship with older versions of GLIBC will be unable to run newer versions of Ignition.
The minimum required GLIBC version on x86-64 hardware remains v2.3.
Known affected: Debian 9 and its derivatives such as Raspbian 9 (Debian 9 reached EOL on June 30, 2022).
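An added pre-upgrade check (not Inductive Automation tooling) that applies the minimums stated above to a host. The architecture-to-minimum table is taken from the advisory; the function names and the use of Python's platform module to read the host's libc version are this example's own choices. Note that the comparison must be numeric: as strings, "2.3" sorts after "2.28", which would pass a host that should fail.

```python
import platform
import re
from typing import Optional, Tuple

# Added example. Minimum GLIBC per architecture family for Ignition 8.1.22+,
# as stated in the advisory above; other architectures are not covered by it.
MIN_GLIBC = {
    "armv6": (2, 28),
    "armv7": (2, 28),
    "x86_64": (2, 3),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.28' -> (2, 28). Integers, so (2, 3) < (2, 28) even though '2.3' > '2.28' as strings."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised GLIBC version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def arch_family(machine: str) -> Optional[str]:
    """Map `uname -m` style names (armv6l, armv7l, x86_64, amd64) onto the families in MIN_GLIBC."""
    m = machine.lower()
    if m.startswith("armv6"):
        return "armv6"
    if m.startswith("armv7"):
        return "armv7"
    if m in ("x86_64", "amd64"):
        return "x86_64"
    return None  # e.g. aarch64: the advisory says nothing about it


def glibc_ok(machine: str, glibc_version: str) -> Optional[bool]:
    """True/False against the advisory's minimums; None when the advisory does not cover this arch."""
    family = arch_family(machine)
    if family is None:
        return None
    return parse_version(glibc_version) >= MIN_GLIBC[family]


def check_this_host() -> Optional[bool]:
    """Run the same test against the host's own libc (glibc only; musl and others return None)."""
    libc, version = platform.libc_ver()
    if libc != "glibc":
        return None
    return glibc_ok(platform.machine(), version)


if __name__ == "__main__":
    print("host:", platform.machine(), platform.libc_ver(), "->", check_this_host())
```

Debian 9 ships GLIBC 2.24, so an ARMv7 Raspbian 9 host evaluates to False here, matching the "known affected" note above.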
Ignition CVE-2022-1704 (fixed 7.9.21 and 8.1.8) [Incidents]
Update Ignition to 8.1.8 or greater. On July 26, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published Industrial Control Systems (ICS) Advisory ICSA-22-207-01, disclosing Ignition security vulnerability CVE-2022-1704, which was patched in version 8.1.8.
The vulnerability enables an attacker to compromise an Ignition Gateway if a privileged Ignition user restores a maliciously crafted backup file.
Microsoft SQL Server Database compatibility. TLS v1.0 and v1.1 no longer supported by default. Recommend TLS 1.2+. [General]
Configure Ignition Gateway MS SQL Server connections to use TLS 1.2 or 1.3. Java security updates (Java 8u291+ and the corresponding Java 11.0.11+) disable TLS 1.0 and 1.1 by default, which is a recommended cybersecurity best practice. The recommended fix is to update MS SQL Server database connections on Ignition Gateways (not individual Vision or Perspective runtime clients) to TLS 1.2 or 1.3. This might require configuration changes on the database server(s). Seek support from IT departments as applicable.
The IA Tech Advisory includes instructions, with links to Microsoft documentation. It also describes how to configure Java to connect using the less secure TLS 1.0 or 1.1 (not recommended).
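The Java-side switch behind this advisory is the jdk.tls.disabledAlgorithms property in the JVM's java.security file: the 8u291 / 11.0.11 updates added TLSv1 and TLSv1.1 to it, and the "not recommended" workaround removes them again. The following added check (not IA tooling) parses a java.security file and reports whether both legacy protocols are still disabled, so a gateway that was quietly downgraded can be spotted. Both file excerpts are constructed for this example, not copied from a JDK.

```python
from typing import Dict, Set

# Added example. Constructed excerpt in java.security format with the
# post-April-2021 default: TLSv1 and TLSv1.1 listed as disabled.
HARDENED = """\
# constructed sample, not a real JDK file
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer
"""

# The workaround the advisory warns against: TLSv1 and TLSv1.1 removed again.
REENABLED_LEGACY = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL
"""


def parse_java_security(text: str) -> Dict[str, str]:
    """Minimal properties parser: '#'/'!' comments, key=value, backslash line continuations."""
    props: Dict[str, str] = {}
    logical = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line.startswith(("#", "!"))):
            continue
        if line.endswith("\\"):
            logical += line[:-1]  # continued on the next line
            continue
        logical += line
        key, sep, value = logical.partition("=")
        if sep:
            props[key.strip()] = value.strip()
        logical = ""
    return props


def disabled_protocols(props: Dict[str, str]) -> Set[str]:
    """Protocol-version entries (SSLv*/TLSv*) from jdk.tls.disabledAlgorithms."""
    raw = props.get("jdk.tls.disabledAlgorithms", "")
    return {item.strip() for item in raw.split(",")
            if item.strip().startswith(("SSLv", "TLSv"))}


def legacy_tls_blocked(props: Dict[str, str]) -> bool:
    """True when the JVM will refuse TLS 1.0 and 1.1, i.e. the advisory's recommended state."""
    return {"TLSv1", "TLSv1.1"} <= disabled_protocols(props)


def audit_java_security(path: str) -> bool:
    """Check a real file, e.g. <JAVA_HOME>/lib/security/java.security (path is the caller's)."""
    with open(path, encoding="utf-8") as f:
        return legacy_tls_blocked(parse_java_security(f.read()))


if __name__ == "__main__":
    print("hardened  :", legacy_tls_blocked(parse_java_security(HARDENED)))
    print("reenabled :", legacy_tls_blocked(parse_java_security(REENABLED_LEGACY)))
```

Run audit_java_security against the java.security of the JVM the Ignition Gateway actually starts with; a False result means the gateway will still negotiate TLS 1.0/1.1 to the database and the SQL Server side should be fixed instead.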
Ignition 2022 Pwn2Own Vulnerabilities (fixed 7.9.20 and 8.1.17). [General]
Update Ignition to 8.1.17 or greater. On April 19-21, 2022, Trend Micro's Zero Day Initiative (ZDI) brought its Pwn2Own competition back to the ICS world for a second time, at the S4x22 conference. Inductive Automation eagerly participated after a successful ICS Pwn2Own at S4x20.
The competition had 32 registered entries from 11 contestants. Of the 6 entries targeting Ignition, 4 successfully demonstrated unique exploits, 1 was a duplicate, and 1 was not successfully demonstrated in the time allotted. All 6 entries targeting Ignition were responsibly disclosed to Inductive Automation. One additional finding was separately disclosed by researchers who were unable to compete.
Inductive Automation thanks the ZDI and all participating researchers.
See tech advisory for detailed information.
Active Directory SSO Disabled for 8.1.17 & 7.9.20. Feature no longer safe. [General]
Informational. Ignition no longer supports Single Sign On (SSO) with native Active Directory user source profiles (LDAP based). There will not be a "fix" using this technology set. The implication is that a user must log on separately to Windows and to the Ignition environments (Designer, Gateway, and Clients). Inductive Automation recommends integrating with Identity Providers using the modern OpenID Connect or SAML protocols. For Microsoft environments, this could be Azure AD, among many other options.
CISA National Cyber Awareness System (NCAS) Alert AA22-103A. Informational. [General]
No known Ignition impact. On April 13, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published National Cyber Awareness System (NCAS) Alert AA22-103A (also available as a PDF report), which describes Advanced Persistent Threat (APT) tooling that includes a component targeting OPC UA servers. See the OPC Foundation response.
Ignition CVE-2022-1264 (patched 8.1.10) [Incidents]
Update Ignition to 8.1.10 or greater. On April 12, 2022 the Cybersecurity and Infrastructure Security Agency (CISA) published Industrial Control Systems (ICS) Advisory ICSA-22-102-03, disclosing Ignition security vulnerability CVE-2022-1264, which was patched in version 8.1.10.
The vulnerability allows an attacker to place arbitrary files on the host OS of an Ignition Gateway if a privileged Ignition user restores a maliciously crafted backup file.
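Both CVE-2022-1704 and CVE-2022-1264 above share the same trigger: a privileged user restores a crafted backup. This page does not describe how the crafted backups achieve their effect, and the following added example is not the Ignition code path or either bug; it illustrates the general class (an archive restore that writes outside its target directory) and the check a restore routine should run before extracting anything. The archive members, the restore directory and the function names are constructed for the example.

```python
import io
import os
import stat
import zipfile
from typing import Dict, List, Optional, Tuple

# Added example, not Ignition code. Member names below are constructed.
BENIGN: Dict[str, bytes] = {
    "config/gateway.xml": b"<gateway/>",   # constructed
    "db/config.idb": b"\x00" * 16,          # constructed
}
MALICIOUS = dict(BENIGN, **{"../../outside.txt": b"pwned"})  # path-traversal member
DEST = "/opt/ignition-restore-demo"  # assumed restore location; need not exist


def build_archive(entries: Dict[str, bytes], symlinks: Optional[Dict[str, str]] = None) -> bytes:
    """Build an in-memory zip; `symlinks` maps member name -> link target."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
        for name, target in (symlinks or {}).items():
            info = zipfile.ZipInfo(name)
            info.external_attr = (stat.S_IFLNK | 0o777) << 16  # unix mode lives in the high 16 bits
            zf.writestr(info, target)
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    return stat.S_ISLNK(info.external_attr >> 16)


def suspicious_entries(zip_bytes: bytes, dest: str) -> List[Tuple[str, str]]:
    """(member, reason) for every member that must not be extracted into dest."""
    root = os.path.realpath(dest)
    findings: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_symlink(info):
                # An extractor that honours symlinks would let later members write through it.
                findings.append((name, "symlink member"))
                continue
            if name.startswith(("/", "\\")) or (len(name) > 1 and name[1] == ":"):
                findings.append((name, "absolute path"))
                continue
            target = os.path.realpath(os.path.join(root, name))
            if os.path.commonpath([root, target]) != root:
                findings.append((name, "escapes restore directory"))
    return findings


def restore(zip_bytes: bytes, dest: str) -> None:
    """Check the whole archive first; refuse on any finding rather than skipping or rewriting members."""
    bad = suspicious_entries(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing to restore into {dest}: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest)


if __name__ == "__main__":
    print("benign   :", suspicious_entries(build_archive(BENIGN), DEST))
    print("malicious:", suspicious_entries(build_archive(MALICIOUS, {"lib/evil.so": "/etc/passwd"}), DEST))
```

Python's own zipfile.extractall silently strips traversal components, which is why the check is a separate pass that rejects the archive outright: a backup containing such members is hostile, and silently "fixing" it hides the attempt from the operator restoring it.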
Ignition not affected by Log4j vulnerability (CVE-2021-44228). [Incidents]
Informational. Inductive Automation completed a full audit of direct and transitive dependencies in Ignition to confirm that the Log4j vulnerabilities do not apply to any supported or unsupported release of Ignition, and as such it is not vulnerable to the RCE outlined in CVE-2021-44228 or the Chainsaw GUI vulnerabilities associated with CVE-2022-23307. This includes LTS versions 7.9 and 8.1, as well as all past and non-LTS versions.
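Two items above (the Apache Commons Text note, and this Log4j one) come down to the same practitioner question: which versions of a library are actually sitting in the install tree? The following added audit helper (not IA tooling) walks a directory, identifies jars by file name with a manifest fallback, and compares them against a watchlist. The Commons Text floor of 1.10.0 is the fix named on this page; the log4j-core floor of 2.17.1 (the upstream release that closed out the late-2021 Log4j 2 CVE series) and the install-tree layout in demo() are this example's assumptions. Real manifests use human-readable Implementation-Title values, so the fallback needs a mapping table in practice.

```python
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# Added example, not Inductive Automation tooling.
# commons-text 1.10.0 is the fix named on this page; the log4j-core floor is assumed.
WATCHLIST: Dict[str, Tuple[int, ...]] = {
    "commons-text": (1, 10, 0),
    "log4j-core": (2, 17, 1),
}

# artifact-1.2.3[.qualifier].jar; the non-greedy artifact stops at the first "-<digits>".
JAR_NAME = re.compile(
    r"^(?P<artifact>[A-Za-z0-9_.\-]+?)-(?P<version>\d+(?:\.\d+)*)(?:[-.][A-Za-z0-9]+)*\.jar$"
)


def version_tuple(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))


def identify_jar(path: str) -> Optional[Tuple[str, str]]:
    """(artifact, version) from the file name, falling back to the jar's manifest."""
    m = JAR_NAME.match(os.path.basename(path))
    if m:
        return m.group("artifact"), m.group("version")
    try:
        with zipfile.ZipFile(path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    fields = dict(line.split(":", 1) for line in manifest.splitlines() if ":" in line)
    title = fields.get("Implementation-Title", "").strip()
    version = fields.get("Implementation-Version", "").strip()
    return (title, version) if title and version else None


def scan_tree(root: str) -> List[dict]:
    """Every watchlisted jar under root, with ok=True when it meets the floor."""
    findings: List[dict] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            ident = identify_jar(path)
            if ident is None:
                continue
            artifact, version = ident
            floor = WATCHLIST.get(artifact)
            if floor is None:
                continue
            findings.append({"path": path, "artifact": artifact, "version": version,
                             "ok": version_tuple(version) >= floor})
    return findings


def _write_jar(path: str, title: str, version: str) -> None:
    """Constructed stand-in jar: a manifest only, no classes."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Title: {title}\n"
                    f"Implementation-Version: {version}\n")


def demo() -> List[dict]:
    """Build a constructed lib tree (layout is assumed, not Ignition's) and scan it."""
    root = tempfile.mkdtemp(prefix="jar-audit-")
    _write_jar(os.path.join(root, "lib", "commons-text-1.9.jar"), "commons-text", "1.9")
    _write_jar(os.path.join(root, "lib", "core", "commons-text-1.10.0.jar"), "commons-text", "1.10.0")
    _write_jar(os.path.join(root, "user-lib", "modules", "log4j-core-2.14.1.jar"), "log4j-core", "2.14.1")
    _write_jar(os.path.join(root, "lib", "jetty-server-9.4.48.v20220622.jar"), "jetty-server", "9.4.48")
    _write_jar(os.path.join(root, "lib", "renamed.jar"), "commons-text", "1.10.0")  # manifest fallback
    return sorted(scan_tree(root), key=lambda f: f["path"])


if __name__ == "__main__":
    for f in demo():
        print("OK  " if f["ok"] else "FLAG", f["artifact"], f["version"], f["path"])
```

A flagged commons-text below 1.10.0 means the gateway predates 8.1.23 and should be upgraded; no log4j-core finding at all is the result this page reports for Ignition.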
Ignition Critical Settings Issue (Port Reset in 8.1.8). Build removed. [General]
Informational. Regression disclosure. Installing Ignition 8.1.8 resets network ports to their default values (http=8080, https=8043, Gateway Network=8060). This build was promptly taken down and replaced by 8.1.9. Quality assurance remedial actions were taken.
Ignition Critical Settings Issue (UDT import overwrite in 8.1.6). Build removed. [General]
Informational. Regression disclosure. Installing Ignition 8.1.6 introduces a problem when importing User Defined Type (UDT) tags. This build was promptly taken down and replaced by 8.1.7. Quality assurance remedial actions were taken.