OSIsoft PI AF Server Input Validation Vulnerability
CVSS: 6.5 | Source: ICS-CERT ICSA-16-166-02 | Date: Mar 18, 2016
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
OSIsoft PI AF Server versions 2.8.0 and earlier contain an input validation vulnerability (CWE-20) that allows authenticated users to cause a denial of service by sending specially crafted input. When the server fails to validate input properly, it triggers an unhandled exception that crashes the AF Server process, disconnecting client applications and interrupting data collection and alarm delivery to plant operators.
What this means
What could happen
An authenticated user could send specially crafted input to PI AF Server, causing the service to crash and stop responding to legitimate requests, disrupting plant data historians and process monitoring across connected systems.
Who's at risk
Water utilities and electric utilities relying on OSIsoft PI System for historian and data management. Affects engineers and operators using PI AF (Application Framework) Server for real-time monitoring and alarms. Any facility using PI-based SCADA integration or process data aggregation is at risk of losing visibility into plant operations during a denial-of-service event.
How it could be exploited
An attacker with valid credentials to the PI AF Server (engineering workstation account or administrator) submits malformed input through the AF Server interface or API. The server fails to validate the input properly, triggering an unhandled exception that crashes the AF Server process.
Prerequisites
- Valid credentials to access PI AF Server (engineering workstation or administrator account)
- Network access to PI AF Server on the management port (port 5450 by default)
- Attacker must be authenticated to the system
Key facts: No patch available · Requires authentication · Medium CVSS (6.5) · Could disrupt process monitoring and alarms
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (1)
Product           | Affected Versions | Fix Status
PI AF Server 2016 | <= 2.8.0          | No fix (EOL)
Remediation & Mitigation
Do now
[HARDENING] Review and restrict user access permissions to PI AF Server; remove credentials for users who no longer need access
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
[HOTFIX] Evaluate upgrading PI AF Server to a version beyond 2.8.0 if available in your deployment roadmap
Mitigations - no patch available
PI AF Server 2016: <= 2.8.0 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
[HARDENING] Implement network access controls to limit PI AF Server access to authorized engineering and administrative users only
[HARDENING] Monitor PI AF Server for unexpected restarts or service interruptions that could indicate exploitation attempts
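One way to act on the restart-monitoring control above, as an added example that is not part of this advisory or of OSIsoft's tooling: a PowerShell check that queries the Windows System log for Service Control Manager "terminated unexpectedly" events (IDs 7031 and 7034) that mention the PI AF Server service. The service name pattern is an assumption; confirm it against the service list on your own AF Server host.

```powershell
# Added example (not from the advisory): flag unexpected terminations of the
# PI AF Server service, which the mitigation above says may indicate exploitation.
# ASSUMPTION: the Windows service is named 'AFService' with display name 'PI AF Server'.
# Check services.msc on your own host and adjust $ServicePattern if it differs.
param(
    [string]$ServicePattern = 'PI AF Server|AFService',
    [int]$LookbackHours = 24,
    [int]$AlertThreshold = 1
)

$since = (Get-Date).AddHours(-$LookbackHours)

# Service Control Manager writes 7031 (unexpected termination, recovery action taken)
# and 7034 (unexpected termination, no recovery action) to the System log.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034
    StartTime    = $since
}

# -ErrorAction SilentlyContinue suppresses the "No events were found" error.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $ServicePattern }

$crashes = @($events | Sort-Object TimeCreated | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        EventId = $_.Id
        Message = ($_.Message -split "`n")[0].Trim()
    }
})

if ($crashes.Count -ge $AlertThreshold) {
    $msg = "{0} unexpected PI AF Server termination(s) in the last {1}h; " +
           "correlate with AF client connections and audit logs before concluding it was a DoS." -f
           $crashes.Count, $LookbackHours
    Write-Warning $msg
    $crashes | Format-Table -AutoSize
    exit 2   # non-zero exit code so a scheduler or SIEM collector can raise an alert
}
else {
    Write-Output "No unexpected PI AF Server terminations in the last $LookbackHours h."
    exit 0
}
```

Run it from a scheduled task on the AF Server host (or remotely via Invoke-Command) and forward the non-zero exit to your monitoring system; a single crash is worth investigating given that no patch is available.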
CVEs (1)