Claroty Team82 discovers cyber security threats to industrial automation systems

In a stark display of persistent threats to industrial automation, security researchers from Team82 at Claroty have discovered a number of vulnerabilities in popular Operational Technology (OT) protocol clients: Inductive Automation Ignition and Softing edgeAggregator. Worryingly, the team at Claroty has shown how these vulnerabilities can be exploited to gain full control over clients, including potentially devastating remote code execution capabilities.

Both Ignition and Softing systems are an integral part of industrial automation across various industries. These OT clients are used to create and implement automation systems and to collect and visualize data. Exploiting them could therefore have far-reaching and serious consequences.

By chaining several vulnerabilities, the Claroty team managed to gain complete control over both clients. These vulnerabilities have been identified as CVE-2023-27335, CVE-2023-38126, CVE-2023-38125, CVE-2023-38121, and CVE-2023-38124. Claroty experts combined “old” and “new” attack strategies to expose zero-days in both clients, exploiting the OPC UA client’s trust in the data it receives from the OPC UA server.

Inductive Automation’s Ignition is an industrial automation and control software platform frequently used in a variety of industrial environments, including manufacturing, oil and gas, and water. While examining the Ignition OPC UA client, researchers discovered that the client had a Cross-site Scripting (XSS) vulnerability caused by improper sanitization of data received over the OPC UA protocol. The XSS vulnerability was then used to perform actions on the user’s behalf that led to code execution.

Softing edgeAggregator presents its users with an efficient data management platform tailored to process large amounts of industrial information from various sources. Similar to the Inductive Automation client, the Softing edgeAggregator was also found to be vulnerable to an XSS attack. Additionally, the team identified an insecure backup procedure on Softing’s server that allowed attackers to write arbitrary files to arbitrary locations, ultimately culminating in remote code execution.
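The XSS findings in both clients come down to server-supplied strings reaching the client's web interface without output encoding. The following is an added example, not code from either vendor or from Team82, and not the vendors' actual fix: it renders a browse result with and without encoding. The field names (`nodeId`, `displayName`, `description`) and the sample data are assumptions constructed for illustration.

```javascript
// Added example: treat every string received from an OPC UA server as
// untrusted text and encode it where it is written into HTML.
// Field names and the browse result below are constructed sample data.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value for an HTML text or double-quoted attribute context.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak form: server-controlled strings are concatenated into markup as-is.
function renderNodeRowUnsafe(node) {
  return `<tr title="${node.description}"><td>${node.nodeId}</td><td>${node.displayName}</td></tr>`;
}

// Hardened form: every server-supplied field is encoded at the point of output.
function renderNodeRow(node) {
  return `<tr title="${escapeHtml(node.description)}">` +
    `<td>${escapeHtml(node.nodeId)}</td>` +
    `<td>${escapeHtml(node.displayName)}</td></tr>`;
}

// Regression check: the only tags a row may contain are the ones the template
// itself emits. Anything else means server data was interpreted as markup.
const ALLOWED_TAG = /^(<tr title="[^"<>]*">|<\/?td>|<\/tr>)$/;
function hasUnexpectedMarkup(html) {
  const tags = html.match(/<[^>]*>/g) || [];
  return tags.some((tag) => !ALLOWED_TAG.test(tag));
}

// Constructed browse result: one ordinary node, one whose attributes carry
// markup in both an element context and an attribute context.
const browseResult = [
  { nodeId: 'ns=2;s=Pump1.Speed', displayName: 'Pump 1 Speed', description: 'RPM' },
  { nodeId: 'ns=2;s=Tank1', displayName: '<script>alert(1)</script>',
    description: 'x" onmouseover="alert(1)' },
];

for (const [label, render] of [['unsafe', renderNodeRowUnsafe], ['hardened', renderNodeRow]]) {
  const html = browseResult.map(render).join('');
  console.log(`${label}: unexpected markup = ${hasUnexpectedMarkup(html)}`);
}
```

The same check can run in a UI test suite against any view that displays values read from a connected server.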

These findings are troubling and have wide-ranging implications for industries dependent on these systems. Be that as it may, the vulnerabilities discovered by Team82 have been patched by both vendors. Softing and Inductive Automation users are advised to immediately update their installations and apply the necessary patches to protect their systems from these newly discovered vulnerabilities.