OTPulse

OSIsoft PI Web API 2019

Plan Patch · 7.7 · ICS-CERT ICSA-20-163-01 · Jun 11, 2020
Attack Vector: Network
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

OSIsoft PI Web API 2019 Patch 1 (1.12.0.6346) and all earlier versions contain a stored cross-site scripting (XSS) vulnerability. An attacker with write access to PI Server can inject malicious JavaScript into PI Web API that executes in the browser of any authenticated user who accesses a crafted endpoint. The injected code runs with the permissions of the logged-in user, allowing the attacker to view, modify, or delete historical data and configuration settings.

What this means
What could happen
An attacker with write access to PI Server could trick an authorized user into visiting a malicious link that runs JavaScript in their browser, allowing the attacker to view, modify, or delete data in PI Web API according to the victim's permissions.
Who's at risk
Water utilities and electric utilities that use OSIsoft PI Web API 2019 for real-time data access and historian functions, particularly operators and engineers who authenticate to PI Web API to view or configure process data and alarm setpoints.
How it could be exploited
An attacker with PI Server write access crafts a malicious URL containing JavaScript code and tricks an authorized user into clicking it (via email, chat, or other social engineering). When the user visits the link in their browser, the JavaScript executes in the context of the user's authenticated PI Web API session, allowing the attacker to perform actions the user is authorized to perform.
Prerequisites
  • Attacker must have write access to PI Server
  • Target user must be authenticated to PI Web API
  • Target user must click a malicious link or visit a crafted PI Web API endpoint
  • PI Web API must not have mitigations in place (e.g., web application firewall, DisableWrite setting)
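To make the stored XSS path above concrete, here is an added example (not PI Web API's own code, and not from the advisory) contrasting a hypothetical render routine that concatenates a stored PI element name into an HTML response with a hardened version that encodes the value and serves JSON with a non-HTML content type; the final check is the kind of rule a reviewer or the WAF mitigation listed below would apply to responses from the PI Web API host. The stored name is a constructed sample.

```python
import html
import json

# Constructed sample value, not taken from PI Web API: something an attacker
# with PI Server write access could store as an element or attribute name.
STORED_NAME = 'Pump01<img src=x onerror="alert(1)">'


def render_vulnerable(name: str) -> tuple[dict, str]:
    """Vulnerable pattern (hypothetical, not PI Web API's code): the stored
    value is concatenated into an HTML page, so the browser parses the
    attacker-supplied markup in the authenticated user's session."""
    headers = {"Content-Type": "text/html; charset=utf-8"}
    return headers, "<h1>" + name + "</h1>"


def render_hardened(name: str) -> tuple[dict, str]:
    """Hardened pattern: HTML-encode every stored value and serve data as JSON
    with a non-HTML content type that browsers will not render as a page."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, json.dumps({"Name": html.escape(name, quote=True)})


def response_is_safe(headers: dict, body: str) -> bool:
    """Review/WAF-style check: a PI Web API data response must not be served
    as HTML and must not carry raw tag characters in its body."""
    ctype = headers.get("Content-Type", "").lower()
    if ctype.startswith("text/html"):
        return False
    return "<" not in body and ">" not in body
```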
  • Requires authenticated user interaction (social engineering)
  • Affects data integrity and confidentiality
  • Requires attacker to have PI Server write access
  • No public exploit available
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
Product | Affected Versions | Fix Status
PI Web API 2019: Patch 1 (1.12.0.6346) and all previous versions | ≤ 1.12.0.6346 | 2019 SP1
Remediation & Mitigation
Do now
WORKAROUND: Disable anonymous authentication in PI Web API configuration settings to limit exposure to authenticated users only
WORKAROUND: Enable the DisableWrite setting on PI Web API to remove write access to PI AF servers
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade to PI Web API 2019 SP1 or later
HARDENING: Deploy a web application firewall to block HTML responses from PI Web API servers
Long-term hardening
HARDENING: Restrict write access to PI Server to only trusted users with a documented business need
HARDENING: Enable IE Enhanced Security Configuration on Windows servers with Desktop Experience installed
HARDENING: Isolate PI Web API servers behind a firewall and segment them from the business network