OSIsoft PI Vision
Plan Patch | 7.1 | ICS-CERT ICSA-20-014-06 | Jan 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Multiple vulnerabilities in OSIsoft PI Vision affect versions prior to 2019. CVE-2019-18275 and CVE-2019-18271 involve improper access control and cross-site request forgery (CWE-284, CWE-352) that could allow unauthorized viewing or modification of PI System data. CVE-2019-18273 affects PI Vision 2017 R2 and R2 SP1 and involves similar access control issues. CVE-2019-18244 affects PI Vision 2017 R2, 2017 R2 SP1, and 2019, involving exposure of sensitive information in setup log files (CWE-532) and cross-site scripting (CWE-79). Successful exploitation may allow disclosure of sensitive information and limit system availability.
What this means
What could happen
An attacker could view or modify PI System data and process configuration information, potentially altering how your plant systems operate. In older versions, sensitive credentials stored in setup logs could be exposed if an attacker gains file access to the PI Vision server.
Who's at risk
Water utilities and municipal electric systems that use OSIsoft PI Vision for real-time monitoring and data visualization of SCADA networks and distributed control systems. Operations, engineering, and control room staff depend on PI Vision for situational awareness. Particularly at risk: facilities running PI Vision 2017 R2, R2 SP1, or early 2019 versions where no security patches are available.
How it could be exploited
For CVE-2019-18275 and CVE-2019-18271, an attacker who can reach your PI Vision web interface and has write access to the AF (Asset Framework) hierarchy could modify PI data sources or event frames. For CVE-2019-18244, if PI Vision is running under a standard domain account (rather than a managed service account), an attacker with file access to the PI Vision server could extract credentials from the SetupPIVision.log file.
Prerequisites
- Network access to the PI Vision web interface on port 80/443
- For CVE-2019-18275/18271: Write access to the AF Server or PI Vision administrator permissions to add/modify data sources
- For CVE-2019-18244: Local or remote file access to the %pihome%\dat\ directory on the PI Vision server
- Remotely exploitable
- No authentication required for some paths (CWE-352 CSRF)
- Affects data visualization and control system configuration
- No patch available for PI Vision 2017 versions
- Default/standard service account configuration creates exposure
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (3)
2 with fix, 1 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| CVE-2019-18273: PI Vision 2017 R2 and PI Vision 2017 R2 SP1 | 2017 R2, 2017 R2 SP1 | 2019 or later |
| CVE-2019-18244: PI Vision 2017 R2, PI Vision 2017 R2 SP1, PI Vision 2019 | 2017 R2, 2017 R2 SP1, 2019 | 2019 or later |
| CVE-2019-18275 and CVE-2019-18271: All | < 2019 | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: If running PI Vision 2017 R2 or earlier, immediately remove the SetupPIVision.log file from %pihome%\dat\ to eliminate exposure of stored credentials (CVE-2019-18244)
- WORKAROUND: Configure PI Vision to run using a domain Group Managed Service Account (gMSA) or NetworkService account instead of a standard domain account to prevent credential storage in logs
- HARDENING: Audit AF Server permissions and restrict write access to AF hierarchy, element templates, event frame templates, and databases to only authorized engineers and administrators
- HARDENING: Audit and document all PI Vision data sources to ensure only legitimate systems are configured, with appropriate role-based access control applied
- HARDENING: Restrict network access to the PI Vision web interface to authorized engineering networks only; do not expose it to the Internet or untrusted networks
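A check for the two "Do now" workarounds above (leftover setup log, service identity), added here as an example and not part of the advisory or of OSIsoft's tooling. It assumes it runs elevated on the PI Vision server with the IIS WebAdministration module available, that %PIHOME% is set, and that PI Vision runs in an IIS application pool; the pool name is not on this page, so every pool is reported.

```powershell
# Added example (not from the advisory or OSIsoft). Run elevated on the PI Vision server.
# Assumes %PIHOME% is set and that PI Vision runs in an IIS application pool.

# 1. CVE-2019-18244: does the setup log that may hold stored credentials still exist?
$piHome = $env:PIHOME
if (-not $piHome) {
    Write-Warning 'PIHOME is not set; locate %pihome%\dat manually'
} else {
    $setupLog = Join-Path $piHome 'dat\SetupPIVision.log'
    if (Test-Path $setupLog) {
        Write-Warning "FOUND $setupLog : review for stored credentials, then remove it (CVE-2019-18244)"
    } else {
        Write-Output "OK: no SetupPIVision.log under $piHome\dat"
    }
}

# 2. Service identity: flag application pools running as a standard domain user.
#    A gMSA is configured as a SpecificUser whose name ends in '$' and has no password;
#    NetworkService and ApplicationPoolIdentity are built-in identities and are not flagged.
Import-Module WebAdministration -ErrorAction Stop
foreach ($pool in Get-ChildItem 'IIS:\AppPools') {
    $identityType = $pool.processModel.identityType
    $userName     = $pool.processModel.userName
    if ($identityType -eq 'SpecificUser' -and $userName -notmatch '\$$') {
        Write-Warning "App pool '$($pool.Name)' runs as standard account '$userName'; move it to a gMSA or NetworkService"
    } else {
        Write-Output "OK: app pool '$($pool.Name)' identity = $identityType $userName"
    }
}
```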
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Upgrade to PI Vision 2019 or later
Long-term hardening
- HARDENING: Configure dedicated identity mappings for each PI Vision server and manage PI point permissions according to your data classification policy to limit unauthorized data disclosure