OTPulse

OSIsoft PI Web API

Monitor | CVSS 6.9 | ICS-CERT ICSA-21-313-06 | Nov 9, 2021
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: Required
Summary

OSIsoft PI Web API 2019 SP1 and earlier contains a cross-site scripting (XSS) vulnerability in the built-in REST API documentation feature (CWE-79). A remote authenticated attacker can craft a malicious link to the documentation endpoint that executes arbitrary JavaScript in the browser of any user who clicks it. This allows the attacker to steal session tokens, user credentials, or historian data, or to inject false data into the process historians and other connected systems.

What this means
What could happen
An authenticated attacker could exploit a cross-site scripting (XSS) flaw in PI Web API documentation to steal sensitive information from users or deliver false data into your process historians and analytics dashboards, potentially leading to incorrect operational decisions or process manipulation.
Who's at risk
OSIsoft PI Web API installations at water and utility facilities that rely on the PI System for real-time data collection, historian storage, and analytics. Affects engineers, operators, and IT staff who use the PI Web API for process monitoring, reporting, and configuration management. Any organization running PI Web API version 2019 SP1 or earlier is at risk.
How it could be exploited
An attacker with valid PI Web API credentials crafts a malicious link containing JavaScript code embedded in the built-in documentation endpoint. When an authorized user (engineer, administrator) clicks the link or visits the documentation, the script executes in their browser session, allowing the attacker to steal session tokens, credentials, or data from the PI System, or inject false historian values.
Prerequisites
  • Valid PI Web API credentials (engineer or administrative account)
  • User must be tricked into clicking a malicious link or visiting a crafted documentation URL
  • PI Web API must have anonymous authentication enabled or victim must be logged in
  • Network access to PI Web API HTTP/HTTPS endpoint
  • Remotely exploitable
  • Requires authentication
  • Low complexity to exploit
  • No patch available for legacy versions
  • Affects business intelligence and process historians
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
OSIsoft PI Web API | ≤ 2019 SP1 | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Remove OSIsoft.REST.Documentation.dll from the PI Web API installation directory (default: C:\Program Files\PIPC\WebAPI) to disable built-in documentation and eliminate the attack vector
  • HARDENING: Disable anonymous authentication in PI Web API configuration; require all users to authenticate
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade PI Web API to version 2021 or later
  • HARDENING: Deploy a web application firewall rule to block HTML responses from PI Web API servers
  • HARDENING: For Kerberos-authenticated PI Web API servers, use Group Policy to deny network authentication for PI Server Administrator accounts on the PI Web API server
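The "block HTML responses" rule above, as an added example that is not part of this advisory or of OSIsoft's software: a reverse-proxy response filter in Python that forwards only the media types the REST API legitimately returns, blocks text/html, and also blocks untyped bodies a browser would MIME-sniff as HTML (the case a naive Content-Type check misses). The allow-list, the `decide`/`audit` names and the sample responses are assumptions.

```python
# Added example (not OTPulse's or OSIsoft's code): a response-side filter that
# enforces the advisory's "block HTML responses" mitigation on a reverse proxy
# in front of PI Web API. The API returns JSON; a browser executes a reflected
# script only when it renders a response as HTML, so refusing text/html (and
# untyped bodies a browser would sniff as HTML) removes the XSS sink.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed allow-list of media types the REST API legitimately returns.
ALLOWED_TYPES = {"application/json", "application/xml", "text/plain"}
# Leading tags that browser MIME sniffing treats as HTML when no type is sent.
HTML_SNIFF = re.compile(rb"^\s*<(!doctype\s+html|html|script|body|head|iframe)", re.I)

@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)  # lower-case names
    body: bytes = b""

def decide(resp: Response) -> Tuple[str, str]:
    """Return ("forward" | "block", reason) for one upstream response."""
    media = resp.headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if media == "text/html":
        return "block", "text/html response from API host"
    if media == "" and HTML_SNIFF.search(resp.body):
        return "block", "untyped body would be sniffed as HTML"
    if media and media not in ALLOWED_TYPES:
        return "block", f"unexpected media type {media}"
    # Stop the browser from re-interpreting an allowed type as HTML.
    resp.headers["x-content-type-options"] = "nosniff"
    return "forward", media or "untyped non-HTML"

# Constructed sample responses, not captured PI Web API traffic.
SAMPLES = [
    Response(200, {"content-type": "application/json; charset=utf-8"}, b'{"Links": {}}'),
    Response(200, {"content-type": "text/html; charset=utf-8"}, b"<html><body>docs</body></html>"),
    Response(200, {}, b"  <!DOCTYPE html><html>"),
    Response(204),
]

def audit(responses: List[Response]) -> List[str]:
    """Verdict per response, in order."""
    return [decide(r)[0] for r in responses]

if __name__ == "__main__":
    for r in SAMPLES:
        print(*decide(r))
```

Plugging this into a real proxy still needs the documentation DLL removed or the upgrade applied; the filter only contains the sink on the paths it fronts.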
Long-term hardening
  • HARDENING: Audit the AF (Asset Framework) hierarchy to identify and remove any unauthorized databases, elements, or attributes that an attacker could have modified