OSIsoft PI Integrator
Act Now9.8ICS-CERT ICSA-17-220-01Aug 8, 2017
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
OSIsoft PI Integrator 2016 contains cross-site scripting (CWE-79) and improper authorization (CWE-285) vulnerabilities in its web interface across the Data Warehouse, Microsoft Azure, SAP HANA SQL Utility, and Business Intelligence editions. These vulnerabilities allow unauthenticated remote attackers to inject malicious scripts and bypass access controls, affecting all versions of the 2016 product line.
What this means
What could happen
An unauthenticated attacker could exploit these web vulnerabilities to inject malicious code into the PI Integrator interface, potentially compromising operator accounts, stealing process data, or gaining unauthorized access to critical analytics and reporting systems that monitor plant operations.
Who's at risk
Water and electric utilities using OSIsoft PI Integrator 2016 for data analytics, business intelligence, and SAP reporting should prioritize this issue. Any organization relying on PI Integrator for real-time process monitoring and historical data analysis is at risk.
How it could be exploited
An attacker on the network or internet could craft a malicious request to the PI Integrator 2016 web interface. The cross-site scripting flaw allows the attacker to inject JavaScript that executes in the operator's browser when they visit a compromised page, stealing session cookies or credentials. The authorization bypass could allow the attacker to directly access restricted functions without valid credentials.
Prerequisites
- Network or internet access to the PI Integrator 2016 web interface (typically port 80/443)
- For XSS exploitation: operator must click a malicious link or visit a compromised page
- For authorization bypass: no credentials required
remotely exploitableno authentication requiredlow complexityno patch availableaffects critical analytics infrastructure
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (4)
4 EOL
ProductAffected VersionsFix Status
PI Integrator for Business Analytics 2016 - Data Warehouse: (All Editions)*No fix (EOL)
PI Integrator for Microsoft Azure: 20162016No fix (EOL)
PI Integrator for Business Analytics and SAP HANA SQL Utility: 20162016No fix (EOL)
PI Integrator for Business Analytics 2016 - Business Intelligence: (All Editions)All versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/3HARDENINGRestrict network access to PI Integrator 2016 web interface to authorized engineering and operations networks only; require VPN for remote access
WORKAROUNDDeploy a web application firewall (WAF) in front of PI Integrator 2016 to detect and block cross-site scripting and authorization bypass attempts
HARDENINGImplement strong authentication controls (multi-factor authentication) for all operator accounts accessing PI Integrator 2016
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HARDENINGMonitor web server logs for suspicious requests, authentication failures, and access to unauthorized functions in PI Integrator 2016
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: PI Integrator for Business Analytics 2016 - Data Warehouse: (All Editions), PI Integrator for Microsoft Azure: 2016, PI Integrator for Business Analytics and SAP HANA SQL Utility: 2016, PI Integrator for Business Analytics 2016 - Business Intelligence: (All Editions). Apply the following compensating controls:
HARDENINGEvaluate migration to a newer version of PI Integrator or alternative analytics platform with security patches
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/8729d89a-e3c5-4f10-b652-fce5ff16c861