|CVSS SCORE||7.5, (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)|
This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of OPC UA ConditionRefresh requests. By sending a large number of requests, an attacker can consume all available resources on the server. An attacker can leverage this vulnerability to create a denial-of-service condition on the system.
01/20/23 – The ZDI reported this vulnerability to the vendor during the Pwn2Own Miami contest.
07/18/23 – The ZDI asked for an update.
08/01/23 – The vendor states this case does not require immediate servicing and is being tracked in their backlog.
08/01/23 – ZDI informed the vendor that the case will be published as a zero-day advisory on 08/08/23.
-- Mitigation: Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application.
|CREDIT||Claroty Research - Team82 - Uri Katz, Noam Moshe, Vera Vens, Sharon Brizinov