OSIsoft PI Vision

Plan Patch7.7ICS-CERT ICSA-20-315-02Nov 10, 2020

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionRequired

Summary

OSIsoft PI Vision contains stored cross-site scripting (CWE-79) and improper access control vulnerabilities (CWE-863) in how it processes PI ProcessBook files. An attacker with write access to ProcessBook files can inject malicious code that executes when imported into PI Vision. Additionally, users with insufficient privileges may be able to disclose sensitive information. The vulnerabilities affect PI Vision 2020 and all earlier versions.

What this means

What could happen

An attacker with write access to PI ProcessBook files could inject malicious code that executes when imported into PI Vision, potentially compromising the visualization system and affecting process monitoring and control visibility. An attacker could also disclose sensitive information to users with insufficient access privileges.

Who's at risk

Water and electric utilities using OSIsoft PI Vision for process visualization and monitoring. This affects operations teams and engineering staff who use PI Vision dashboards to view real-time process data and make operational decisions. Organizations where users import PI ProcessBook files from shared storage or external sources are at higher risk.

How it could be exploited

An attacker with write access to PI ProcessBook files injects malicious code into the file. When a user with PI Vision access imports or opens the compromised ProcessBook file, the injected code executes in the user's browser context (stored cross-site scripting). The attacker needs valid write credentials to the file storage system and relies on user interaction to trigger the import.

Prerequisites

Write access to PI ProcessBook file storage or shared directory
Valid credentials for PI ProcessBook or file repository with write permissions
User action required to import or open the compromised ProcessBook file
Target user must have PI Vision access to import files

Requires user interaction to trigger exploitationAuthenticated access required (write credentials to ProcessBook files)Stored cross-site scripting could persist across sessionsInformation disclosure could expose sensitive process parametersAffects process visualization systems critical to operator situational awareness

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (1)

ProductAffected VersionsFix Status

PI Vision 2020: All< PI Vision 20203.5.0

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict network access to PI Vision and PI ProcessBook systems to authorized engineering workstations and control room networks only

HARDENINGRestrict write access to PI ProcessBook files to authorized personnel only and audit access logs

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade PI Vision to version 3.5.0 or later

Long-term hardening

0/2

HARDENINGImplement file integrity monitoring on PI ProcessBook file storage to detect unauthorized modifications

HARDENINGSegment PI Vision and data historian systems from the business network using firewalls and DMZ

CVEs (2)

CVE-2020-25163 CVE-2020-25167

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ce6dad12-141e-4a43-beb5-c644e8dab128