CVE-2022-35869

9.8 CRITICAL

📋 TL;DR

CVE-2022-35869 is an authentication bypass vulnerability in Inductive Automation Ignition that allows remote attackers to access protected functionality without credentials. This affects Ignition 8.1.15 installations, enabling attackers to potentially gain unauthorized control of industrial control systems. The vulnerability exists in the web interface component and requires no authentication to exploit.

💻 Affected Systems

Products:
  • Inductive Automation Ignition
Versions: 8.1.15 (specifically build 2022030114)
Operating Systems: All platforms running Ignition
Default Config Vulnerable: ⚠️ Yes
Notes: This specific build version is vulnerable; other versions may also be affected but this was the version tested and confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial control systems, unauthorized access to critical infrastructure, manipulation of industrial processes, data theft, and potential physical damage to equipment.

🟠 Likely Case

Unauthorized access to Ignition Gateway, configuration changes, data exfiltration, and potential lateral movement within industrial networks.

🟢 If Mitigated

Limited impact if systems are isolated, have network segmentation, or additional authentication layers, though the core vulnerability remains exploitable.

🌐 Internet-Facing: HIGH - Directly exploitable without authentication, making internet-facing systems extremely vulnerable to attack.
🏢 Internal Only: HIGH - Even internally, the lack of authentication requirement makes this easily exploitable by any network-connected attacker.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

This vulnerability was discovered and exploited during Pwn2Own 2022, with public technical details available. The exploit requires no authentication and minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.1.16 or later

Vendor Advisory: https://support.inductiveautomation.com/hc/en-us/articles/7625759776653-Regarding-Pwn2Own-2022-Vulnerabilities

Restart Required: Yes

Instructions:

1. Download Ignition 8.1.16 or later from the Inductive Automation website.
2. Back up the current configuration and data.
3. Install the updated version following vendor instructions.
4. Restart the Ignition Gateway service.

🔧 Temporary Workarounds

Network Isolation (all platforms)

Isolate Ignition systems from untrusted networks and implement strict firewall rules.

Reverse Proxy with Authentication (all platforms)

Place a reverse proxy with additional authentication in front of the Ignition web interface.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Ignition systems from all untrusted networks
  • Deploy a web application firewall (WAF) with rules to detect and block authentication bypass attempts

🔍 How to Verify

Check if Vulnerable:

Check the Ignition version on the Gateway Configuration page or via the gateway status API. If the version is 8.1.15 (build 2022030114), the system is vulnerable.

Check Version:

Check the Gateway Status page at http://[ignition-server]:8088/main/system/gateway or use the Gateway API.

Verify Fix Applied:

Verify that the version shown in Gateway Configuration is 8.1.16 or later. Test the authentication requirements for all web interface endpoints.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated access to protected endpoints
  • Authentication bypass attempts in web server logs
  • Access to /main/system/gateway without proper credentials

Network Indicators:

  • HTTP requests to Ignition web interface without authentication headers
  • Unusual access patterns to protected endpoints

SIEM Query:

source="ignition" AND (url_path="/main/system/gateway" OR url_path CONTAINS "/web/") AND (auth_status="failed" OR auth_status="none")
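
The same filter applied offline to exported records, as an added example (not vendor or page code): the two auth_status alternatives are grouped so a record from another source never matches on auth_status alone. The field names come from the query above; the key=value record layout, the src_ip field and the sample lines are assumptions constructed for illustration.

```python
import shlex

# Field names (source, url_path, auth_status) come from the page's SIEM query.
# The key=value layout and src_ip field are assumptions, not Ignition's log format.
PROTECTED_EXACT = "/main/system/gateway"
PROTECTED_SUBSTR = "/web/"
SUSPECT_AUTH = {"failed", "none"}

# Constructed sample records (documentation IP ranges), not real gateway logs.
SAMPLE_LOG = '''\
ts=2022-06-01T10:00:01Z source="ignition" src_ip=192.0.2.10 url_path="/main/system/gateway" auth_status="none"
ts=2022-06-01T10:00:03Z source="ignition" src_ip=192.0.2.10 url_path="/web/config" auth_status="failed"
ts=2022-06-01T10:00:09Z source="ignition" src_ip=198.51.100.7 url_path="/web/status" auth_status="ok"
ts=2022-06-01T10:00:12Z source="nginx" src_ip=203.0.113.5 url_path="/index.html" auth_status="none"
ts=2022-06-01T10:00:15Z source="ignition" src_ip=192.0.2.10 url_path="/main/system/gateway" auth_status="none"
'''

def parse_record(line):
    """Split one key=value line into a dict; shlex strips the quotes around values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def is_suspect(rec):
    """All three conditions must hold; the auth_status alternatives are one group."""
    path = rec.get("url_path", "")
    return (
        rec.get("source") == "ignition"
        and (path == PROTECTED_EXACT or PROTECTED_SUBSTR in path)
        and rec.get("auth_status") in SUSPECT_AUTH
    )

def suspects_by_client(log_text):
    """Return {src_ip: [url_path, ...]} for records matching the filter."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if is_suspect(rec):
            hits.setdefault(rec.get("src_ip", "unknown"), []).append(rec["url_path"])
    return hits

if __name__ == "__main__":
    for ip, paths in suspects_by_client(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} suspect request(s) -> {paths}")
```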
