OTPulse

AVEVA PI Asset Framework Client

Monitor | CVSS 7.3 | ICS-CERT ICSA-24-163-03 | Jun 11, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

AVEVA PI Asset Framework Client contains a deserialization vulnerability (CWE-502) that could allow malicious code execution. Affected versions are PI AF Client 2023 and PI AF Client 2018 SP3 P04 and prior. The vulnerability is not remotely exploitable and requires local access and user interaction (opening a malicious XML file) to exploit.

What this means
What could happen
An attacker could execute arbitrary code on an engineering workstation running PI Asset Framework Client by tricking a user into importing a malicious XML file. This could compromise the integrity of your PI System configuration, process data, or enable lateral movement to connected systems.
Who's at risk
Organizations using AVEVA PI Asset Framework Client for plant process monitoring and asset management, particularly those with PI AF Client 2023 or 2018 SP3 P04 deployments. This affects engineering teams and IT staff who use PI System Explorer to manage process data and system configurations.
How it could be exploited
An attacker sends a malicious XML file to a user with access to PI System Explorer (bundled with PI AF Client). When the user imports the XML file into the application, the unsafe deserialization flaw allows the attacker's code to execute with the privileges of that user account.
Prerequisites
  • Local or physical access to the engineering workstation
  • User with PI AF Client installed must manually import a malicious XML file
  • User interaction (user must be social engineered to open/import the file)

Low complexity to exploit (requires user clicking a file)
Requires user interaction (social engineering via malicious XML)
Affects engineering workstations with potential access to critical systems
No patch available for PI AF Client 2023 base version (only Patch 1+ fixes it)
CWE-502 unsafe deserialization is a known dangerous pattern
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 pending
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| PI Asset Framework Client: 2023 | 2023 | No fix yet |
| PI Asset Framework Client: <=2018_SP3_P04 | ≤ 2018 SP3 P04 | No fix yet |
Remediation & Mitigation
Do now
WORKAROUND: Establish a procedure to verify the source and integrity of XML files before importing them into PI System Explorer
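
One way to implement the workaround above, as an added example that is not part of the advisory or of AVEVA's tooling: the check refuses an XML file unless it is listed in a manifest whose MAC verifies (source) and its SHA-256 matches the listed value (integrity). The manifest layout, the shared HMAC key, the function names and the sample file are assumptions constructed for illustration.

```python
import hashlib, hmac, json, os, tempfile

# Assumed scheme (not from the advisory): whoever produces an XML export also
# publishes a manifest {"files": {name: sha256_hex}, "mac": HMAC-SHA256(files)}.

def sha256_file(path):
    """Hash the file in chunks so large exports do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def _mac(files, key):
    # Canonical JSON (sorted keys) so producer and verifier MAC the same bytes.
    body = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def sign_manifest(files, key):
    """Producer side: bind the approved file hashes to the shared key."""
    return {"files": files, "mac": _mac(files, key)}

def check_before_import(xml_path, manifest, key):
    """Return (ok, reason). Import into PI System Explorer only when ok."""
    files = manifest.get("files", {})
    claimed = str(manifest.get("mac", "")).encode()
    # Source: the manifest must carry a MAC made with the shared key.
    if not hmac.compare_digest(_mac(files, key).encode(), claimed):
        return False, "manifest MAC invalid: source not verified"
    want = files.get(os.path.basename(xml_path))
    if want is None:
        return False, "file not listed in manifest"
    # Integrity: the bytes on disk must match the approved hash.
    if not hmac.compare_digest(str(want).encode(), sha256_file(xml_path).encode()):
        return False, "hash mismatch: file changed after approval"
    return True, "ok"

def demo():
    key = b"constructed-demo-key"  # constructed; use a managed secret in practice
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "export.xml")
        with open(path, "wb") as f:
            f.write(b"<export>constructed sample</export>")
        manifest = sign_manifest({"export.xml": sha256_file(path)}, key)
        results = [check_before_import(path, manifest, key)]       # approved file
        with open(path, "ab") as f:
            f.write(b"<!-- modified in transit -->")
        results.append(check_before_import(path, manifest, key))   # altered file
        forged = dict(manifest, files={"export.xml": sha256_file(path)})
        results.append(check_before_import(path, forged, key))     # edited manifest
        return results
```

A shared HMAC key is the simplest assumption; a site with an existing PKI can replace `_mac` with a digital signature check so that verifiers hold no signing secret.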
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade PI AF Client 2023 to Patch 1 or later
HOTFIX: Upgrade PI AF Client 2018 SP3 to Patch 5 or later
Long-term hardening
HARDENING: Run PI System Explorer with a least-privilege (non-administrative) user account when possible
HARDENING: Isolate PI AF Client systems from the internet and restrict network access via firewall