OSIsoft PI Web API
Plan Patch | 8.5 | ICS-CERT ICSA-19-225-02 | Aug 13, 2019
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: None needed
Summary
OSIsoft PI Web API versions 2018 and prior contain multiple security vulnerabilities (CWE-532: Insertion of Sensitive Information into Log File, CWE-693: Protection Mechanism Failure) that allow direct attacks against the product and disclosure of sensitive information. The vulnerabilities affect confidentiality, integrity, and availability.
What this means
What could happen
An attacker with login credentials could exploit these vulnerabilities to access the PI Web API service, potentially disclose sensitive operational data stored in logs, or perform unauthorized actions on connected process historians and data sources. This could expose production setpoints, alarm thresholds, and operational metrics to unauthorized users.
Who's at risk
Water utilities, electric utilities, and manufacturers using OSIsoft PI System for data collection and real-time monitoring should prioritize this. The PI Web API is commonly used by engineering workstations, historian servers, and plant information portals to access process data, alarm histories, and equipment status. Organizations relying on PI Web API for supervisory dashboards or mobile access to process data are directly affected.
How it could be exploited
An attacker with valid PI Web API user credentials exploits authentication and authorization weaknesses to access the web interface and trigger log disclosure or cross-site request forgery (CSRF) attacks. The attacker could trigger sensitive information to be written to application debug logs, or use CSRF to perform actions on behalf of authenticated users if CSRF defense is disabled.
Prerequisites
- Valid PI Web API user credentials
- Network access to the PI Web API web service
- Debug logging enabled on the PI Web API server (for information disclosure)
- CSRF defense disabled (EnableCSRFDefense setting toggled off) for CSRF exploitation
- Requires valid credentials (not unauthenticated)
- Remotely exploitable over network
- Affects confidentiality and integrity of operational data
- Medium exploit complexity (CVSS AC:H)
- Low exploit probability (0.2% EPSS)
- Not actively exploited in the wild
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product                     | Affected Versions | Fix Status
PI Web API: 2018 and prior  | ≤ 2018            | 2018 SP1 or later
Remediation & Mitigation
Do now
WORKAROUND: Disable the PI Web API Application Debug log by opening Event Viewer, navigating to Applications and Services Logs > PIWebAPI > Debug, right-clicking Debug log, and selecting Disable Log
HARDENING: Verify that the EnableCSRFDefense configuration setting is enabled (default in new installations) and leave it unchanged; if toggled, restart the PI Web API service after any changes
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade PI Web API to version 2018 SP1 or later
Long-term hardening
HARDENING: Restrict network access to PI Web API to authorized engineering workstations and historian collection points using firewall rules
HARDENING: Review and enforce strong password policies and multi-factor authentication for PI Web API user accounts
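The "Do now" workaround above, as an added PowerShell example that is not OSIsoft's own tooling: it audits whether the PI Web API debug event log channel is enabled on a server and, with -Disable, turns it off from the command line instead of through Event Viewer. The channel name PIWebAPI/Debug is an assumption derived from the Event Viewer path; the EnableCSRFDefense check is not covered because the advisory does not state where that setting is stored.

```powershell
# Added example (not OSIsoft code): audit and optionally disable the
# PI Web API Application Debug log channel (CWE-532 mitigation).
# Assumption: Event Viewer path "Applications and Services Logs > PIWebAPI > Debug"
# maps to the channel name "PIWebAPI/Debug"; the wildcard fallback below
# catches a differently named channel. Disabling requires an elevated prompt.
param(
    [string]$ChannelName = 'PIWebAPI/Debug',
    [switch]$Disable
)

$logs = @(Get-WinEvent -ListLog $ChannelName -ErrorAction SilentlyContinue)
if ($logs.Count -eq 0) {
    # Fall back to any PI Web API channel whose name contains "Debug"
    $logs = @(Get-WinEvent -ListLog '*PIWebAPI*' -ErrorAction SilentlyContinue |
              Where-Object { $_.LogName -like '*Debug*' })
}
if ($logs.Count -eq 0) {
    Write-Output "No PI Web API debug channel found on $env:COMPUTERNAME"
    return
}

foreach ($log in $logs) {
    # Report the current state; RecordCount > 0 on an enabled channel means
    # debug data (potentially sensitive operational values) is already on disk.
    Write-Output ("{0}: IsEnabled={1} Records={2} MaxSizeBytes={3}" -f
        $log.LogName, $log.IsEnabled, $log.RecordCount, $log.MaximumSizeInBytes)

    if ($log.IsEnabled -and $Disable) {
        # wevtutil set-log with /e:false is the CLI equivalent of
        # right-click > Disable Log in Event Viewer.
        & wevtutil.exe sl $log.LogName /e:false
        $after = Get-WinEvent -ListLog $log.LogName
        Write-Output ("{0}: IsEnabled now {1}" -f $after.LogName, $after.IsEnabled)
    }
}
```

Run it without -Disable across the PI Web API fleet first to find hosts where the debug channel is enabled, then re-run with -Disable on those hosts and review the existing debug records before clearing them.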
CVEs (2)