ICSA-20-315-01_OSIsoft PI Interface for OPC XML-DA

Act NowCVSS 8.1ICS-CERT ICSA-20-315-01Nov 10, 2020

OSIsoft

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

OSIsoft PI Interface for OPC XML-DA contains a buffer overflow vulnerability (CWE-121) in its handling of OPC XML-DA protocol messages. All versions prior to 1.7.3.x are affected. An attacker with network access can send a specially crafted message to trigger memory corruption and execute arbitrary code with the privileges of the PI Interface service. This service is typically used to integrate OPC data sources (PLCs, RTUs, field devices) into the OSIsoft PI System for real-time monitoring and historical data collection in industrial facilities.

What this means

What could happen

An attacker with network access to the PI Interface for OPC XML-DA could execute arbitrary code, potentially allowing them to modify process data, interrupt communications between the PI System and OPC servers, or compromise the integrity of historical data used for operations and compliance reporting.

Who's at risk

Water authorities and utilities using OSIsoft PI System for SCADA data collection and reporting. Specifically, any facility that relies on the PI Interface for OPC XML-DA to bridge OPC data sources (PLCs, RTUs, field devices) to the PI System for real-time monitoring and historical archiving should prioritize this fix.

How it could be exploited

An attacker on the network could send a specially crafted message to the PI Interface for OPC XML-DA service (likely port-based XML-DA protocol traffic). This triggers a buffer overflow or memory corruption flaw that allows the attacker to execute arbitrary code with the privileges of the PI Interface process, which typically has access to process data and control parameters.

Prerequisites

Network access to the PI Interface for OPC XML-DA service
Service must be running with default or typical configuration
No authentication required to trigger the vulnerability

Remotely exploitableNo authentication requiredBuffer overflow / memory corruption (CWE-121)High CVSS score (8.1)High EPSS score (66.7% exploit probability)No patch currently available

Exploitability

Likely to be exploited — EPSS score 68.3%

Affected products (1)

ProductAffected VersionsFix Status

PI Interface for OPC XML-DA: All< 1.7.3.x1.7.3.x+

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to the PI Interface for OPC XML-DA service using firewall rules; allow connections only from known OPC servers and PI System components

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade PI Interface for OPC XML-DA to version 1.7.3.x or later

Long-term hardening

0/2

HARDENINGIsolate the PI Interface service and connected OPC servers from the business network and Internet using network segmentation and DMZ placement

HARDENINGIf remote access to the PI system is required, use a VPN with current security patches and restrict VPN users to read-only access where possible

CVEs (1)

CVE-2013-0006

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/628826d6-291c-4af0-bba1-8c81cb250431

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.