cbcvebase.
CVE-2023-39476
published 2024-05-03

CVE-2023-39476: Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability

Priority: P2, 71
CVSS 3.1: 9.8 critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.78% (75.5th percentile)
Inductive Automation Ignition JavaSerializationCodec Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Inductive Automation Ignition. Authentication is not required to exploit this vulnerability. The specific flaw exists within the JavaSerializationCodec class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-20291.

Affected (2 ranges)

Vendor               | Product  | Version range     | Fixed in
inductive_automation | ignition |                   |
inductiveautomation  | ignition | >= 8.1.0 < 8.1.35 | 8.1.35

Detection & IOCs (extracted from sources)

url: /system/ws-control-servelet?name=
snort:
alert http1 $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Inductive Automation remoteSystemID Check (CVE-2023-39476)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/system/ws-control-servelet?name="; startswith; fast_pattern; content:"uuid="; pcre:"/^[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}/R"; content:"url=http|3a 2f 2f|localhost/system"; endswith; http.header_names; content:"|0d 0a|Connection|0d 0a|"; content:"|0d 0a|Sec-WebSocket-Version|0d 0a|"; content:"|0d 0a|Sec-WebSocket-Key|0d 0a|"; content:"|0d 0a|Upgrade|0d 0a|"; content:"|0d 0a|User-Agent|0d 0a|"; content:"|0d 0a|Host|0d 0a|"; reference:url,www.zerodayinitiative.com/advisories/ZDI-23-1046/; reference:url,xz.aliyun.com/t/12813; reference:cve,2023-39476; classtype:attempted-admin; sid:2047920; rev:2;)
  • Exploit traffic uses HTTP GET to the path /system/ws-control-servelet?name= with a UUID parameter and a url= parameter pointing to localhost/system, combined with WebSocket upgrade headers (Sec-WebSocket-Version, Sec-WebSocket-Key, Upgrade).
  • The exploit does not require authentication; any unauthenticated HTTP GET request matching the above pattern from external networks should be treated as a high-confidence attack attempt.
  • The vulnerability resides in the JavaSerializationCodec class; monitor for deserialization payloads delivered over the WebSocket upgrade endpoint.
  • Successful exploitation results in code execution as SYSTEM; correlate with unexpected SYSTEM-level process spawning from the Ignition service process.
  • The Snort/Suricata rule (sid:2047920) requires SSL/TLS inspection to be effective when Ignition is deployed behind HTTPS; the metadata tag 'deployment SSLDecrypt' confirms this requirement.
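As an added illustration, not part of this record or of any vendor tooling, the Python below applies the same conditions as the Suricata rule above (path prefix, uuid= parameter, url=http://localhost/system suffix and the WebSocket upgrade header set) to raw HTTP request heads, so the rule's logic can be checked against web-server or proxy captures offline; the sample requests are constructed and the host name ignition.example is a placeholder.

```python
import re

# Conditions transcribed from the Suricata rule sid:2047920 shown above.
PATH_PREFIX = "/system/ws-control-servelet?name="
UUID_AFTER_PARAM = re.compile(r"uuid=[a-f0-9]{8}-(?:[a-f0-9]{4}-){3}[a-f0-9]{12}")
LOCALHOST_SUFFIX = "url=http://localhost/system"
REQUIRED_HEADERS = {"connection", "sec-websocket-version", "sec-websocket-key",
                    "upgrade", "user-agent", "host"}


def parse_request_head(raw: str):
    """Split a raw HTTP/1.x request head into (method, uri, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def matches_cve_2023_39476(method: str, uri: str, headers: dict) -> bool:
    """True only when every condition of the rule holds for this request."""
    return (
        method == "GET"
        and uri.startswith(PATH_PREFIX)
        and UUID_AFTER_PARAM.search(uri) is not None
        and uri.endswith(LOCALHOST_SUFFIX)
        and REQUIRED_HEADERS.issubset(headers)
    )


def scan(raw_requests):
    """Return the indices of the requests that should raise an alert."""
    return [i for i, raw in enumerate(raw_requests)
            if matches_cve_2023_39476(*parse_request_head(raw))]


# Constructed sample traffic, not captured data.
WS_HEAD = ("Host: ignition.example\r\nUser-Agent: probe/1.0\r\nConnection: Upgrade\r\n"
           "Upgrade: websocket\r\nSec-WebSocket-Version: 13\r\n"
           "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n")
SUSPECT_URI = (PATH_PREFIX + "x&uuid=123e4567-e89b-12d3-a456-426614174000&"
               + LOCALHOST_SUFFIX)
SAMPLES = [
    "GET " + SUSPECT_URI + " HTTP/1.1\r\n" + WS_HEAD,                      # full pattern
    "GET " + SUSPECT_URI + " HTTP/1.1\r\nHost: ignition.example\r\n\r\n",  # no WS upgrade
    "GET /main/web/home HTTP/1.1\r\n" + WS_HEAD,                          # ordinary websocket
]
ALERTS = scan(SAMPLES)  # -> [0]
```

Only the first sample trips all conditions; the second shows why the header-name checks matter, since the same URI without the WebSocket upgrade headers is not flagged.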

CVSS provenance

nvd | v3.1 | 9.8 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 9.8 CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H