CVE-2022-35871: 
Inductive Automation Ignition vulnerability analysis and mitigation

This vulnerability (CVE-2022-35871) affects Inductive Automation Ignition 8.1.15 (b2022030114) and allows remote attackers to execute arbitrary code. The vulnerability exists within the authenticateAdSso method and stems from a lack of authentication prior to allowing the execution of python code. The issue was discovered during the Pwn2Own 2022 competition by researchers Daan Keuper and Thijs Alkemade from Computest (ZDI Advisory, Vendor Advisory).

The vulnerability is classified as a missing authentication for critical function vulnerability (CWE-306). It has a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H. The specific flaw exists within the authenticateAdSso method, which is part of the 'classic' Active Directory authentication with Single Sign-On enabled feature. The vulnerability allows authentication bypass, enabling attackers to authenticate as any user (ZDI Advisory).

An attacker can leverage this vulnerability to execute code in the context of SYSTEM. The vulnerability grants attackers privileged access to the Ignition Designer, potentially allowing them to execute arbitrary code on the affected system. This could lead to complete system compromise, affecting the confidentiality, integrity, and availability of the system (Fortiguard IPS, ZDI Advisory).

Inductive Automation has released patches in versions 8.1.17 and 7.9.20 to address this vulnerability. The fix involves disabling the SSO feature, meaning that Ignition users will be prompted for a username and password each time they run the Designer or Vision Client. The 'SSO Enabled' setting on all AD User Source Profile configuration pages will be disabled and unavailable regardless of prior configuration (Vendor Advisory).

The vulnerability was discovered during the Pwn2Own competition at the S4x22 conference, where Ignition was registered in the Control Server category. The discovery was part of a successful demonstration by researchers from Computest Sector 7, highlighting the importance of security testing in industrial control systems (Vendor Advisory).