CVE-2020-14479: 
Inductive Automation Ignition vulnerability analysis and mitigation

CVE-2020-14479 is a security vulnerability affecting Inductive Automation Ignition software versions 7.0.0 through 7.9.14 and 8.0.1 through 8.0.10. The vulnerability was disclosed in July 2020 and stems from missing authentication for critical function, where sensitive information can be obtained through the handling of serialized data due to lack of proper authentication required to query the server (CISA Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). It is classified under CWE-306 (Missing Authentication for Critical Function). The vulnerability is network-accessible with low attack complexity, requires no privileges or user interaction, and can result in low confidentiality impact (CISA Advisory).

Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information through unauthorized server queries. The vulnerability affects critical infrastructure sectors including Critical Manufacturing, Energy, and Information Technology, primarily deployed in the United States (CISA Advisory).

As of July 2020, there was no direct fix available for CVE-2020-14479. Inductive Automation planned to address this vulnerability in future product versions. In the interim, it is recommended to restrict interaction with the service to trusted machines only. Organizations should implement firewall rules and allow listing to ensure that only clients and servers with legitimate procedural relationships can communicate with the service. Additionally, CISA recommends minimizing network exposure for all control system devices and ensuring they are not accessible from the Internet (CISA Advisory).