OTPulse

OSIsoft PI Interface for DNP3 Improper Input Validation

Low Risk | ICS-CERT ICSA-14-098-01 | Jan 9, 2014
Summary

OSIsoft PI Interface for DNP3 contains an improper input validation vulnerability (CWE-20). The interface fails to properly validate incoming data, which could allow an attacker to send malformed input that causes the interface to crash or stop processing data from DNP3 field devices. This vulnerability affects OSIsoft PI Interface for DNP3 versions prior to 3.1.2.54. No vendor patch is available for this product.

What this means
What could happen
An attacker with network access to the PI Interface for DNP3 could send malformed input that causes the interface to crash or become unresponsive, disrupting the collection of real-time energy or water distribution data that your SCADA system depends on.
Who's at risk
Organizations operating water distribution or electric utility SCADA systems that use OSIsoft PI Server with the DNP3 interface module to collect real-time data from field devices. This includes utilities relying on DNP3 protocols for remote terminal units (RTUs), intelligent electronic devices (IEDs), or other fieldbus devices feeding data into the PI historian.
How it could be exploited
An attacker on the network sends specially crafted or invalid input to the PI Interface for DNP3 service. The interface fails to validate the input properly, causing unexpected behavior such as a crash or hang that stops data flow from DNP3 field devices to your PI Server.
Prerequisites
  • Network connectivity to the PI Interface for DNP3 service port
  • Interface accessible from attacker's network segment (not behind restrictive firewall)
No patch available | Affects data collection critical to situational awareness | Legacy product
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (1)
Product | Affected Versions | Fix Status
OSIsoft PI Interface for DNP3: <3.1.2.54 | <3.1.2.54 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the PI Interface for DNP3 by using firewall rules to limit connections to only authorized engineering workstations and SCADA operators
Mitigations - no patch available
OSIsoft PI Interface for DNP3: <3.1.2.54 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate the PI Interface for DNP3 on a protected industrial network segment with limited east-west communication
HARDENING: Monitor for unexpected process restarts or service failures on the PI Interface for DNP3 system
HARDENING: Plan upgrade or replacement of this legacy product if the vendor confirms no fix will be released
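
One way to implement the monitoring control above, as an added example that is not from the advisory or the vendor: a Python check over a CSV export of the Windows System event log that flags Service Control Manager events 7031/7034 (service terminated unexpectedly) for the interface service and escalates repeats. The service name, the CSV column layout and the ten-minute repeat window are assumptions, and the log lines are constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Assumption: placeholder name; substitute the service name shown on your interface node.
SERVICE_NAME = "PI-DNP3-Interface-PLACEHOLDER"
# Service Control Manager event IDs logged when a service terminates unexpectedly.
CRASH_EVENT_IDS = {7031, 7034}
# Assumption: two crashes inside this window are treated as a repeat and escalated.
BURST_WINDOW = timedelta(minutes=10)

# Constructed sample: System log exported as CSV (TimeCreated, Id, ProviderName, Message).
SAMPLE_EXPORT = """\
TimeCreated,Id,ProviderName,Message
2024-05-01T02:14:07,7036,Service Control Manager,The PI-DNP3-Interface-PLACEHOLDER service entered the running state.
2024-05-01T03:40:51,7034,Service Control Manager,The PI-DNP3-Interface-PLACEHOLDER service terminated unexpectedly. It has done this 1 time(s).
2024-05-01T03:41:55,7036,Service Control Manager,The PI-DNP3-Interface-PLACEHOLDER service entered the running state.
2024-05-01T03:44:10,7031,Service Control Manager,The PI-DNP3-Interface-PLACEHOLDER service terminated unexpectedly. It has done this 2 time(s).
2024-05-01T03:50:00,7034,Service Control Manager,The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
2024-05-01T09:05:30,7031,Service Control Manager,The PI-DNP3-Interface-PLACEHOLDER service terminated unexpectedly. It has done this 3 time(s).
"""

def find_crashes(export_text, service=SERVICE_NAME):
    """Return sorted timestamps of unexpected terminations of `service`."""
    crashes = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["ProviderName"] != "Service Control Manager":
            continue
        if int(row["Id"]) not in CRASH_EVENT_IDS:
            continue  # 7036 state changes and other IDs are not crashes
        if f"The {service} service " not in row["Message"]:
            continue  # a different service crashed
        crashes.append(datetime.fromisoformat(row["TimeCreated"]))
    return sorted(crashes)

def classify(crashes):
    """Label each crash; one that follows another within BURST_WINDOW is escalated."""
    findings = []
    for i, ts in enumerate(crashes):
        repeat = i > 0 and ts - crashes[i - 1] <= BURST_WINDOW
        findings.append((ts.isoformat(), "critical" if repeat else "alert"))
    return findings

if __name__ == "__main__":
    for ts, severity in classify(find_crashes(SAMPLE_EXPORT)):
        print(f"{severity.upper():8} {ts} {SERVICE_NAME} terminated unexpectedly")
```

A repeat shortly after an automatic restart is the pattern worth paging on, since it means data collection from the DNP3 field devices keeps dropping rather than recovering.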