CVE-2022-35870: 
Inductive Automation Ignition vulnerability analysis and mitigation

CVE-2022-35870 is a deserialization vulnerability discovered in Inductive Automation Ignition 8.1.15 (b2022030114). The vulnerability was identified during the Pwn2Own 2022 competition by researcher @sn_t of @pentestltd. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed (ZDI Advisory).

The vulnerability exists within the com.inductiveautomation.metro.impl component and results from the lack of proper validation of user-supplied data, which can lead to deserialization of untrusted data. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified as CWE-502 (Deserialization of Untrusted Data) (ZDI Advisory).

An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM, potentially gaining complete control over the affected system (ZDI Advisory).

Inductive Automation has released an update to address this vulnerability. The vendor recommends upgrading to version 8.1.17 or later and hardening Gateway Network configuration by requiring certificate-based SSL/TLS and Two-Way Authentication as outlined in the Ignition Security Hardening Guide (Vendor Advisory).