OSIsoft PI Vision

Plan PatchCVSS 7.1ICS-CERT ICSA-20-014-06Jan 14, 2020

OSIsoft

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Multiple vulnerabilities in OSIsoft PI Vision affect versions prior to 2019. CVE-2019-18275 and CVE-2019-18271 involve improper access control and cross-site request forgery (CWE-284, CWE-352) that could allow unauthorized viewing or modification of PI System data. CVE-2019-18273 affects PI Vision 2017 R2 and R2 SP1 and involves similar access control issues. CVE-2019-18244 affects PI Vision 2017 R2, 2017 R2 SP1, and 2019, involving exposure of sensitive information in setup log files (CWE-532) and cross-site scripting (CWE-79). Successful exploitation may allow disclosure of sensitive information and limit system availability.

What this means

What could happen

An attacker could view or modify PI System data and process configuration information, potentially altering how your plant systems operate. In older versions, sensitive credentials stored in setup logs could be exposed if an attacker gains file access to the PI Vision server.

Who's at risk

Water utilities and municipal electric systems that use OSIsoft PI Vision for real-time monitoring and data visualization of SCADA networks and distributed control systems. Operations, engineering, and control room staff depend on PI Vision for situational awareness. Particularly at risk: facilities running PI Vision 2017 R2, R2 SP1, or early 2019 versions where no security patches are available.

How it could be exploited

For CVE-2019-18275 and CVE-2019-18271, an attacker who can reach your PI Vision web interface and has write access to the AF (Asset Framework) hierarchy could modify PI data sources or event frames. For CVE-2019-18244, if PI Vision is running under a standard domain account (rather than a managed service account), an attacker with file access to the PI Vision server could extract credentials from the SetupPIVision.log file.

Prerequisites

Network access to the PI Vision web interface on port 80/443
For CVE-2019-18275/18271: Write access to the AF Server or PI Vision administrator permissions to add/modify data sources
For CVE-2019-18244: Local or remote file access to the %pihome%\dat\ directory on the PI Vision server

remotely exploitableno authentication required for some paths (CWE-352 CSRF)affects data visualization and control system configurationno patch available for PI Vision 2017 versionsdefault/standard service account configuration creates exposure

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (3)

2 with fix1 pending

ProductAffected VersionsFix Status

CVE-2019-18273: PI Vision 2017 R2 and PI Vision 2017 R2 SP12017 R2 | 2017 R2 SP12019+

CVE-2019-18244: PI Vision 2017 R2 PI Vision 2017 R2 SP1 PI Vision 20192017 R2 | 2017 R2 SP1 | 20192019+

CVE-2019-18275 and CVE-2019-18271: All< 2019No fix yet

Remediation & Mitigation

0/7

Do now

0/5

WORKAROUNDIf running PI Vision 2017 R2 or earlier, immediately remove the SetupPIVision.log file from %pihome%\dat\ to eliminate exposure of stored credentials (CVE-2019-18244)

WORKAROUNDConfigure PI Vision to run using a domain Group Managed Service Account (gMSA) or NetworkService account instead of a standard domain account to prevent credential storage in logs

HARDENINGAudit AF Server permissions and restrict write access to AF hierarchy, element templates, event frame templates, and databases to only authorized engineers and administrators

HARDENINGAudit and document all PI Vision data sources to ensure only legitimate systems are configured, with appropriate role-based access control applied

HARDENINGRestrict network access to PI Vision web interface to authorized engineering networks only; do not expose to the Internet or untrusted networks

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade to PI Vision 2019 or later

Long-term hardening

0/1

HARDENINGConfigure dedicated identity mappings for each PI Vision server and manage PI point permissions according to your data classification policy to limit unauthorized data disclosure

CVEs (4)

CVE-2019-18275 CVE-2019-18271 CVE-2019-18273 CVE-2019-18244

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/115b9bcf-1ab2-4807-81bd-65f24aaec629

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.