OSIsoft PI Web API 2017

Plan PatchCVSS 7.1ICS-CERT ICSA-17-164-03Jun 13, 2017

OSIsoft

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

OSIsoft PI Web API versions before 2017 (1.9.0) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can trick a logged-in PI Web API user into performing unintended actions on the historian database, including creating, modifying, or deleting data points and configuration elements. The vulnerability requires no special privileges and can be exploited with low skill by crafting a malicious webpage.

What this means

What could happen

A remote attacker could trick a PI Web API user into performing unauthorized actions on the historian (creating, modifying, or deleting data points and assets) by crafting a malicious webpage or email. This could corrupt operational data or disrupt access to critical process information.

Who's at risk

Water utilities and electric utilities that use OSIsoft PI Web API for remote access to PI historians and asset data are affected. This includes operators, engineers, and administrators who access PI Web API through a web browser from workstations connected to your network or remote access.

How it could be exploited

An attacker crafts a malicious webpage and tricks a user of PI Web API into visiting it while logged in. The webpage contains hidden requests that perform unauthorized actions on the historian using the victim's authenticated session. The attacker does not need any credentials themselves—they exploit the user's existing login.

Prerequisites

User must be logged into PI Web API in the same browser session
User must visit an attacker-controlled or compromised webpage while logged in
No authentication or network-level access to PI Web API needed beyond being reachable from the user's workstation

remotely exploitableno authentication required from attackerlow complexityuser interaction required (but user is not suspicious of normal browsing)affects data integrity of operational historian

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

PI Web API:< 2017 (1.9.0)2017 (1.9.0)

Remediation & Mitigation

OSIsoft recommends that users upgrade to the PI Web API version 2017 (1.9.0) and enable CSRF defense. To enable this option, set the configuration attribute ‘EnableCSRFDefense' to ‘True' in the PI Web API System Configuration element. This element is located at the path "..\OSIsoft\PI Web API\PIWebAPIMachineName\System Configuration" in PI AF Server Configuration database. A new installation of PI Web API 2017 (1.9.0) enables CSRF protection by default.

CVEs (1)

CVE-2017-7926

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0b4b915c-6da6-4163-93e6-ea7fc877e4d0

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.