In a stark display of the ongoing threats to industrial automation, security researchers from Team82 at Claroty have discovered a series of vulnerabilities in two popular Operational Technology (OT) protocol clients: Inductive Automation's Ignition and Softing's edgeAggregator. Worryingly, the Claroty team demonstrated how these vulnerabilities could be chained to gain full control over the clients, up to and including remote code execution.
Both the Ignition and Softing systems are integral to industrial automation across diverse sectors. Amongst their crucial functions, these OT clients are instrumental in the creation and implementation of automation systems and in the gathering and visualisation of data. Exploitation of these features could therefore have far-reaching and severe repercussions.
By chaining several vulnerabilities, the Claroty team succeeded in taking total control of both clients. The vulnerabilities were assigned CVE-2023-27335, CVE-2023-38126, CVE-2023-38125, CVE-2023-38121 and CVE-2023-38124. The Claroty researchers combined 'old' and 'new' attack strategies to uncover zero days in both clients, exploiting the OPC UA client's trust in the data it receives from the OPC UA server.
Inductive Automation's Ignition is a software platform for industrial automation and control that is used across a range of industrial environments, including manufacturing, oil and gas, and water. When examining the Ignition OPC UA client, the researchers found that it contained a Cross-site Scripting (XSS) vulnerability, arising from insufficient sanitisation of data received over the OPC UA protocol before it was rendered in the client's web interface. The XSS vulnerability was then leveraged to perform actions on behalf of the logged-in user, ultimately leading to code execution.
Softing edgeAggregator offers its users a platform for efficient data management, designed to handle large volumes of industrial data from diverse sources. Like the Inductive Automation client, Softing edgeAggregator was also found to be susceptible to an XSS attack. In addition, the team identified an insecure backup-restore procedure on the Softing server that allowed an attacker to write arbitrary files to arbitrary locations, which culminated in remote code execution.
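Both findings above come down to the same root cause: the OPC UA client treats attribute values returned by the server (display names, descriptions, archive entries in a backup) as trusted, when they should be handled as untrusted input. The following is an added illustration, not code from Claroty, Inductive Automation or Softing, showing the two defensive checks in generic form: HTML-escaping server-supplied node text before it reaches a web UI, and rejecting backup archive members whose paths would escape the restore directory. The function names, the restore-root directory and the sample display name are constructed for this example.

```python
import html
import os
from pathlib import PurePosixPath
from typing import Optional

# Constructed sample: a DisplayName an OPC UA server could return for a node
# during a Browse. A client must treat any such attribute as untrusted input.
SAMPLE_DISPLAY_NAME = 'Pump1<script>alert(1)</script>'


def render_node_row_unsafe(display_name: str) -> str:
    """Vulnerable pattern: server-supplied text concatenated straight into HTML.
    A browser rendering this row executes whatever markup the server sent."""
    return f"<tr><td>{display_name}</td></tr>"


def render_node_row_safe(display_name: str) -> str:
    """Hardened pattern: HTML-escape every OPC UA attribute before it reaches the DOM,
    so markup characters are shown literally instead of being interpreted."""
    return f"<tr><td>{html.escape(display_name, quote=True)}</td></tr>"


def resolve_backup_member(restore_root: str, member_name: str) -> Optional[str]:
    """Hardened backup-restore path check (hypothetical helper).

    Returns the absolute destination path for an archive member if, and only if,
    it resolves to a location inside restore_root. Absolute names, Windows-style
    separators and any '..' component that climbs above the root are rejected,
    so a crafted archive cannot direct a file write elsewhere on the host.
    """
    root = os.path.realpath(restore_root)
    # Archives should only carry relative, forward-slash paths; anything else is suspect.
    if PurePosixPath(member_name).is_absolute() or "\\" in member_name or ":" in member_name:
        return None
    # realpath collapses '..' segments and resolves symlinks in existing components.
    candidate = os.path.realpath(os.path.join(root, member_name))
    # The resolved path must be the root itself or strictly below it.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    print("unsafe:", render_node_row_unsafe(SAMPLE_DISPLAY_NAME))
    print("safe:  ", render_node_row_safe(SAMPLE_DISPLAY_NAME))
    for member in ("config/settings.json", "../../etc/passwd", "/etc/passwd"):
        print(f"{member!r:>22} -> {resolve_backup_member('/tmp/restore_demo', member)}")
```

The same two rules apply whatever the client is written in: escape (or, better, render through a templating layer that escapes by default) every value that originated on the OPC UA server, and never let an archive entry choose its own destination path without resolving it and confirming it still sits under the directory you intended.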
These findings are concerning and have wide-ranging implications for the industries that rely on these systems. However, the vulnerabilities reported by Team82 have been fixed by both vendors. Softing and Inductive Automation users are advised to update their installations immediately, applying the available patches to protect their systems from these newly disclosed vulnerabilities.