OTPulse

AVEVA PI Server

Monitor · 7.5 · ICS-CERT ICSA-24-018-01 · Jan 18, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

AVEVA PI Server versions 2023 and 2018 SP3 Patch 5 or earlier contain vulnerabilities (CWE-703, CWE-772) in the PI Message Subsystem that can be exploited to cause crashes or excessive memory consumption. An attacker with network access to port 5450 can trigger a partial denial-of-service condition affecting data collection and archiving operations. No public exploitation has been reported. The vendor has released patches: PI Server 2023 Patch 1 or later, and PI Server 2018 SP3 Patch 6 or later.

What this means
What could happen
An attacker could crash the PI Message Subsystem or cause it to consume excessive memory, resulting in partial loss of PI Server data collection and archiving functions. This would disrupt real-time data availability needed for process monitoring and control decisions.
Who's at risk
Water authorities and utilities operating AVEVA PI Server for real-time operational data monitoring and archiving. Affects PI Server 2023 and PI Server 2018 SP3 Patch 5 or earlier. Any facility relying on PI Server for SCADA data collection, historians, or operational dashboards would experience data availability impact if the Message Subsystem crashes.
How it could be exploited
An attacker with network access to port 5450 (PI Message Subsystem port) can send specially crafted messages without authentication to trigger a crash or memory exhaustion condition in the PI Message Subsystem component, causing denial of service to data collection services.
Prerequisites
  • Network access to TCP port 5450 (PI Message Subsystem)
  • No authentication required
  • PI Server must be running on an accessible network segment
Remotely exploitable · No authentication required · Low complexity attack · Denial of service impact on operational data collection · Network-accessible component
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2)
2 pending
Product                    | Affected Versions | Fix Status
PI Server: 2023            | 2023              | No fix yet
PI Server: <=2018_SP3_P05  | ≤ 2018 SP3 P05    | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Configure PI Message Subsystem to auto-restart to automatically recover from crashes
  • WORKAROUND: Implement firewall rules to restrict network access to port 5450 to only trusted workstations and authorized PI Server clients
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade PI Server 2023 to Patch 1 or later, or upgrade PI Server 2018 SP3 to Patch 6 or later
  • HARDENING: Monitor PI Message Subsystem memory usage with alerts for abnormal consumption
  • HARDENING: Restrict write access to PI Server Message Log via the PIMSGSS entry in the Database Security plugin to authorized users only
Long-term hardening
  • HARDENING: Isolate PI Server network from internet and limit remote access via VPN with defense-in-depth network segmentation
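
The auto-restart workaround and the memory-usage alerting above interact: once the subsystem restarts automatically, a crash is only visible as a process ID change, so restarts need to be counted alongside memory growth. The following is an added example, not OTPulse or AVEVA code, of alert logic over periodic process samples. The sample values, PIDs, thresholds and the `Sample` and `evaluate` names are constructed assumptions, and collecting the samples is left to the site's own monitoring agent.

```python
from dataclasses import dataclass
from statistics import median

@dataclass
class Sample:
    ts: int        # seconds since capture start
    pid: int       # PID of the monitored process (changes after a restart)
    rss_mb: float  # working set in MiB

def evaluate(samples, baseline_n=4, factor=2.0, sustain=3,
             max_restarts=2, window_s=3600):
    """Return (ts, kind, detail) alerts: restart, crash_loop, memory_growth."""
    # Baseline is the median of the first samples, assumed to be known-good.
    baseline = median(s.rss_mb for s in samples[:baseline_n])
    alerts, restarts, high, prev = [], [], 0, None
    for s in samples:
        if prev is not None and s.pid != prev.pid:
            # Auto-restart hides the crash from users; the PID change reveals it.
            restarts = [t for t in restarts if s.ts - t < window_s] + [s.ts]
            alerts.append((s.ts, "restart", f"pid {prev.pid} -> {s.pid}"))
            if len(restarts) > max_restarts:
                alerts.append((s.ts, "crash_loop",
                               f"{len(restarts)} restarts in {window_s}s"))
            high = 0
        # Count consecutive samples above the threshold to ignore single spikes.
        high = high + 1 if s.rss_mb > factor * baseline else 0
        if high == sustain:  # fire once per sustained excursion
            alerts.append((s.ts, "memory_growth",
                           f"{s.rss_mb:.0f} MiB vs baseline {baseline:.0f} MiB"))
        prev = s
    return alerts

# Constructed samples, one every 5 minutes: steady state, a sustained ramp,
# then three restarts inside one hour.
SAMPLES = [
    Sample(0, 4120, 210), Sample(300, 4120, 215), Sample(600, 4120, 212),
    Sample(900, 4120, 214), Sample(1200, 4120, 300), Sample(1500, 4120, 450),
    Sample(1800, 4120, 610), Sample(2100, 4120, 820), Sample(2400, 4120, 1100),
    Sample(2700, 5032, 205), Sample(3000, 6240, 208), Sample(3300, 7011, 207),
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLES):
        print(alert)
```
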