OTPulse

OSIsoft PI SQL Data Access Server Input Validation Vulnerability

Monitor | 6.5 | ICS-CERT ICSA-16-166-01 | Mar 18, 2016
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

OSIsoft PI SQL Data Access Server contains an input validation vulnerability in the PI JDBC Driver 2015 (versions ≤1.4.1.404) and PI ODBC Driver 2015 (versions ≤3.5.403). The vulnerability allows authenticated users to send specially crafted input that is not properly validated, causing the server to crash and deny service to legitimate queries. This disrupts applications that depend on PI for real-time data retrieval and historical trending.

What this means
What could happen
An authenticated attacker could send specially crafted input to PI SQL Data Access Server to cause a denial of service, disrupting data queries and potentially affecting real-time monitoring of critical process parameters in water and energy systems.
Who's at risk
Water authorities and electric utilities using OSIsoft PI for process data collection and historian functions should be concerned. This affects any system relying on PI JDBC or ODBC drivers for real-time or historical data access from PLCs, remote terminal units (RTUs), or other field devices.
How it could be exploited
An attacker with valid credentials to the PI system must craft malformed SQL input through the PI JDBC or ODBC driver. The server fails to validate the input properly and crashes, making the database unavailable and preventing applications from retrieving historical data or live process values.
Prerequisites
  • Valid PI system credentials (engineering workstation login)
  • Network access to PI SQL Data Access Server (typically port 5450 or 5451)
  • Ability to submit SQL queries via JDBC or ODBC driver
requires valid credentials | low authentication required (internal) | no patch available | denial of service impact
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
PI JDBC Driver 2015: <=1.4.1.404 | ≤ 1.4.1.404 | No fix (EOL)
PI ODBC Driver 2015: <=3.5.403 | ≤ 3.5.403 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict network access to PI SQL Data Access Server to authorized engineering workstations and HMI/SCADA servers only using firewall rules
HARDENING: Enforce strong authentication and access control for PI system credentials; audit and remove unnecessary user accounts
WORKAROUND: Monitor PI SQL Data Access Server for unexpected crashes or connection failures; implement logging and alerting for suspicious database access patterns
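An added example for the monitoring workaround above (not part of the advisory and not OSIsoft code): a connectivity probe for the listener ports that alerts only after consecutive failures and separates a refused connection, which is what a stopped service on a running host produces, from an unreachable host. The threshold, alert strings and function names are assumptions chosen for illustration.

```python
import socket

# Added example, not vendor code. Ports are the ones the advisory lists as
# typical for PI SQL Data Access Server; everything else is an assumption.
PI_SQL_DAS_PORTS = (5450, 5451)

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # Host answered but nothing is listening: consistent with a crashed service.
        return "refused"
    except OSError:
        # Timeout, no route, firewall drop or name resolution failure.
        return "unreachable"

class OutageDetector:
    """Turn probe results into alerts; one dropped probe does not fire."""
    def __init__(self, threshold=3):
        self.threshold = threshold   # consecutive failures before alerting
        self.failures = 0
        self.down = False

    def update(self, result):
        if result == "open":
            self.failures = 0
            if self.down:
                self.down = False
                return "RECOVERED"
            return None
        self.failures += 1
        if not self.down and self.failures >= self.threshold:
            self.down = True
            return f"DOWN ({result})"
        return None

def check_once(host, detectors, ports=PI_SQL_DAS_PORTS, timeout=3.0):
    """Probe every port once; return (port, alert) pairs for state changes only."""
    alerts = []
    for port in ports:
        det = detectors.setdefault(port, OutageDetector())
        alert = det.update(probe(host, port, timeout))
        if alert:
            alerts.append((port, alert))
    return alerts
```

Call `check_once` on a schedule from a monitoring host that the firewall rules permit to reach the server, keeping the same `detectors` dict between calls, and forward any returned alerts to the site's logging or alerting system.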
Mitigations - no patch available
The following products have reached End of Life with no planned fix: PI JDBC Driver 2015: <=1.4.1.404, PI ODBC Driver 2015: <=3.5.403. Apply the following compensating controls:
HARDENING: Isolate PI systems on a separate network segment with restricted routing to critical production systems