OSIsoft PI SQL Client
Plan Patch | CVSS 8.1 | ICS-CERT ICSA-19-253-06 | Sep 10, 2019
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A remote code execution vulnerability exists in PI SQL Client 2018 (CVSS 8.1) due to an integer overflow (CWE-190) in how the SQL Client processes network requests. Successful exploitation allows an unauthenticated attacker to execute arbitrary code or cause denial of service, potentially compromising the confidentiality, integrity, and availability of data stored in the PI historian database.
What this means
What could happen
An attacker could run arbitrary commands on the PI SQL Client, potentially accessing, modifying, or deleting historian data stored in the PI System. This could disrupt process analysis, compliance reporting, and operational decision-making that depends on historical process data.
Who's at risk
Organizations using OSIsoft PI System for process historian data collection and analysis, particularly those running PI SQL Client 2018 as the bridge between SQL databases and the PI historian. This affects utilities, manufacturers, and facilities that depend on historical process data for compliance, analytics, and troubleshooting.
How it could be exploited
An attacker with network access to the PI SQL Client (typically port 5464 for HTTPS/SOAP) can send a specially crafted request that triggers an integer overflow, allowing remote code execution. The attack requires no authentication or user interaction.
Prerequisites
- Network access to PI SQL Client on port 5464 (HTTPS/SOAP) or port 5465 (NetTcp)
- PI SQL Client 2018 must be deployed and reachable from the attacker's network
- No authentication required
- Remotely exploitable
- No authentication required
- Low attack complexity
- High EPSS score (9.1%)
- No patch available for PI SQL Client 2018 (only 2018 R2 or later)
Exploitability
Moderate exploit probability (EPSS 9.1%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| PI SQL Client: 2018 (PI SQL Client OLEDB 2018) | 2018 (PI SQL Client OLEDB 2018) | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: Configure PI SQL Client OLEDB 2018 Data Link Advanced Properties to use NetTcp (Port 5465) instead of HTTPS/SOAP (Port 5464)
- WORKAROUND: Delete HTTPS/SOAP (Port 5464) from the network protocol order in Data Link settings
- HARDENING: Restrict PI SQL Client outbound network connections to only trusted servers via firewall rules
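The "Do now" items can be checked on a Windows host running PI SQL Client with a script like the one below. It is an added example, not code from OSIsoft or the advisory; the server addresses and the firewall rule name are placeholders, and it assumes an elevated PowerShell session.

```powershell
# Added example: audit and restrict PI SQL Client transport ports on a client host.
# Assumption: $TrustedServers lists the PI servers this client may talk to.
$TrustedServers = @('192.0.2.10', '192.0.2.11')   # constructed placeholder addresses
$SoapPort   = 5464   # HTTPS/SOAP, the transport the workaround removes
$NetTcpPort = 5465   # NetTcp, the transport the workaround switches to

# 1. Report established outbound sessions on either port and classify them.
$findings = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in @($SoapPort, $NetTcpPort) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $finding = if ($_.RemotePort -eq $SoapPort) {
            'HTTPS/SOAP still in use: remove it from the protocol order'
        } elseif ($_.RemoteAddress -notin $TrustedServers) {
            'NetTcp session to a server outside the trusted list'
        } else {
            'OK'
        }
        [pscustomobject]@{
            Process       = $proc.ProcessName
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            Finding       = $finding
        }
    }
$findings | Format-Table -AutoSize

# 2. Block outbound TCP 5464 so a reverted Data Link setting cannot fall back
#    to HTTPS/SOAP. This applies to every program on the host.
$ruleName = 'Block PI SQL Client HTTPS-SOAP 5464 outbound'   # hypothetical rule name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
        -Protocol TCP -RemotePort $SoapPort -Profile Any | Out-Null
}
```

The script only reports NetTcp sessions to unlisted servers. Enforcing the trusted-server list for port 5465 needs a default-deny outbound policy or an upstream firewall, because Windows Firewall block rules take precedence over allow rules.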
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade PI SQL Client to version 2018 R2 or later
- HARDENING: Run PI SQL Client using a least privilege account instead of elevated privileges
Long-term hardening
- HARDENING: Deploy application whitelisting to block unauthorized code execution on systems running PI SQL Client
CVEs (1)