OSIsoft PI Web API 2015 R2 Service Account Permissions Vulnerability
Monitor | 6.4 | ICS-CERT ICSA-16-287-01 | Jul 17, 2016
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
OSIsoft PI Web API 2015 R2 version 1.5.1 grants service account users excessive permissions that exceed their assigned role privileges. A service account holder can access and modify data and configurations in the PI Web API beyond their intended scope. The vendor has indicated no fix is planned for this product version. This is a permissions misconfiguration vulnerability (CWE-284) affecting the access control framework of the historian API.
What this means
What could happen
An attacker with a valid service account can access data and modify configurations in the PI Web API with privileges beyond their assigned role, potentially compromising process historians and real-time operational data integrity.
Who's at risk
Water and electric utilities rely on OSIsoft PI historians to store and retrieve process data from SCADA systems and control devices. Any system engineer or historian administrator should assess whether their PI Web API deployments use service accounts with unnecessarily broad permissions, particularly in environments where multiple teams access the historian.
How it could be exploited
An attacker with valid PI Web API service account credentials can exploit overly permissive service account permissions to access or modify historian data and configuration settings that should be restricted to higher-privilege accounts. This requires network access to the PI Web API endpoint and a valid service account login.
Prerequisites
- Network access to PI Web API endpoint (typically port 443/HTTPS)
- Valid service account credentials for PI Web API authentication
- Knowledge of available API endpoints or data points to target
No patch available | Low exploit probability (EPSS 0.1%) | Requires valid service account credentials
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
PI Web API 2015 R2: 1.5.1 | 1.5.1 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Review and restrict PI Web API service account permissions to the minimum required for their specific operational role
HARDENING: Implement network segmentation to limit access to PI Web API to only authorized engineering and control workstations
HARDENING: Enable and review audit logging for all PI Web API service account activities
Mitigations - no patch available
PI Web API 2015 R2: 1.5.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Monitor for suspicious API calls or data access patterns from service accounts
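The two controls above that a team can act on without a vendor patch, scoping each service account to its role and watching its API activity, combine naturally into one check: compare every call a service account makes against the scope its role was provisioned for, and treat an out-of-scope call that the API nevertheless served as proof that the account holds more permission than intended. The script below is an added example written for this advisory, not OSIsoft code or part of PI Web API. It assumes a simplified, constructed access-log layout ("<timestamp> <account> <method> <path> <status>"); the /piwebapi/... paths are modelled on PI Web API's REST layout but are used here as assumptions, and the account names, roles and the WEBID-1 identifier are constructed placeholders.

```python
"""Scope check for PI Web API service-account activity.

Added example for this advisory, not OSIsoft code.  Assumes a constructed
access-log line layout ("<timestamp> <account> <method> <path> <status>"),
PI Web API-style paths under /piwebapi/ (assumed), and constructed account
names, roles and WebIds.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Expected scope per role as (HTTP method, path prefix) pairs.  Constructed for
# the example; a real deployment derives this from each account's documented duties.
ROLE_SCOPE: Dict[str, Set[Tuple[str, str]]] = {
    # Read-only historian consumer: may read point metadata and stream data.
    "historian-reader": {("GET", "/piwebapi/points"), ("GET", "/piwebapi/streams")},
    # Writer: may also push values into streams, but never change point configuration.
    "historian-writer": {("GET", "/piwebapi/points"), ("GET", "/piwebapi/streams"),
                         ("POST", "/piwebapi/streams")},
}
ADMIN_ROLE = "historian-admin"  # unrestricted; admin calls are never flagged

# Service accounts under review and the role each was provisioned for (constructed).
SERVICE_ACCOUNTS: Dict[str, str] = {
    "svc-scada-reader": "historian-reader",
    "svc-lab-writer": "historian-writer",
    "svc-pi-admin": ADMIN_ROLE,
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


@dataclass
class Finding:
    ts: str
    user: str
    role: str
    method: str
    path: str
    succeeded: bool  # True when the API served the out-of-scope call (this advisory's failure mode)


def in_scope(role: str, method: str, path: str) -> bool:
    """Return True if an account holding this role is expected to make this call."""
    if role == ADMIN_ROLE:
        return True
    return any(method == m and path.startswith(prefix)
               for m, prefix in ROLE_SCOPE.get(role, set()))


def audit(lines: List[str]) -> List[Finding]:
    """Walk access-log lines and report service-account calls outside their role scope."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a production job would count these separately
        role: Optional[str] = SERVICE_ACCOUNTS.get(m["user"])
        if role is None:
            continue  # interactive user, outside this check
        if in_scope(role, m["method"], m["path"]):
            continue
        status = int(m["status"])
        findings.append(Finding(m["ts"], m["user"], role, m["method"], m["path"],
                                succeeded=200 <= status < 300))
    return findings


def escalations(findings: List[Finding]) -> Dict[str, int]:
    """Per account, count out-of-scope calls the API honoured.  A denied call (4xx)
    shows the control working; an honoured one shows the account is over-privileged."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.succeeded:
            counts[f.user] = counts.get(f.user, 0) + 1
    return counts


# Constructed sample log (not real PI Web API output).  WEBID-1 is a placeholder WebId.
SAMPLE_LOG = [
    "2016-07-17T03:10:05Z svc-scada-reader GET /piwebapi/streams/WEBID-1/recorded 200",
    "2016-07-17T03:10:07Z svc-scada-reader POST /piwebapi/streams/WEBID-1/value 200",
    "2016-07-17T03:11:00Z svc-scada-reader PATCH /piwebapi/points/WEBID-1 200",
    "2016-07-17T03:12:00Z svc-lab-writer POST /piwebapi/streams/WEBID-1/value 200",
    "2016-07-17T03:13:00Z svc-lab-writer DELETE /piwebapi/points/WEBID-1 403",
    "2016-07-17T03:14:00Z svc-pi-admin DELETE /piwebapi/points/WEBID-1 200",
    "2016-07-17T03:15:00Z jsmith GET /piwebapi/points 200",
]

if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        verdict = "HONOURED" if f.succeeded else "denied"
        print(f"{f.ts} {f.user} ({f.role}) {f.method} {f.path}: out of scope, {verdict}")
    print("accounts with proven excess permission:", escalations(results))
```

On the constructed sample, the read-only account's successful POST and PATCH are reported as honoured out-of-scope calls, while the writer's denied DELETE is recorded but not counted as an escalation. In a real deployment the role scopes would come from the account provisioning records, and an honoured finding is the signal to tighten that account's permissions rather than simply tune the detector.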
CVEs (1)
API: /api/v1/advisories/d0bb28de-b544-454f-8ec8-4f846db4026a