CVE-2022-35890

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to predict previously generated session IDs in Inductive Automation Ignition, enabling session hijacking. Attackers can take over active user sessions in Designer and Vision Client components. Systems running vulnerable versions of Ignition are affected.

💻 Affected Systems

Products:
  • Inductive Automation Ignition
Versions: 7.x before 7.9.20, and 8.x before 8.1.17
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both Designer and Vision Client components. All default configurations are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Ignition systems, unauthorized access to industrial control systems, data theft, and potential manipulation of industrial processes.

🟠 Likely Case

Session hijacking leading to unauthorized access to Ignition interfaces, privilege escalation, and data exfiltration from affected systems.

🟢 If Mitigated

Limited impact with proper network segmentation, but still potential for unauthorized access within the Ignition environment.

🌐 Internet-Facing: HIGH - Internet-facing Ignition instances are directly exploitable by remote attackers.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The Randy exploit tool is publicly available and demonstrates session ID prediction and hijacking.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.9.20 and 8.1.17

Vendor Advisory: https://support.inductiveautomation.com/hc/en-us/articles/7625759776653

Restart Required: Yes

Instructions:

1. Download and install Ignition version 7.9.20 or 8.1.17 from the Inductive Automation website.
2. Stop all Ignition services.
3. Run the installer.
4. Restart Ignition services.
5. Verify the update completed successfully.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Ignition systems from untrusted networks and implement strict firewall rules.

Session Timeout Reduction

all

Reduce session timeout values to limit the window for session hijacking.

🧯 If You Can't Patch

  • Implement strict network access controls to limit connections to Ignition systems
  • Monitor for unusual session activity and implement session termination policies

🔍 How to Verify

Check if Vulnerable:

Check the Ignition version in the Gateway Web Interface under Status > About, or run 'java -jar ignition.jar --version' from the installation directory.

Check Version:

java -jar ignition.jar --version

Verify Fix Applied:

Confirm version is 7.9.20 or higher for Ignition 7, or 8.1.17 or higher for Ignition 8.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login from different IP
  • Session ID reuse from different source IPs
  • Unusual session creation patterns

Network Indicators:

  • Unexpected connections to Ignition ports (typically 8088, 8043)
  • Traffic patterns indicating session hijacking attempts

SIEM Query:

source="ignition.log" AND ("session hijack" OR "invalid session" OR "session ID mismatch")
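
The "Session ID reuse from different source IPs" indicator listed above can be checked with a short script over exported session events. This is an added example, not part of the advisory or of Ignition: the key=value log format, the field names and the 30-minute window are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed key=value format
# (not Ignition's real log format). Assumed to be in chronological order.
SAMPLE_LOG = """\
2022-08-01T10:00:00 src=10.0.0.5 session=a1f3 user=operator1
2022-08-01T10:02:10 src=10.0.0.5 session=a1f3 user=operator1
2022-08-01T10:03:00 src=10.0.0.9 session=b7c2 user=engineer2
2022-08-01T10:04:30 src=192.0.2.44 session=a1f3 user=operator1
malformed line without fields
2022-08-01T18:30:00 src=10.0.0.77 session=b7c2 user=engineer2
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) session=(\S+) user=(\S+)$")

def find_session_reuse(log_text, window=timedelta(minutes=30)):
    """Return one alert per event where a session ID shows up from a source IP
    different from its previous event, within `window` of that event.
    The window limits noise from legitimate address changes (DHCP, VPN
    reconnect); tune it to the configured session timeout."""
    last_seen = {}   # session id -> (timestamp, source ip) of most recent event
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse instead of failing
        ts = datetime.fromisoformat(m.group(1))
        src, session, user = m.group(2), m.group(3), m.group(4)
        prev = last_seen.get(session)
        if prev and prev[1] != src and ts - prev[0] <= window:
            alerts.append({"session": session, "user": user,
                           "previous_ip": prev[1], "new_ip": src, "time": ts})
        last_seen[session] = (ts, src)
    return alerts

if __name__ == "__main__":
    for a in find_session_reuse(SAMPLE_LOG):
        print(f"{a['time'].isoformat()} session {a['session']} ({a['user']}) "
              f"moved {a['previous_ip']} -> {a['new_ip']}")
```
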
