CVE-2023-38124
📋 TL;DR
This vulnerability in Inductive Automation Ignition allows authenticated remote attackers to execute arbitrary code with SYSTEM privileges by exploiting an exposed dangerous function in the OPC UA Quick Client task scheduling component. It affects Ignition Gateway installations where attackers have valid credentials. Successful exploitation gives complete control over affected systems.
💻 Affected Systems
- Inductive Automation Ignition
📦 What is this software?
Ignition by Inductive Automation
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling data theft, ransomware deployment, lateral movement, and persistent backdoor installation across the industrial control network.
Likely Case
Authenticated attackers with legitimate or stolen credentials gain full control over Ignition servers, potentially disrupting industrial operations, stealing sensitive process data, or manipulating control systems.
If Mitigated
With proper network segmentation, strong authentication controls, and least privilege principles, impact is limited to isolated systems with minimal operational disruption.
🎯 Exploit Status
Authentication is required, but exploit complexity is low once authenticated. The vulnerability was discovered through the Pwn2Own competition, which suggests weaponization is likely.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched version
Vendor Advisory: https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security
Restart Required: Yes
Instructions:
1. Check current Ignition version.
2. Download and apply latest security patch from Inductive Automation.
3. Restart Ignition Gateway service.
4. Verify patch installation.
🔧 Temporary Workarounds
Disable OPC UA Quick Client
All platforms: Disable the vulnerable OPC UA Quick Client component if not required for operations
Navigate to Ignition Gateway configuration > OPC UA settings > Disable Quick Client functionality
Network Segmentation
All platforms: Isolate Ignition servers from untrusted networks and implement strict firewall rules
Configure firewall to restrict access to Ignition ports (typically 8060, 8088) to authorized IPs only
🧯 If You Can't Patch
- Implement strict access controls and multi-factor authentication for all Ignition accounts
- Segment Ignition servers on isolated VLANs with strict egress filtering
🔍 How to Verify
Check if Vulnerable:
Check Ignition version against vendor advisory for affected versions. Review if OPC UA Quick Client is enabled in Gateway configuration.
Check Version:
Check Ignition Gateway web interface > About section or review ignition-gateway.log for version information
Verify Fix Applied:
Verify installed Ignition version matches or exceeds patched version from vendor advisory. Confirm OPC UA Quick Client functionality is either disabled or patched.
📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts to Ignition, unexpected process execution with SYSTEM privileges, abnormal OPC UA Quick Client activity
Network Indicators:
- Suspicious connections to Ignition Gateway ports (8060, 8088) from unauthorized sources, unusual outbound connections from Ignition server
SIEM Query:
source="ignition-gateway.log" AND ("authentication failed" OR "process execution" OR "OPC UA Quick Client")
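The SIEM query above as an offline triage script, added here as an example and not part of the original advisory or any vendor tooling. The sample log lines are constructed and their layout is an assumption; only the three search phrases come from the query.

```python
import re
from collections import Counter

# Phrases taken from the page's SIEM query; matched case-insensitively.
INDICATORS = ("authentication failed", "process execution", "OPC UA Quick Client")
PATTERN = re.compile("|".join(re.escape(p) for p in INDICATORS), re.IGNORECASE)

# Constructed sample lines; the layout is an assumption, not Ignition's real log format.
SAMPLE_LOG = """\
2023-08-01 10:00:01 INFO  gateway started
2023-08-01 10:02:13 WARN  Authentication failed for user 'operator' from 10.0.5.23
2023-08-01 10:02:15 WARN  authentication failed for user 'operator' from 10.0.5.23
2023-08-01 10:03:40 INFO  OPC UA Quick Client task scheduled by user 'operator'
2023-08-01 10:03:41 INFO  process execution requested by scheduled task
2023-08-01 10:05:00 INFO  tag provider heartbeat
"""

def scan(log_text):
    """Return (hits, counts): matching lines with line numbers, and a per-indicator tally."""
    hits, counts = [], Counter()
    canonical = {p.lower(): p for p in INDICATORS}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        found = {canonical[m.lower()] for m in PATTERN.findall(line)}
        if found:
            hits.append((lineno, sorted(found), line.strip()))
            counts.update(found)
    return hits, counts

def auth_then_quick_client(hits):
    """True when a Quick Client line follows an earlier authentication failure,
    the sequence worth a closer look given that this flaw requires valid credentials."""
    seen_auth_failure = False
    for _, found, _ in hits:
        if "authentication failed" in found:
            seen_auth_failure = True
        elif seen_auth_failure and "OPC UA Quick Client" in found:
            return True
    return False

if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LOG)
    for lineno, found, line in hits:
        print(f"line {lineno}: {', '.join(found)} :: {line}")
    print(dict(counts), "sequence flagged:", auth_then_quick_client(hits))
```
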
🔗 References
- https://inductiveautomation.com/blog/inductive-automation-participates-in-pwn2own-to-strengthen-ignition-security
- https://www.zerodayinitiative.com/advisories/ZDI-23-1015/