Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-35869 is an authentication bypass vulnerability affecting Inductive Automation Ignition version 8.1.15. It was discovered during the Pwn2Own 2022 competition at the S4x22 conference by researcher @sn_t from @pentestltd. The flaw exists within the com.inductiveautomation.ignition.gateway.web.pages component and allows unauthenticated remote attackers to bypass authentication on affected installations (ZDI Advisory).
The vulnerability stems from the Gateway Web Interface failing to require authentication before granting access to functionality. The issue was assessed as a critical privilege escalation vulnerability because it gives an attacker privileged access to the Ignition Gateway Config Page. NVD assigned a CVSS v3.1 base score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), while the Zero Day Initiative rated it 7.5 HIGH (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) (NVD).
Successful exploitation allows an attacker to bypass authentication on the system, specifically gaining unauthorized access to the Ignition Gateway Config Page. Because that page provides privileged access to critical gateway configuration, this access could lead to further compromise of the system (Vendor Advisory).
Inductive Automation has released patches addressing this vulnerability in versions 8.1.17 and 7.9.20. The vendor recommends that all customers upgrade to these versions or later. Additionally, customers should follow the Ignition Security Hardening Guide recommendations for environment configuration, including Defense in Depth strategies (Vendor Advisory).
The vulnerability was discovered during the ICS Pwn2Own competition at the S4x22 conference, where Ignition was registered in the Control Server category as one of 10 products selected as competition targets. The competition as a whole drew 32 entries registered by 11 contestants, with 6 entries specifically targeting Ignition (Vendor Advisory).
Source: This report was generated using AI