Inductive Automation announces security vulnerability fix

The ICS-CERT (Industrial Controls Systems Cyber Emergency Response Team) has received a report from Rubén Santamarta concerning a vulnerability in Ignition software from Inductive Automation. This vulnerability allows unauthorized users to download files containing important information about the system and project.

The vulnerability is exploitable by connecting a specific URL address. The successful connection to this URL results in a prompt to download files containing important details about system and project information, including authorized usernames and password hashes.

Inductive Automation has fixed the vulnerability and has issued a patch to address it. ICS-CERT has validated that this patch fully resolves this vulnerability.

Affected versions involved all Ignition versions prior to version 7.2.8.178.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture and product implementation.

To apply the patch, upgrade to any Ignition version higher than 7.2.8.178. The latest version of the 7.2 line is 7.2.11, which can be downloaded at http://www.inductiveautomation.com/downloads/ignition/archive.