OSIsoft PI System Incomplete Model of Endpoint Features Vulnerability
Monitor7.1ICS-CERT ICSA-16-313-03Aug 12, 2016
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
OSIsoft PI components (AF Client 2016, SDK 2016, Buffer Subsystem, and Data Archive 2105) contain incomplete model of endpoint features, allowing local attackers to cause denial of service through crash or hang conditions. The vulnerability affects systems running these legacy PI versions.
What this means
What could happen
A local attacker with access to a system running affected PI components could cause a denial of service (crash or hang) affecting the availability of the data archive or asset framework operations. This could interrupt data collection, reporting, or process monitoring capabilities in industrial control environments.
Who's at risk
Water authorities and electric utilities running OSIsoft PI systems for data acquisition, archival, and analysis should assess their deployments. This affects PI Asset Framework clients used by engineers and operators, PI SDK used in custom applications, PI Buffer Subsystems, and PI Data Archive servers that collect and store process data.
How it could be exploited
An attacker with local access to a system running PI Asset Framework Client, PI SDK, PI Buffer Subsystem, or PI Data Archive could exploit incomplete endpoint feature validation to trigger a crash or resource exhaustion condition, rendering the affected component unavailable to legitimate users and processes.
Prerequisites
- Local access to a system running affected PI software
- No special credentials or authentication required for exploitation
Local exploitation requiredHigh availability impactNo patch available (end-of-life products)Affects industrial data infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 EOL
ProductAffected VersionsFix Status
Applications using PI Asset Framework (AF) Client 2016: <2.8.0<2.8.0No fix (EOL)
Applications using PI Software Development Kit (SDK) 2016: <1.4.6<1.4.6No fix (EOL)
PI Buffer Subsystem: <=4.4≤ 4.4No fix (EOL)
PI Data Archive 2105: <3.4.395.64<3.4.395.64No fix (EOL)
Remediation & Mitigation
0/3
Do now
0/1Applications using PI Software Development Kit (SDK) 2016: <1.4.6
HARDENINGRestrict local access to systems running PI AF Client, PI SDK, PI Buffer Subsystem, or PI Data Archive to authorized personnel only through host-based access controls
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HARDENINGMonitor PI system logs for unexpected crashes or hangs of the affected components as indicators of exploitation attempts
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: Applications using PI Asset Framework (AF) Client 2016: <2.8.0, Applications using PI Software Development Kit (SDK) 2016: <1.4.6, PI Buffer Subsystem: <=4.4, PI Data Archive 2105: <3.4.395.64. Apply the following compensating controls:
HARDENINGImplement network segmentation to isolate PI infrastructure from untrusted networks and limit access to engineering workstations and data archive servers only
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/eff9bd46-93ac-4925-b4f3-ba6766747863