OTPulse

OSIsoft PI OPC DA Interface Buffer Overflow

Low Risk · ICS-CERT ICSA-12-201-01 · Apr 22, 2012
Summary

A stack-based buffer overflow exists in OSIsoft PI OPC DA Interface versions prior to 2.3.20.9. The vulnerability is triggered when the interface processes certain OPC requests, allowing an attacker to cause a denial of service (crash) or potentially execute arbitrary code with the privileges of the PI interface service. This could disrupt real-time data collection from OPC-connected field devices and historical data recording in the PI system.

What this means
What could happen
A buffer overflow in the PI OPC DA Interface could allow an attacker to crash the interface service or execute arbitrary code, disrupting real-time data flow between the PI system and OPC servers and potentially affecting process monitoring and control.
Who's at risk
Water utilities, electric utilities, and process manufacturers using OSIsoft PI data historians with OPC DA connectivity. This affects any facility that relies on OPC (OLE for Process Control) to bridge legacy industrial devices or SCADA systems to PI monitoring and reporting systems.
How it could be exploited
An attacker would need network access to the PI OPC DA Interface service (typically 135/TCP for the RPC endpoint mapper, plus the dynamic ports DCOM negotiates) and could send a specially crafted OPC request that overflows a buffer in the interface process, leading to a service crash or code execution with the privileges of the PI interface process.
Prerequisites
  • Network access to PI OPC DA Interface service (port 135 or dynamic DCOM port)
  • OPC client connectivity or ability to send OPC requests to the interface
Tags: remotely exploitable · no patch available · buffer overflow vulnerability · affects data acquisition integrity
Exploitability
Moderate exploit probability (EPSS 8.3%)
Affected products (1)
Product: PI OPC DA Interface
Affected versions: <2.3.20.9
Fix status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation to restrict access to the PI OPC DA Interface service; limit inbound connections to authorized OPC clients and engineering workstations only.
WORKAROUND: Deploy firewall rules to block inbound DCOM/COM traffic (port 135, RPC dynamic ports) from untrusted networks to the PI OPC DA Interface server.
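The firewall workaround above, as an added example that is not part of the OTPulse advisory and is not OSIsoft guidance: a Windows Firewall configuration for the PI OPC DA Interface host that allows 135/TCP and the DCOM dynamic RPC ports only from an allowlist of OPC clients and engineering workstations. The allowlist addresses and rule names are placeholders chosen for this example.

```powershell
# Added example (not from the OTPulse advisory or OSIsoft): restrict inbound DCOM
# to the PI OPC DA Interface host so that only approved OPC clients and
# engineering workstations can reach the RPC endpoint mapper (135/TCP) and the
# dynamic RPC ports DCOM negotiates. Run on the interface server as Administrator.

# Placeholder allowlist: the OPC client subnet and one engineering workstation.
$AllowedClients = @('10.10.20.0/24', '10.10.30.15')

# 1. Make "drop inbound by default" the baseline, so the allow rules below are the
#    only way in. (Windows Firewall gives Block rules precedence over Allow rules,
#    so a default-deny profile is cleaner than pairing a Block rule with an Allow.)
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Allow the RPC endpoint mapper (135/TCP) only from the allowlist.
New-NetFirewallRule -DisplayName 'PI OPC DA - RPC Endpoint Mapper (allowlist)' `
    -Direction Inbound -Protocol TCP -LocalPort 135 `
    -RemoteAddress $AllowedClients -Action Allow -Profile Any

# 3. Allow the dynamic RPC ports DCOM negotiates, again only from the allowlist.
#    'RPC' is the Windows Firewall keyword for the dynamic RPC port range.
New-NetFirewallRule -DisplayName 'PI OPC DA - DCOM dynamic RPC (allowlist)' `
    -Direction Inbound -Protocol TCP -LocalPort RPC `
    -RemoteAddress $AllowedClients -Action Allow -Profile Any

# 4. Log dropped inbound packets so connection attempts to 135/TCP from outside
#    the allowlist show up in pfirewall.log for review.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True

# 5. Verify which remote addresses the new rules permit.
Get-NetFirewallRule -DisplayName 'PI OPC DA*' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

This is a host-level control and complements, rather than replaces, the network segmentation item above: the interface host still accepts DCOM from the allowlisted addresses, so those clients and workstations need the same care. The blocked-packet log from step 4 gives a simple source for the monitoring item in the "Schedule" section.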
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor network traffic to and from the PI OPC DA Interface for suspicious OPC requests.
Long-term hardening
HOTFIX: Upgrade or migrate to a newer version of the OSIsoft PI System that includes the OPC DA Interface with security improvements.