CVE-2022-35871

7.8 HIGH

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary Python code with SYSTEM privileges on Inductive Automation Ignition installations. The flaw is in the authenticateAdSso method, which does not properly authenticate the caller before executing code. All systems running affected versions are vulnerable.

💻 Affected Systems

Products:
  • Inductive Automation Ignition
Versions: 8.1.15 (b2022030114) and potentially earlier versions
Operating Systems: Windows (SYSTEM context indicates Windows)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the Ignition platform used in industrial control systems and SCADA environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with SYSTEM privileges, allowing attackers to install malware, steal data, pivot to other systems, or disrupt industrial operations.

🟠 Likely Case: Remote code execution leading to data theft, ransomware deployment, or unauthorized access to industrial control systems.

🟢 If Mitigated: Limited impact if systems are isolated, monitored, and have additional security controls, though risk remains significant.

🌐 Internet-Facing: HIGH - No authentication required and remote exploitation makes internet-facing systems extremely vulnerable.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to network-based attacks without authentication requirements.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Discovered during Pwn2Own 2022, which suggests exploit development exists. The lack of an authentication requirement lowers the barrier to exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.1.16 or later

Vendor Advisory: https://support.inductiveautomation.com/hc/en-us/articles/7625759776653-Regarding-Pwn2Own-2022-Vulnerabilities

Restart Required: Yes

Instructions:

1. Download latest Ignition version from vendor portal.
2. Backup current installation.
3. Run installer to upgrade.
4. Restart Ignition services.
5. Verify version is 8.1.16 or higher.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Ignition systems from untrusted networks and internet access

Firewall Rules

all

Restrict access to Ignition ports (typically 8088, 8043) to trusted IPs only

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access
  • Deploy intrusion detection systems and monitor for suspicious Python execution

🔍 How to Verify

Check if Vulnerable:

Check Ignition version in Gateway Web Interface or via gateway status page

Check Version:

Check Gateway Web Interface at http://[ignition-server]:8088/main/system/gateway or review installation directory version files

Verify Fix Applied:

Confirm version is 8.1.16 or higher and test authentication requirements for Python execution
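
A version check for an inventory of gateways, as an added example (not vendor or advisory code): it compares the numeric version triple against 8.1.16 and marks a suffixed 8.1.16 build for review, which is an assumption about pre-release naming. Host names and every sample version string other than 8.1.15 (b2022030114) are constructed.

```python
import re

FIXED = (8, 1, 16)  # first fixed release, per the "Patch Version" line above

# Accepts "8.1.15", "8.1.15 (b2022030114)" and suffixed forms like "8.1.16-rc1".
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)"               # major.minor.patch
    r"(?P<suffix>[-+.]?[A-Za-z][\w.-]*)?"    # optional pre-release tag (assumed form)
    r"(?:\s*\(b(?P<build>\d+)\))?\s*$"       # optional build id
)

def classify(version):
    """Return 'vulnerable', 'review', 'patched' or 'unknown' for one version string."""
    m = VERSION_RE.match(version or "")
    if not m:
        return "unknown"  # unparseable: verify by hand, do not assume patched
    # Compare as integers: as strings, "8.1.9" would sort after "8.1.16".
    triple = tuple(int(part) for part in m.group(1, 2, 3))
    if triple < FIXED:
        return "vulnerable"
    if triple == FIXED and m.group("suffix"):
        return "review"   # assumption: a pre-release of 8.1.16 may lack the fix
    return "patched"

def audit(inventory):
    """Map gateway name -> status, ordered so the worst findings come first."""
    order = {"vulnerable": 0, "unknown": 1, "review": 2, "patched": 3}
    results = {host: classify(ver) for host, ver in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0])))

# Constructed inventory: versions as read from each gateway's status page.
SAMPLE = {
    "gw-line1": "8.1.15 (b2022030114)",
    "gw-line2": "8.1.16",
    "gw-lab": "8.1.16-rc1",
    "gw-hist": "8.1.9",
    "gw-dr": "not reported",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:10} {SAMPLE[host]:24} {status}")
```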

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated requests to authenticateAdSso method
  • Unexpected Python code execution
  • SYSTEM privilege escalation

Network Indicators:

  • Unusual traffic to Ignition ports from untrusted sources
  • Python execution requests without authentication

SIEM Query:

source="ignition" AND (method="authenticateAdSso" OR python_execution) AND auth_status="unauthenticated"
