OTPulse

OSIsoft PI Web API

Severity: Act Now (CVSS 9.3) · ICS-CERT ICSA-18-072-04 · Mar 13, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

OSIsoft PI Web API 2017 R2 and earlier contain an access control weakness and a cross-site scripting (XSS) vulnerability. Together they allow an unauthenticated attacker to read sensitive operational data and to inject malicious content that runs in the browsers of users who view it. The vulnerabilities are remotely exploitable, require low skill and need no user interaction. Affected organizations should upgrade PI Web API to 2017 R2 Update 1; the upgrade path named in the advisory is PI Vision 2017 R2 Update 1 or PI AF Services 2017 R2 Update 1.

What this means
What could happen
An unauthenticated attacker with network reach to the endpoint could read sensitive operational data from the PI system (real-time process values, historical data, and system configuration) or inject malicious script into reports and dashboards that operators view, so that it executes in their browsers.
Who's at risk
Water and electric utilities, manufacturing facilities, and refineries that use the OSIsoft PI System for process monitoring and as a historian. Any organization with PI Web API deployed and reachable over the network should treat this as a risk to both the confidentiality and the integrity of its operational data.
How it could be exploited
An attacker with network access to the PI Web API endpoint can send crafted requests without credentials to read data or to inject script. No authentication is required and the attack complexity is low, so the attack is straightforward against any exposed PI Web API instance.
Prerequisites
  • Network access to PI Web API (typically port 443 or 80)
  • PI Web API version 2017 R2 or earlier
  • No credentials or authentication required
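The two prerequisites that matter most, network reach and an endpoint that answers without credentials, can be checked from any Windows host. The script below is an added example for this page, not code from the advisory or from OSIsoft. It assumes the service listens on the default /piwebapi path, that the /piwebapi/system/versions endpoint is enabled, and that the host name and port are supplied by you; it sends no credentials on purpose, so a correctly configured instance should answer 401 rather than serve data.

```powershell
# Added example (not from the advisory or from OSIsoft): check whether a PI Web API
# instance answers anonymous requests, and record the version it reports.
# Assumptions: default path /piwebapi, /piwebapi/system/versions enabled,
# $PiHost and $Port supplied by the operator.
param(
    [Parameter(Mandatory = $true)][string]$PiHost,
    [int]$Port = 443
)

$base = "https://${PiHost}:${Port}/piwebapi"

function Invoke-AnonymousProbe {
    param([string]$Url)
    try {
        # Deliberately no -Credential / -UseDefaultCredentials: if this succeeds,
        # the endpoint is readable without authentication.
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
        return [pscustomobject]@{ Url = $Url; Status = [int]$r.StatusCode; Body = $r.Content; Anonymous = $true }
    } catch {
        $code = $null
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        return [pscustomobject]@{ Url = $Url; Status = $code; Body = $null; Anonymous = $false }
    }
}

$root     = Invoke-AnonymousProbe "$base/"
$versions = Invoke-AnonymousProbe "$base/system/versions"

if ($root.Anonymous) {
    Write-Warning "$base served the API root without credentials (HTTP $($root.Status)); the endpoint is readable anonymously."
} else {
    Write-Host "$base rejected the anonymous request (HTTP $($root.Status))."
}

if ($versions.Anonymous -and $versions.Body) {
    # The versions document is a JSON object keyed by component name. Print each
    # component's FullVersion so it can be matched against OSIsoft's release notes;
    # this script does not map build numbers to marketing names such as "2017 R2".
    $doc = $versions.Body | ConvertFrom-Json
    foreach ($p in $doc.PSObject.Properties) {
        Write-Host ("{0,-30} {1}" -f $p.Name, $p.Value.FullVersion)
    }
}
```

Run it from a host that represents an untrusted network position, not from the PI server itself, since a result from localhost says nothing about exposure. On PowerShell 7 add -SkipCertificateCheck to the Invoke-WebRequest calls if the server uses a self-signed certificate; on Windows PowerShell 5.1 import the server certificate into the trusted store instead.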
Tags: remotely exploitable · no authentication required · low complexity · high CVSS score (9.3) · affects operational data systems
Exploitability
Low predicted exploit probability (EPSS 0.5%, the estimated chance of exploitation in the wild over the next 30 days). A low EPSS does not lower the severity for an instance that is exposed and unauthenticated.
Affected products (1)
Product     | Affected Versions | Fix Status
PI Web API  | ≤ 2017 R2         | 2017 R2 Update 1
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to PI Web API endpoints with firewall rules; limit exposure to authorized engineering workstations and the control-system hosts that need the API.
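One way to apply that workaround on the Windows host that runs PI Web API, as an added example for this page and not the advisory's or OSIsoft's own procedure. It assumes the service listens on TCP 443, that the source addresses in $AllowedSources are placeholders you replace with your engineering workstations and the PI Vision or client hosts that call the API, and that it runs in an elevated session from the console or RDP rather than over anything that itself depends on port 443.

```powershell
# Added example (not from the advisory or from OSIsoft): restrict inbound access to
# the PI Web API port on the Windows host that runs it.
# Assumptions: TCP 443, placeholder source addresses, elevated session.
$AllowedSources = @('10.10.1.20', '10.10.1.21', '10.10.2.0/24')   # placeholders: engineering workstations, PI Vision server
$PiPort   = 443
$RuleName = 'PI Web API - restricted inbound'

# 1. Create the scoped allow rule. Only the listed remote addresses match it.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $PiPort -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null

# 2. Disable every other enabled inbound Allow rule for the same port. Windows
#    evaluates Block rules before Allow rules, so a broad "Block 443" rule would
#    also block the sources above; removing competing Allow rules is the correct
#    way to narrow access. The pipeline goes from port filter to owning rule.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$PiPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' -and $_.DisplayName -ne $RuleName } |
    ForEach-Object {
        Write-Host "Disabling competing allow rule: $($_.DisplayName)"
        $_ | Disable-NetFirewallRule
    }

# 3. Anything not matched by an Allow rule must be dropped on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Verify the scope that is now in force for the port.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Re-run the anonymous probe from an address outside $AllowedSources afterwards; the connection should now time out or be refused at the network layer instead of reaching the API. This narrows who can reach the endpoint but does not fix the vulnerabilities, so the upgrade under Schedule still applies.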
Schedule — requires maintenance window

Patching may require a server reboot; plan for process interruption.

HOTFIX: Upgrade PI Web API to 2017 R2 Update 1 (advisory upgrade path: PI Vision 2017 R2 Update 1 or PI AF Services 2017 R2 Update 1)
Long-term hardening
HARDENING: Implement network segmentation to isolate PI servers from untrusted networks and the internet