OTPulse

OSIsoft PI Coresight

Plan Patch | CVSS 7.1 | ICS-CERT ICSA-17-192-04 | Jul 11, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

PI Coresight version 2016 R2 and earlier contains a cross-site request forgery (CSRF) vulnerability that allows an attacker to send malicious requests to the application when a user is logged in. The vulnerability is remotely exploitable with no authentication required beyond tricking a logged-in user into clicking a malicious link or visiting a compromised site.

What this means
What could happen
An attacker can perform unauthorized actions in PI Coresight (such as modifying process configurations, dashboards, or data) by tricking logged-in users into clicking malicious links, potentially affecting visibility and control of industrial processes.
Who's at risk
Water utilities and electric utilities that use OSIsoft PI Coresight for SCADA dashboard, process monitoring, and alarm management should assess their exposure. Specifically, organizations running version 2016 R2 or earlier are vulnerable if users access PI Coresight from browsers that also access untrusted websites.
How it could be exploited
An attacker crafts a malicious web page or link containing a request to PI Coresight (e.g., to change alarms, modify setpoints, or alter user permissions). When a user with an active PI Coresight session clicks the link or visits the page, the browser automatically submits the request to the PI Coresight server, bypassing normal user consent.
Prerequisites
  • User must have an active, authenticated session in PI Coresight
  • User must visit attacker-controlled website or click attacker-supplied link while logged into PI Coresight
  • PI Coresight must be reachable from the internet or the network where the user visits the malicious content
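
A defender can look for the pattern described above in web server logs: state-changing requests made under an authenticated session whose Referer points at another site. The following is an added example, not code from the advisory or from OSIsoft; it assumes W3C extended logs with the `cs(Referer)` and `cs-username` fields enabled, and the hostname, request paths and log lines are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumptions for this example (not from the advisory): the server hostname,
# the request paths and the log lines below are all constructed.
TRUSTED_HOSTS = {"coresight.plant.example"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Referer) sc-status
2017-07-12 08:01:10 GET /app/displays jdoe 10.1.2.30 - 200
2017-07-12 08:02:41 POST /app/displays/save jdoe 10.1.2.30 https://coresight.plant.example/app/displays 200
2017-07-12 08:05:03 POST /app/displays/save jdoe 10.1.2.30 http://news.example.net/article 200
2017-07-12 08:09:17 POST /app/displays/save asmith 10.1.2.44 - 200
2017-07-12 08:11:52 POST /app/login - 10.1.2.51 http://other.example.org/ 401
2017-07-12 08:15:30 POST /app/users/edit jdoe 10.1.2.30 http://coresight.plant.example.lookalike.example/x 200
"""


def find_cross_site_writes(log_text, trusted_hosts=TRUSTED_HOSTS):
    """Return (verdict, user, client_ip, uri, referer_host) for suspect writes."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-method", "").upper() not in WRITE_METHODS:
            continue                           # reads do not change state
        user = row.get("cs-username", "-")
        if user == "-":
            continue                           # CSRF needs an authenticated session
        referer = row.get("cs(Referer)", "-")
        host = (urlsplit(referer).hostname or "").lower() if referer != "-" else ""
        if host in trusted_hosts:
            continue                           # same-site write, expected
        # A missing Referer is weaker evidence: some clients strip the header.
        verdict = "cross-site" if host else "no-referer"
        hits.append((verdict, user, row.get("c-ip", "-"), row.get("cs-uri-stem", "-"), host))
    return hits


if __name__ == "__main__":
    for hit in find_cross_site_writes(SAMPLE_LOG):
        print(*hit)
```

The exact-match comparison against `TRUSTED_HOSTS` is deliberate: a lookalike hostname that merely begins with the trusted name is still reported as cross-site.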
  • Remotely exploitable
  • No authentication required beyond user session
  • Low complexity attack (user interaction required but straightforward)
  • Affects process visibility and control systems
  • No patch available for version 2016 R2 and earlier
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product | Affected Versions | Fix Status
PI Coresight: 2016 R2 and earlier versions | < 2016 R2 | 2016 R2 Update 1
Remediation & Mitigation
Do now
WORKAROUND: Restrict access to PI Coresight using firewall rules to limit connections to authorized administrative and engineer workstations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade PI Coresight to version 2016 R2 SP1 or later (or latest available version if newer releases exist)
HARDENING: Enforce regular user session timeouts in PI Coresight to reduce the window of exposure
Long-term hardening
HARDENING: Implement network segmentation to isolate PI Coresight from general corporate networks and the internet
HARDENING: Educate users and operators not to click suspicious links or visit untrusted websites while logged into PI Coresight or other critical systems
OSIsoft PI Coresight | CVSS 7.1 - OTPulse