CVE-2023-38124: 
Inductive Automation Ignition vulnerability analysis and mitigation

CVE-2023-38124 is a remote code execution vulnerability affecting Inductive Automation Ignition's OPC UA Quick Client Task Scheduling functionality. The vulnerability was discovered during the Pwn2Own Miami competition and disclosed on February 22, 2023. The flaw exists within the Ignition Gateway server and involves the exposure of a dangerous function that could allow authenticated attackers to execute arbitrary code (ZDI Advisory, Inductive Blog).

The vulnerability has been assigned a CVSS v3.0 base score of 7.2 (High) with the vector string AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The specific flaw exists within the Ignition Gateway server and stems from the exposure of a dangerous function. The vulnerability is classified as CWE-749 (Exposed Dangerous Method or Function) (ZDI Advisory).

If successfully exploited, this vulnerability allows an authenticated attacker to execute arbitrary code in the context of SYSTEM on affected installations of Inductive Automation Ignition. This could potentially lead to complete system compromise (ZDI Advisory).

Inductive Automation has released an update to address this vulnerability. Users are advised to upgrade to the latest version of Ignition. The fix was included in Ignition version 8.1.26, which was scheduled for stable release on March 21, 2023 (Inductive Blog).

The vulnerability was discovered during the Pwn2Own Miami competition by researcher '20urdjk'. Inductive Automation was commended by Zero Day Initiative (ZDI) for having the fastest response to the vulnerabilities found during the competition (Inductive Blog).